We are successfully using Kratos (and Oathkeeper) for enabling our users to sign in using their Microsoft Azure AD accounts. Now we want to be able to automatically sign out from Kratos when the user signs out from the Microsoft session on another page (e.g. office.com). I have entered a valid URL in the field called "Front-channel logout URL" in the Azure configuration, and it is called as expected, with a parameter called "sid" appended to the URL as a query param. (I would have expected the Kratos cookies to be appended to the request but they're not - in that case this would have been very simple)
My problem is now that I don't know what to do with this "sid". I suppose it is a (Microsoft) session id that I need to invalidate in Kratos, but I can't figure out how.
This is what the request looks like:
As you can see, no cookie, just a query param called "sid".
I asked ChatGPT and it told me I should just send a DELETE request to http://{kratos-host}:4433/session/{sessionId}. That seems simple enough, but I get an error called "security_csrf_violation", which is not totally unexpected. I also believe this "sid" is a Microsoft session id, and not a Kratos one.
I have searched my Kratos sqlite database for the sid that I get back from MS at logout, but I can't find it anywhere.
We are using Go on the backend btw.
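One way to handle the cookie-less front-channel request, as an added example that is not from the post or from Ory: record the ID token's `sid` claim against the Kratos session ID at login time, then on the Azure callback look the `sid` up and revoke the session through the Kratos admin port. The admin endpoint path `DELETE /admin/sessions/{id}` and the use of a `sync.Map` as the store are assumptions; replace the store with your database in production.

```go
package main

import (
	"fmt"
	"net/http"
	"sync"
)

// Revoker disables one Kratos session by its ID; a func type so tests can stub it.
type Revoker func(kratosSessionID string) error
// KratosAdminRevoker calls the Kratos admin API (assumed endpoint: DELETE
// {adminURL}/admin/sessions/{id}; verify against your version's API reference).
func KratosAdminRevoker(adminURL string, c *http.Client) Revoker {
	return func(id string) error {
		req, err := http.NewRequest(http.MethodDelete, adminURL+"/admin/sessions/"+id, nil)
		if err != nil {
			return err
		}
		resp, err := c.Do(req) // the admin port must only be reachable from the backend
		if err != nil {
			return err
		}
		resp.Body.Close()
		if resp.StatusCode/100 != 2 {
			return fmt.Errorf("kratos admin returned %d", resp.StatusCode)
		}
		return nil
	}
}

// FrontChannelLogout serves the URL registered in Azure. The request arrives as
// GET ...?sid=<oidc session id> with no Kratos cookie, so the only link to the
// Kratos session is a store filled at login time: store.Store(idTokenSid, kratosSessionID).
func FrontChannelLogout(store *sync.Map, revoke Revoker) http.HandlerFunc {
	return func(w http.ResponseWriter, r *http.Request) {
		sid := r.URL.Query().Get("sid")
		if sid == "" {
			http.Error(w, "missing sid", http.StatusBadRequest)
			return
		}
		// LoadAndDelete stops replay; unknown sids still get 200 so the reply reveals nothing.
		if id, ok := store.LoadAndDelete(sid); ok {
			if err := revoke(id.(string)); err != nil {
				http.Error(w, "revocation failed", http.StatusBadGateway)
				return
			}
		}
		w.WriteHeader(http.StatusOK)
	}
}
```

Mount `FrontChannelLogout` at the "Front-channel logout URL" you entered in Azure and populate the store in your OIDC login callback; the handler itself needs no CSRF token because it never touches the public Kratos API.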