OpenID Connect Logout URL Redirection¶
WSO2 Identity Server allows you to construct a logout URL so that an application can redirect to a particular logout page when the relying party (RP) sends an OpenID Connect (OIDC) logout request.
Follow the steps below to send an OIDC logout request:
Tip
An OIDC logout request is generally a GET request (i.e., you construct a URL with the necessary parameters and perform a redirection).
However, there can be instances where you cannot use a GET request as
the OIDC logout request. For example, when the generated
id_token
exceeds the maximum character limit of the
URL, and the browser truncates the URL. In such instances, you can send
the logout request as a POST request using an automatically submitting
HTML form.
To understand how you can send an OIDC logout request as a POST request, see Sending a POST request as the OIDC logout request.
-
Download and install WSO2 Identity Server. For detailed information on how to install WSO2 IS, see Installing the Product.
-
Access the Management Console via
https://localhost:9443/carbon/
. -
Navigate to Service Providers > List and Edit the service provider that you created for the OAuth2 application.
-
Edit the Callback URL field and enter a logout URL along with the callback URL that you defined when you created the service provider.
regexp=(callback_url|logout_url)
You can specify multiple callback URLs using a regex pattern as follows:
Example
regexp=(http://localhost:8080/playground2/oauth2client|http://localhost:8080/playground2/logout)
-
If the
SignJWTWithSPKey
property is set totrue
in the<IS_HOME>/repository/conf/identity/identity.xml
file, JWT is signed with the application tenant key. If the property is set tofalse
, the tenant is decided by the subject of the id token, although the subject would not contain the tenant domain by default. Therefore, you need to enable, Use tenant domain in local subject identifier in Service Provider configuration. -
Use the following cURL command to retrieve the
id_token
using the client id, client secret, and authorization code:curl -k -v --user <client_id>:<client_secret> -d "grant_type=authorization_code&code=<authorization_code>&redirect_uri=http://localhost:8080/playground2/oauth2client" https://localhost:9443/oauth2/token
Example
curl -k -v --user IaWVc3g4eemSnbWwekBg79xudZMa:PL9PxKPqGZxkpJ8X8u7g8pA_ruoa -d "grant_type=authorization_code&code=ac1b2e9e-d8d0-3f42-bdd4-dc7aab45b5dc&redirect_uri=http://localhost:8080/playground2/oauth2client" https://localhost:9443/oauth2/token
-
Use the retrieved
id_token
in the following URL to logout from the identity provider and redirect to a URL in the RP.https://localhost:9443/oidc/logout?id_token_hint=<id_token>&post_logout_redirect_uri=<redirect URI>&state=<state>
Following are the parameters you need to specify in the URL:
Parameter Description Required idp_url
The OIDC logout endpoint URL. Yes id_token_hint
The id_token
returned by the identity provider.Yes post_logout_redirect_uri
The URL to be redirected to when logging out. The value defined here should be the same as the
callbackURI
of the client application.Note
If you do not specify a value for the
post_logout_redirect_uri
parameter, users are redirected to the default logout success page of WSO2 Identity Server.Yes state
The parameter passed from the application to the identity provider to maintain any state information. This is used to correlate the logout requests and responses. If the state parameter is defined as state_1
, the logout request and response both havestate_1
in them. This makes it easy for the client to identify the request and responses.No Example
https://localhost:9443/oidc/logout?id_token_hint=eyJ4NXQiOiJObUptT0dVeE16WmxZak0yWkRSaE5UWmxZVEExWXpkaFpUUmlPV0UwTldJMk0ySm1PVGMxWkEiLCJraWQiOiJkMGVjNTE0YTMyYjZmODhjMGFiZDEyYTI4NDA2OTliZGQzZGViYTlkIiwiYWxnIjoiUlMyNTYifQ.eyJhdF9oYXNoIjoiWVZwM3JsX21vOThvVURveUMyNVJQZyIsInN1YiI6ImFkbWluIiwiYXVkIjpbIklhV1ZjM2c0ZWVtU25iV3dla0JnNzl4dWRaTWEiXSwiYXpwIjoiSWFXVmMzZzRlZW1TbmJXd2VrQmc3OXh1ZFpNYSIsImF1dGhfdGltZSI6MTUwNDU5NDUyNCwiaXNzIjoiaHR0cHM6XC9cL2xvY2FsaG9zdDo5NDQzXC9vYXV0aDJcL3Rva2VuIiwiZXhwIjoxNTA0NTk4MTUxLCJpYXQiOjE1MDQ1OTQ1NTF9.KfLa7_QkhJ3yZ1gfv6ZVh6bNkeQB1wUVp914Ek4MVnS-kXkJvBBqe6wqamp3RezNgRxsW59M-GKJUymJjalBGHPu3IglyssiubWOlXlAtkAL13n3B1tpWYwbkgkarI5elmxTwRU4yqsCRbu4T77sWmiIhTtnPEEyBMkhuQioU68&post_logout_redirect_uri=http://localhost:8080/playground2/logout&state=state_1
Sending a POST request as the OIDC logout request¶
Let's take a look at a sample scenario to understand how to send an OIDC logout request as a POST request.
