When sending the following request, the request finishes successfully but the login screen is still skipped. The user doesn't need to log in again.
curl --location 'http://localhost:8080/connect/logout' \
--header 'Content-Type: application/x-www-form-urlencoded' \
--data-urlencode 'id_token_hint={id_token_hint}' \
--data-urlencode 'post_logout_redirect_uri=https://example.com'
Only when sending the request with the Cookie is the login screen presented again.
curl --location 'http://localhost:8080/connect/logout' \
--header 'Content-Type: application/x-www-form-urlencoded' \
--data-urlencode 'id_token_hint={id_token_hint}' \
--data-urlencode 'post_logout_redirect_uri=https://example.com' \
-H "Cookie: JSESSIONID={sessionId}"
Could the session be invalidated based on id_token_hint and not the Cookie value?
I found that in the class OidcLogoutEndpointFilter the logout is performed based on the provided Cookie, so if the cookie is not found, the session cannot be invalidated.