Hands-on with OIDC Back-channel logout

Piraveena Paralogarajah
5 min read · Jul 26, 2021

When a user initiates a logout, the identity provider logs the user out of every application that shares the current session. This process is called single logout.

OpenID Connect 1.0 is a simple identity layer on top of the OAuth 2.0 protocol. It allows Clients to verify the identity of the End-User based on the authentication performed by an Authorization Server.

The OpenID Connect logout specifications define three single-logout mechanisms: Session Management (the browser polls the session state through an iframe), Front-Channel Logout (the browser loads each application's logout URL) and Back-Channel Logout (the identity provider sends logout tokens server-to-server). This post covers the third.

(Figure: OIDC Logout mechanisms)

Back-Channel Logout in a nutshell

  • It uses direct server-to-server communication between the Identity Provider and the Relying Party, not the user's browser (hence "back channel"). It therefore also works for native applications that have no active browser.
  • In the back-channel logout mechanism, the Identity Provider (IdP) sends a signed logout token in the logout request. This is the signal from the Identity Provider to the Relying Party to terminate its application session.
  • You can refer to my previous blog to understand OIDC back-channel logout in depth.

Try out OIDC Back-channel logout with WSO2 Identity Server

Prerequisites

  1. Install JDK 8.
  2. Download Apache Tomcat 8.
  3. Map `localhost.com` to 127.0.0.1 in the `/etc/hosts` file.
  4. Download and run WSO2 Identity Server.
  5. Download the Pickup-dispatch and Pickup-manager samples and deploy them in Tomcat.
  6. Create a user (e.g. Tom) via the Management Console.

Register Pickup-dispatch and Pickup-Manager in WSO2 Identity Server

  1. Log in to the management console of WSO2 Identity Server as `admin:admin`.
  2. In the management console, navigate to Main > Service Providers > Add and register each application as a service provider.
  3. Once you register the app, navigate to Inbound Authentication Configuration > OAuth/OpenID Connect Configuration and click Configure.
  4. Provide the callback URL for the application. The callback URLs of Pickup-dispatch and Pickup-Manager are given below.

Pickup-dispatch: http://localhost.com:8080/pickup-dispatch/oauth2client
Pickup-manager: http://localhost.com:8080/pickup-manager/oauth2client

  5. Enable back-channel logout for the apps and configure the back-channel logout URL for Pickup-dispatch and Pickup-Manager.

Pickup-dispatch: http://localhost.com:8080/pickup-dispatch/bclogout
Pickup-manager: http://localhost.com:8080/pickup-manager/bclogout

  6. Click Update.

Try out the scenario

  1. Log in to Pickup-dispatch.
  2. WSO2 Identity Server prompts the login page if you are not already logged in.
  3. Enter the user's credentials and log in to Pickup-dispatch.
  4. Log in to Pickup-manager.
  5. You are logged in to Pickup-manager automatically (single sign-on).
  6. Now log out of Pickup-dispatch.
  7. Pickup-Manager is logged out automatically.

(Figure: Back-channel logout flow between Pickup-dispatch, Pickup-Manager and Identity Server)

How it works

This section walks you through the steps of the OIDC back-channel logout flow between Pickup-dispatch, Pickup-Manager and the identity provider.

As shown in the flow diagram:

  1. Pickup-dispatch and Pickup-Manager are registered with OIDC Back-Channel Logout.
  2. The user authenticates via Pickup-dispatch, and Pickup-dispatch obtains an ID token.
  3. The user single-signs-on to Pickup-Manager, and Pickup-Manager gets an ID token.
  4. The user initiates logout from Pickup-dispatch.
  5. Pickup-dispatch and Pickup-Manager receive a logout token.
  6. Pickup-Manager validates the logout token and revokes its application session.

(Pickup-dispatch can either rely on the logout token to revoke its application session, or revoke the session itself when it initiates the logout at Identity Server.)

Let's see each step in detail.

  1. Pickup-dispatch and Pickup-Manager are registered with OIDC Back-Channel Logout. (See the 'Register Pickup-dispatch and Pickup-Manager in WSO2 Identity Server' section above for how to register them.)
  2. The user authenticates via Pickup-dispatch, and Pickup-dispatch obtains an ID token.

When Pickup-dispatch authenticates the user with Identity Server, it obtains an ID token. If you decode the ID token (with a tool such as jwt.io), you can see a 'sid' claim: the identifier of the user's session at Identity Server.

Sample ID token of Pickup-dispatch:

{
  "at_hash": "V1RT5xFCOVHLsa-DOMA0qw",
  "aud": "5vikvoXCxutmGjytcDaakput6XUa",
  "c_hash": "s_XLLHi1l0DRK4uZtHtzXQ",
  "sub": "admin",
  "nbf": 1613637033,
  "azp": "5vikvoXCxutmGjytcDaakput6XUa",
  "amr": [
    "BasicAuthenticator"
  ],
  "iss": "https://localhost:9443/oauth2/token",
  "exp": 1613640633,
  "iat": 1613637033,
  "sid": "32126bbc-9ae4-4e1b-9e32-f5af1ddb4fc7"
}

3. The user single-signs-on to Pickup-Manager, and Pickup-Manager gets an ID token.

When the user initiates a login request to Pickup-Manager, the user is logged in automatically, because the user already has a session at Identity Server established via Pickup-dispatch.

Pickup-Manager obtains its own ID token. That ID token contains the same sid as Pickup-dispatch's, since both applications share one Identity Server session.

4. The user invokes logout via Pickup-dispatch.

Pickup-dispatch redirects the browser to Identity Server's logout endpoint with the id_token_hint and post_logout_redirect_uri query parameters (RP-initiated logout).

OIDC logout endpoint: https://<HOST>:<PORT>/oidc/logout
Sample URL: https://localhost:9443/oidc/logout

Identity Server terminates the session, finds every application logged in through that session (Pickup-dispatch and Pickup-Manager), signs a logout token for each of them with its private key and POSTs each token to that application's registered back-channel logout URL.

5. Pickup-dispatch and Pickup-Manager receive a logout token at their back-channel logout endpoints.

Identity Server delivers the logout token to each registered back-channel logout URL as an HTTP POST with an application/x-www-form-urlencoded body containing a single parameter, logout_token=<JWT>. Decoded, the logout token sent to Pickup-Manager looks like this (note the events claim and the absence of a nonce claim):

{
  "sub": "admin",
  "aud": "Fv7m40gUl7WT430oLUkOlCdr6X8a",
  "iss": "https://localhost:9443/oauth2/token",
  "events": {
    "http://schemas.openid.net/event/backchannel-logout": {}
  },
  "exp": 1556562242,
  "iat": 1556562122,
  "jti": "ec68f2b2-01ce-4d51-94b1-9d178eaa5f7d",
  "sid": "32126bbc-9ae4-4e1b-9e32-f5af1ddb4fc7"
}

The aud is Pickup-Manager's client ID, and the sid is the same session identifier that appeared in both applications' ID tokens, which is how Pickup-Manager finds the session to terminate.

6. Pickup-Manager validates the logout token and revokes the application session

Pickup-Manager validates the logout token as the Back-Channel Logout specification requires: it verifies the signature with Identity Server's keys (the same keys that sign ID tokens), checks that iss is Identity Server, that aud contains its own client ID, that iat is recent, that the events claim contains http://schemas.openid.net/event/backchannel-logout, that a sub or sid claim is present, that no nonce claim is present, and that the jti has not been seen before (replay protection). A token that fails any of these checks is rejected with an HTTP 400 response and no session is touched.

Pickup-Manager then uses the sid claim to find the application session mapped to that Identity Server session, terminates it and responds with HTTP 200.
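To make steps 4 to 6 concrete, here is an added, runnable example in Python; it is not WSO2 Identity Server code and not the Pickup-dispatch/Pickup-manager sample code. It builds the RP-initiated logout URL (step 4), mints one logout token per relying party in the terminated session the way an identity provider would (step 5), and validates and acts on that token at a relying party (step 6), including the rejections the spec demands (wrong audience, replayed jti, nonce present, malformed token). To stay dependency-free it signs with HS256 and a shared secret; that is an assumption of this example only, since a real Identity Server signs RS256 and the relying party verifies against its JWKS endpoint, with exactly the same claim checks. The names mint_logout_tokens, RelyingParty, handle_backchannel_logout and the in-memory session store are this example's own, and the session identifiers used in it are constructed.

```python
import base64
import hashlib
import hmac
import json
import time
import urllib.parse
import uuid

BACKCHANNEL_EVENT = "http://schemas.openid.net/event/backchannel-logout"
ISSUER = "https://localhost:9443/oauth2/token"          # issuer shown on this page
LOGOUT_ENDPOINT = "https://localhost:9443/oidc/logout"  # logout endpoint shown on this page
# Assumption of this example: HS256 with a shared secret stands in for the IdP's RS256 key pair.
SHARED_SECRET = b"example-only-hs256-secret"

def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def sign_jwt(claims: dict) -> str:
    """Compact JWS over the claims (HS256 here; a real IdP uses RS256)."""
    header = b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = b64url(json.dumps(claims).encode())
    sig = hmac.new(SHARED_SECRET, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{b64url(sig)}"

# Step 4: the RP sends the browser to the IdP's logout endpoint with id_token_hint.
def rp_initiated_logout_url(id_token: str, post_logout_redirect_uri: str) -> str:
    query = urllib.parse.urlencode({"id_token_hint": id_token,
                                    "post_logout_redirect_uri": post_logout_redirect_uri})
    return f"{LOGOUT_ENDPOINT}?{query}"

# Step 5: the IdP mints one logout token per RP that shares the terminated session.
def mint_logout_tokens(sid: str, sub: str, client_ids, now=None) -> dict:
    now = int(time.time() if now is None else now)
    tokens = {}
    for client_id in client_ids:
        tokens[client_id] = sign_jwt({
            "iss": ISSUER, "aud": client_id, "sub": sub,
            "iat": now, "exp": now + 120, "jti": str(uuid.uuid4()),
            "events": {BACKCHANNEL_EVENT: {}},
            "sid": sid,  # deliberately no "nonce": the spec forbids it in logout tokens
        })
    return tokens  # each token is then POSTed as logout_token=<JWT> to that RP's bclogout URL

# Step 6: the RP validates the logout token and terminates the matching app session.
class RelyingParty:
    def __init__(self, client_id: str):
        self.client_id = client_id
        self.sessions = {}     # app session id -> {"sub": ..., "sid": ...}, filled at login
        self.seen_jti = set()  # replay cache; prune entries by exp in a real deployment

    def validate_logout_token(self, token: str, now=None) -> dict:
        now = int(time.time() if now is None else now)
        head, body, sig = token.split(".")  # ValueError if not three segments
        if json.loads(b64url_decode(head)).get("alg") != "HS256":  # real RP: RS256 via JWKS
            raise ValueError("unexpected alg")
        expected = hmac.new(SHARED_SECRET, f"{head}.{body}".encode(), hashlib.sha256).digest()
        if not hmac.compare_digest(expected, b64url_decode(sig)):
            raise ValueError("bad signature")
        c = json.loads(b64url_decode(body))
        aud = c.get("aud") if isinstance(c.get("aud"), list) else [c.get("aud")]
        checks = [  # Back-Channel Logout 1.0, section 2.6 validation rules
            (c.get("iss") == ISSUER, "iss"),
            (self.client_id in aud, "aud"),
            (isinstance(c.get("iat"), int) and c["iat"] <= now + 60, "iat"),
            (isinstance(c.get("exp", now), int) and c.get("exp", now) >= now, "exp"),
            (isinstance(c.get("events"), dict) and BACKCHANNEL_EVENT in c["events"], "events"),
            ("sub" in c or "sid" in c, "sub or sid required"),
            ("nonce" not in c, "nonce must be absent"),
            (isinstance(c.get("jti"), str) and c["jti"] != "" and c["jti"] not in self.seen_jti,
             "jti missing or replayed"),
        ]
        for ok, reason in checks:
            if not ok:
                raise ValueError(reason)
        self.seen_jti.add(c["jti"])
        return c

    def handle_backchannel_logout(self, form_body: str) -> int:
        """Handler for POST /bclogout; body is application/x-www-form-urlencoded."""
        token = urllib.parse.parse_qs(form_body).get("logout_token", [""])[0]
        try:
            c = self.validate_logout_token(token)
        except (ValueError, TypeError):
            return 400  # spec: reject with 400 Bad Request and leave sessions alone
        if "sid" in c:  # terminate only the app session tied to this IdP session
            doomed = [k for k, v in self.sessions.items() if v["sid"] == c["sid"]]
        else:           # sub-only token: log this user out of every session at this RP
            doomed = [k for k, v in self.sessions.items() if v["sub"] == c["sub"]]
        for key in doomed:
            del self.sessions[key]
        return 200
```

The important design point is that the relying party keys its session store by the IdP's sid at login time, so that a logout token can be mapped to exactly one application session without touching anything else, and that the jti cache is consulted before any session is removed, so a captured token cannot be replayed later to log a user out on demand.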

Piraveena Paralogarajah

Software Engineer @WSO2, CSE Undergraduate @ University of Moratuwa, Former Software Engineering Intern @ WSO2