Hands-on with OIDC Back-channel logout

When a user initiates a logout, the identity provider logs the user out of every application that shares the current identity-provider session. This process is called single logout (SLO).

OpenID Connect 1.0 is a simple identity layer on top of the OAuth 2.0 protocol. It allows Clients to verify the identity of the End-User based on the authentication performed by an Authorization Server.

The OpenID Connect logout specifications define three single-logout mechanisms: RP-initiated logout with session management, front-channel logout, and back-channel logout.

OIDC Logout mechanisms

Back-Channel Logout in a nutshell

Try out OIDC Back-channel logout with WSO2 Identity Server


1. Register Pickup-dispatch and Pickup-Manager as service providers in WSO2 Identity Server.

2. Once you register the app, navigate to Inbound Authentication Configuration > OAuth/OpenID Configuration and click Configure.

3. Provide the callback URL for each application. The callback URLs of Pickup-dispatch and Pickup-Manager are given below.

Pickup-dispatch: http://localhost.com:8080/pickup-dispatch/oauth2client
Pickup-manager: http://localhost.com:8080/pickup-manager/oauth2client

4. Enable back-channel logout for both apps and configure the back-channel logout URL for Pickup-dispatch and Pickup-Manager. This is the URL to which Identity Server will POST the logout token.

Pickup-dispatch: http://localhost.com:8080/pickup-dispatch/bclogout
Pickup-manager: http://localhost.com:8080/pickup-manager/bclogout

5. Click Update.

Try out the scenario

Back-channel logout flow between Pickup-dispatch, Pickup-Manager and Identity Server

How it works

This section walks you through the steps of OIDC back-channel logout flow between Pickup-dispatch, Pickup-Manager, and identity provider.

The flow diagram above shows the steps in order; each of them is described below.

(Pickup-dispatch can either rely on the logout token to revoke its application session, or revoke the session itself at the moment it initiates the logout to Identity Server.)

When Pickup-dispatch authenticates the user against Identity Server, it obtains an ID token. If you decode the ID token (for example with jwt.io), you can see a 'sid' claim, which identifies the Identity Server session the user has just established.

Sample ID token of Pickup-dispatch (decoded payload):

{
  "at_hash": "V1RT5xFCOVHLsa-DOMA0qw",
  "aud": "5vikvoXCxutmGjytcDaakput6XUa",
  "c_hash": "s_XLLHi1l0DRK4uZtHtzXQ",
  "sub": "admin",
  "nbf": 1613637033,
  "azp": "5vikvoXCxutmGjytcDaakput6XUa",
  "amr": [ ... ],
  "iss": "https://localhost:9443/oauth2/token",
  "exp": 1613640633,
  "iat": 1613637033,
  "sid": "32126bbc-9ae4-4e1b-9e32-f5af1ddb4fc7"
}

3. User SSOs to Pickup-Manager, and Pickup-Manager gets an ID token.

When the user initiates a login request to Pickup-Manager, the login completes automatically, because the user already has an Identity Server session created through Pickup-dispatch.

Pickup-Manager obtains its own ID token. That ID token carries the same sid as Pickup-dispatch's, because both applications belong to the same Identity Server session. This shared sid is what later ties the logout token to the right application session.

4. User invokes logout via Pickup-dispatch.

Pickup-dispatch redirects the browser to Identity Server's logout endpoint with the id_token_hint and post_logout_redirect_uri query parameters (RP-initiated logout).

OIDC Logout endpoint: https://<HOST>:<PORT>/oidc/logout
Sample URL: https://localhost:9443/oidc/logout

Identity Server terminates the session, finds all the applications that logged in through that same session (Pickup-dispatch and Pickup-Manager), and sends each of them a signed logout token (a JWT) to its registered back-channel logout URL.

5. Pickup-Manager receives a logout token at its back-channel logout endpoint.

Each application with a registered back-channel logout URL (Pickup-Manager, and Pickup-dispatch as well) receives the logout token as a form-encoded POST body with a single parameter, logout_token=<JWT>. Decoded, the token looks like this:

{
  "sub": "admin",
  "aud": "Fv7m40gUl7WT430oLUkOlCdr6X8a",
  "iss": "https://localhost:9443/oauth2/token",
  "events": {
    "http://schemas.openid.net/event/backchannel-logout": {}
  },
  "exp": 1556562242,
  "iat": 1556562122,
  "jti": "ec68f2b2-01ce-4d51-94b1-9d178eaa5f7d",
  "sid": "32126bbc-9ae4-4e1b-9e32-f5af1ddb4fc7"
}

Note that the aud is Pickup-Manager's client ID, not Pickup-dispatch's, and that the sid matches the one in the ID tokens. The events claim (the spec's name for it) marks this JWT as a logout token rather than an ID token.

6. Pickup-Manager validates the logout token and revokes the application session.

Pickup-Manager validates the logout token as the Back-Channel Logout spec requires: it verifies the signature against Identity Server's keys, checks iss, aud and iat, confirms that the events claim contains the backchannel-logout event, that a sub or sid is present and that no nonce is present, and rejects a jti it has already seen. It then looks up the application session mapped to the IdP session using the sid claim.

Pickup-Manager terminates that application session. Because the request arrives server-to-server, the user's browser plays no part in this step, which is what makes back-channel logout reliable even when the browser has already left the page.
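The relying-party side of steps 4 to 6, as an added example that is not the Pickup-dispatch/Pickup-Manager sample code: building the RP-initiated logout URL, then validating a received logout token and revoking the application sessions bound to its sid. To run offline it stands in for Identity Server with a constructed fixture that signs the token with an HS256 key shared between fixture and verifier; a real RP would check the RS256 signature against the IdP's JWKS instead (for WSO2 IS that endpoint is assumed here to be https://localhost:9443/oauth2/jwks). All function names, the session store and the sample values are this example's own.

```python
"""Relying-party side of OIDC back-channel logout (added example, not the
Pickup-dispatch/Pickup-Manager sample code). HS256 with a shared key stands in
for the IdP's RS256 signature so the example runs offline."""
import base64
import hashlib
import hmac
import json
import time
from urllib.parse import urlencode

BACKCHANNEL_EVENT = "http://schemas.openid.net/event/backchannel-logout"

def _b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def build_logout_url(logout_endpoint, id_token, post_logout_redirect_uri):
    """Step 4: the RP-initiated logout request Pickup-dispatch redirects the browser to."""
    params = {"id_token_hint": id_token,
              "post_logout_redirect_uri": post_logout_redirect_uri}
    return logout_endpoint + "?" + urlencode(params)

class SessionStore:
    """Maps the IdP session id (sid claim) to this application's own session ids."""

    def __init__(self):
        self._by_sid = {}

    def bind(self, sid, app_session_id):
        self._by_sid.setdefault(sid, set()).add(app_session_id)

    def revoke_by_sid(self, sid):
        return self._by_sid.pop(sid, set())

class LogoutTokenError(Exception):
    pass

def verify_logout_token(token, key, issuer, client_id, seen_jti, now=None, max_age=120):
    """Checks from OpenID Connect Back-Channel Logout 1.0, section 2.6; returns the claims."""
    now = int(time.time()) if now is None else now
    parts = token.split(".")
    if len(parts) != 3:
        raise LogoutTokenError("not a compact JWS")
    h_b64, p_b64, s_b64 = parts
    if json.loads(_b64url_decode(h_b64)).get("alg") != "HS256":  # RS256 against the IdP JWKS in a real RP
        raise LogoutTokenError("unexpected alg")
    expected = hmac.new(key, f"{h_b64}.{p_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(s_b64)):
        raise LogoutTokenError("bad signature")
    claims = json.loads(_b64url_decode(p_b64))
    if claims.get("iss") != issuer:
        raise LogoutTokenError("wrong issuer")
    aud = claims.get("aud")
    if client_id not in (aud if isinstance(aud, list) else [aud]):
        raise LogoutTokenError("token not issued to this client")
    if not isinstance(claims.get("iat"), int) or abs(now - claims["iat"]) > max_age:
        raise LogoutTokenError("iat missing or outside the acceptance window")
    if "exp" in claims and now >= claims["exp"]:  # exp is optional for logout tokens
        raise LogoutTokenError("token expired")
    if "sub" not in claims and "sid" not in claims:
        raise LogoutTokenError("neither sub nor sid present")
    if "nonce" in claims:  # a logout token must never carry a nonce
        raise LogoutTokenError("nonce present")
    events = claims.get("events")
    if not isinstance(events, dict) or not isinstance(events.get(BACKCHANNEL_EVENT), dict):
        raise LogoutTokenError("backchannel-logout event missing")
    jti = claims.get("jti")
    if not jti or jti in seen_jti:  # replay protection inside the acceptance window
        raise LogoutTokenError("jti missing or already seen")
    seen_jti.add(jti)
    return claims

def handle_backchannel_logout(form, key, issuer, client_id, store, seen_jti, now=None):
    """Steps 5 and 6: handler behind the registered .../bclogout URL.
    `form` is the parsed POST body; returns (HTTP status, revoked app session ids)."""
    try:
        claims = verify_logout_token(form["logout_token"], key, issuer, client_id,
                                     seen_jti, now)
    except (KeyError, LogoutTokenError):
        return 400, set()
    # The page's flow keys on sid; a token carrying only sub would instead revoke all sessions of that subject.
    revoked = store.revoke_by_sid(claims["sid"]) if "sid" in claims else set()
    return 200, revoked

def make_logout_token(key, issuer, client_id, sid, jti, iat):
    """Constructed fixture standing in for Identity Server's signed logout token."""
    header = {"alg": "HS256", "typ": "JWT"}
    claims = {"iss": issuer, "aud": client_id, "iat": iat, "exp": iat + 120,
              "jti": jti, "sub": "admin", "sid": sid,
              "events": {BACKCHANNEL_EVENT: {}}}
    signing_input = (_b64url_encode(json.dumps(header).encode()) + "."
                     + _b64url_encode(json.dumps(claims).encode()))
    sig = hmac.new(key, signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + _b64url_encode(sig)
```

A second delivery of the same token is refused on its jti, a token minted for another client ID is refused on aud, and a token whose iat is older than the acceptance window is refused even if its signature is good; each rejection answers 400 without touching the session store, which is the behaviour the spec asks of a back-channel logout endpoint.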

Software Engineer @WSO2, CSE Undergraduate @ University of Moratuwa, Former Software Engineering Intern @ WSO2