Consider a scenario where a service provider builds an HTML page with the required parameters to render a page in a browser. This scenario requires an OIDC logout request sent as a POST request to the logout endpoint.
Following is a sample HTML form with the parameters you need to specify when you send an OIDC logout request as a POST request:
<html>
<body>
<p>OIDC_LOGOUT_POST</p>
<form method='post' action='$idp_url'>
<input type='hidden' name='id_token_hint' value='$id_token'/>
<input type='hidden' name='post_logout_redirect_uri' value='$callback'/>
<input type='hidden' name='state' value='$state'/>
<button type='submit'>POST</button>
</form>
<script type='text/javascript'>
document.forms[0].submit();
</script>
</body>
</html>
For descriptions of all the parameters that you need to specify in the POST request, see the parameter descriptions given above. The following code block shows a sample HTML form with sample parameter values to render the page in a browser:
<html>
<body>
<p>OIDC_LOGOUT_POST</p>
<form method='post' action='https://localhost:9443/oidc/logout'>
<p>
<input type='hidden' name='id_token_hint' value='eyJ4NXQiOiJObUptT0dVeE16WmxZak0yWkRSaE5UWmxZVEExWXpkaFpUUmlPV0UwTldJMk0ySm1PVGMxWkEiLCJraWQiOiJkMGVjNTE0YTMyYjZmODhjMGFiZDEyYTI4NDA2OTliZGQzZGViYTlkIiwiYWxnIjoiUlMyNTYifQ.eyJzdWIiOiJhZG1pbiIsImF1ZCI6WyJuNUFndEFqRmhUZXVybjE4MzhqaTMwbWhUbUFhIl0sImF6cCI6Im41QWd0QWpGaFRldXJuMTgzOGppMzBtaFRtQWEiLCJhdXRoX3RpbWUiOjE1MjIwNTI4NDYsImlzcyI6Imh0dHBzOlwvXC9sb2NhbGhvc3Q6OTQ0M1wvb2F1dGgyXC90b2tlbiIsImV4cCI6MTUyMjA1NjQ0Nywibm9uY2UiOiIxMjMzNDIzNCIsImlhdCI6MTUyMjA1Mjg0N30.g2oSoC_D88XBjN81Lgx0DmOFELO_lXVXTu2YwbZOQGiCJyJLCjwW_Q0UJimBG-ZZIJo5sPj5yrHi5wB9r-Dkr_9QOsgQc7YpiZ0hGw3x53tttxaA655kHuZCsFSJDY7nIsfH-d9Yhi-p4arfdwrrMpcvkwVoLwca1M3-1j9v3LU'/>
<input type='hidden' name='post_logout_redirect_uri' value='https://localhost/callback'/>
<input type='hidden' name='state' value='zzdfdsfdfdfd'/>
<button type='submit'>POST</button>
</p>
</form>
<script type='text/javascript'>
document.forms[0].submit();
</script>
</body>
</html>
Top