Adnan

Reputation: 613

Back-channel logout using OIDC

I'm currently working on back-channel logout using OpenID. The flow, as I have understood it, goes like the following:

1- User agent (browser in my case) triggers the logout using a link to the OP.
2- OP deletes the user sessions and sends the logout token to the RP.
3- RP deletes all user sessions.

Can somebody please tell me how to get the link to the OP from the browser to trigger the request in the first place? I am using Angular 4 on the front end, if that matters.

Upvotes: 1

Views: 2460

Answers (1)

Ján Halaša

Reputation: 8431

There is a chapter about Relying Party (RP) Initiated Logout in the OpenID Connect Session Management RFC. It says the logout endpoint URL could be obtained from the end_session_endpoint element of the OpenID Provider's (OP) Discovery response. It's a JSON document usually available at

GET ${OP_BASE_URL}/.well-known/openid-configuration

If the logout endpoint is not mentioned there, the OP might publish it somewhere else, but it's implementation specific.

The event flow is a bit different:

  1. RP logs the user out first
  2. RP requests the OP to invalidate the session of the user using the logout URL
  3. OP invalidates the session

Upvotes: 1
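An added example, not part of the answer above: one way a browser client could read `end_session_endpoint` from the discovery document and build the logout link, rejecting a document whose issuer does not match or whose endpoint is not HTTPS. The host `op.example.com`, the function names and the sample values are assumptions; the `id_token_hint`, `post_logout_redirect_uri` and `state` query parameters come from the OpenID Connect RP-Initiated Logout specification, not from this page.

```javascript
// Sample discovery document, constructed for illustration (not a real OP).
const SAMPLE_DISCOVERY = {
  issuer: "https://op.example.com",
  authorization_endpoint: "https://op.example.com/authorize",
  end_session_endpoint: "https://op.example.com/logout"
};

// Validate the discovery response and return the logout endpoint as a URL.
// Function name is hypothetical.
function getEndSessionEndpoint(discovery, expectedIssuer) {
  // OIDC Discovery requires the returned issuer to equal the one queried.
  if (!discovery || discovery.issuer !== expectedIssuer) {
    throw new Error("issuer mismatch in discovery document");
  }
  if (typeof discovery.end_session_endpoint !== "string") {
    // Not advertised: the OP may publish it elsewhere (implementation specific).
    throw new Error("OP does not advertise end_session_endpoint");
  }
  const url = new URL(discovery.end_session_endpoint);
  if (url.protocol !== "https:") {
    throw new Error("end_session_endpoint must use https");
  }
  return url;
}

// Build the URL the browser navigates to after the RP has ended its own session.
function buildLogoutUrl(discovery, expectedIssuer, opts) {
  const url = getEndSessionEndpoint(discovery, expectedIssuer);
  if (opts.idTokenHint) url.searchParams.set("id_token_hint", opts.idTokenHint);
  if (opts.postLogoutRedirectUri) {
    url.searchParams.set("post_logout_redirect_uri", opts.postLogoutRedirectUri);
    // state is echoed back on the redirect so the RP can match the response.
    if (opts.state) url.searchParams.set("state", opts.state);
  }
  return url.toString();
}

// In the browser (left commented out so the example runs offline):
// const res = await fetch(issuer + "/.well-known/openid-configuration");
// window.location.assign(buildLogoutUrl(await res.json(), issuer, opts));
```
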
