From 18786ec2f4c2fa38bcf627b1c3833868e2e093f0 Mon Sep 17 00:00:00 2001 From: Arne Luenser Date: Mon, 22 Jun 2026 17:13:30 +0200 Subject: [PATCH] docs: document at-most-once processing of OAuth2 logout requests Update the logout logic diagram and add a section explaining that each logout request is processed at most once. When a logout_verifier is reused or the login session is already gone, Ory only redirects to the post_logout_redirect_uri and does not re-run front- or back-channel logout callbacks, so clients are notified at most once per session. Documents the behavior introduced in ory-corp/cloud#11260. --- docs/oauth2-oidc/logout.mdx | 20 +++++++++++++++++--- 1 file changed, 17 insertions(+), 3 deletions(-) diff --git a/docs/oauth2-oidc/logout.mdx b/docs/oauth2-oidc/logout.mdx index 848a19839b..8ee25dba00 100644 --- a/docs/oauth2-oidc/logout.mdx +++ b/docs/oauth2-oidc/logout.mdx 
@@ -126,8 +126,22 @@ RPI-->|has session cookie|LUI RPI-->|no session cookie|RPI2 LUI-->|ask for user consent|LUI LUI-->|redirect with logout_verifier|RPI2[Process logout request] -RPI2-->|execute front/backchannel logout, delete session cookie|RPI2 -RPI2-->|No post_logout_redirect_uri|End -RPI2-->|Has post_logout_redirect_uri|End2[Redirect to post_logout_redirect_uri] +RPI2-->|session already revoked or logout_verifier reused|End2[Redirect to post_logout_redirect_uri] +RPI2-->|valid session - execute front/backchannel logout and delete session|Done[Logout complete] +Done-->|No post_logout_redirect_uri|End +Done-->|Has post_logout_redirect_uri|End2 `} /> ``` + +## Logout requests are processed at most once + +Each logout request is handled at most once. When Ory processes the `logout_verifier`, it looks up the login session that the +request belongs to. If that session is gone, Ory stops the flow and only redirects the browser to the `post_logout_redirect_uri` +(or the configured fallback URL). The session can be gone for two reasons: + +- The `logout_verifier` was reused. The user already logged out and may have signed in again since. Ory does not log the user out + of the newer session. +- The session was already revoked by another logout, an API call, or session expiry. + +In both cases, Ory does not call the front-channel or back-channel logout callbacks again. Each registered client is notified at +most once per session, so clients can treat these callbacks as idempotent.
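Review bot: the closing sentence of the new section ("Each registered client is notified at most once per session, so clients can treat these callbacks as idempotent") draws the wrong conclusion from an at-most-once guarantee and leaves the failure case undocumented. At-most-once means Ory will not send a second front- or back-channel call for the same session; it says nothing about what happens when that single attempt fails, and a client that relies on back-channel logout to revoke its own session needs to know whether a failed callback is retried or simply lost. Suggest stating that explicitly and replacing the idempotency clause with what clients actually need to hear: the callback is sent once per session, and clients should still handle a duplicate delivery defensively, because idempotency is a property of their handler, not of Ory's delivery. Two smaller points in the same hunk: the new edge `RPI2-->|session already revoked or logout_verifier reused|End2[Redirect to post_logout_redirect_uri]` always ends at End2, while the prose says Ory redirects to the `post_logout_redirect_uri` "(or the configured fallback URL)", so either this path needs a no-`post_logout_redirect_uri` branch like the `Done` node has, or the edge label should mention the fallback; and since the login session is already gone on this path, the section should say where the `post_logout_redirect_uri` comes from and whether it is validated against the client's registered URIs the same way as on first use, otherwise a reused verifier reads like a redirect that skips validation.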