End kratos session in prelogout as well

backend/web/login/login.py

@@ -580,15 +580,32 @@ def prelogout():
 
     current_app.logger.info("Logout request hydra, subject %s", logout_request.subject)
 
-    # Accept logout request and direct to hydra to remove cookies
+    # Accept logout request. We ignore the redirect URL
+    # (`hydra_return.redirect_to`) because we also need to do the kratos logout
+    # browser flow and we can't do both.
     try:
         hydra_return = hydra_admin_api.accept_logout_request(challenge)
-        if hydra_return:
-          return redirect(hydra_return.redirect_to)
-
     except Exception as ex:
         current_app.logger.info("Error logging out hydra: %s", str(ex))
 
+    # Now start ending the kratos session.
+    kratos_cookie = get_kratos_cookie()
+    if not kratos_cookie:
+        # No kratos cookie, already logged out from kratos.
+        current_app.logger.info("Expected kratos cookie but not found. Redirecting to hydra post-logout");
+        return redirect(hydra_post_logout)
+    try:
+        # Create a Logout URL for Browsers
+        kratos_api_response = \
+            admin_frontend_api.create_browser_logout_flow(
+                cookie=kratos_cookie)
+        current_app.logger.info(kratos_api_response)
+        return render_template("clear.html",
+            url=kratos_api_response.logout_url)
+    except ory_kratos_client.ApiException as ex:
+        current_app.logger.error("Exception when calling"
+            " create_browser_logout_flow: %s\n",
+            ex)
 
     current_app.logger.info("Hydra logout not completed. Redirecting to kratos logout, maybe user removed cookies manually")
     return redirect("logout")