Hydra not returning all iframes on front channel logout?

[icamys]

Hi team! Thank you for your fantastic product.

I am testing the OIDC front channel logout feature, and I noticed that if I go through the authorization code flow using two OAuth clients, a new Hydra authenticated session is created for each of them. As a result, when I call the /oauth2/sessions/logout?id_token_hint=..., Hydra returns an iframe with the front channel URI for a single client, as only one client is associated with the authenticated session; however, I expect two iframes to be returned to logout from both clients to perform single logout. Is this behaviour by design, or am I missing something?

Versions used:
Hydra: v2.2.0
Kratos: v1.3.1

I also deployed both Hydra and Kratos locally and used the hydra perform authorization-code command to execute the flows.

[vinckr]

Can you provide more information on what you are doing, how does the flow look step by step, what are some steps to reproduce this behaviour on our side?

In general:
Do not use iframes to embedd authentication flows! It is very unsafe, opens up clickjacking and session hijacking attacks and is also broken on most modern browsers, because e.g. safari, firefix, and brave all block cookies in iframes: https://www.ory.sh/docs/troubleshooting/iframes