Reputation: 23
Assuming I have a scenario where a user logs in to a client application via an identity provider using the OAuth2/OpenID Connect flow, how do I manage the user deciding to revoke the client's access to their profile? That is, how do I make sure the client application automatically terminates the local session?
Is there a recommended way to implement session management at the client application level when signing in using an external provider as explained above?
TL;DR: How do I implement single-sign-out using the OAuth2/OpenID Connect flow?
Upvotes: 2
Views: 397
Reputation: 4506
You can check the OpenID Session management draft:
This specification complements the OpenID Connect Core 1.0 [OpenID.Core] specification by defining how to monitor the End-User's login status at the OpenID Provider on an ongoing basis so that the Relying Party can log out an End-User who has logged out of the OpenID Provider.
There is also a bit of documentation on the subject on the internet:
You can also check how django-oidc-provider manages this: https://django-oidc-provider.readthedocs.io/en/latest/sections/sessionmanagement.html
Upvotes: 1