

OpenID Connect Logout URL Redirection¶

WSO2 Identity Server allows you to construct a logout URL so that an application can redirect to a particular logout page when the relying party (RP) sends an OpenID Connect (OIDC) logout request.

An OIDC logout request is generally a GET request (i.e., you construct a URL with the necessary parameters and perform a redirection).

However, there can be instances where you cannot use a GET request as the OIDC logout request. For example, when the generated id_token exceeds the maximum character limit of the URL, and the browser truncates the URL. In such instances, you can send the logout request as a POST request using an automatically submitting HTML form.

Register a service provider¶

To register your application as a service provider in the WSO2 Identity Server:

Log in to the WSO2 Identity Server Management Console using administrator credentials.
Go to Main > Identity > Service Providers > Add.
Enter a Service Provider Name. Optionally, enter a Description.
Click Register.

Configure the service provider¶

Make the following changes to the created service provider.

Expand Inbound Authentication Configuration > OAuth/OpenID Connect Configuration.
Enter the Callback Url.

Tip

For more information on Callback Url and other advanced configurations, see Advanced OpenID Connect Configurations.
Enter a logout URL along with the callback URL.
```
regexp=(callback_url|logout_url)
```
You can specify multiple callback URLs using a regex pattern as shown below.

Sample
```
regexp=(http://localhost:8080/playground2/oauth2client|http://localhost:8080/playground2/logout)
```
Click Add to save the changes.

Configure to sign the ID token¶

Open the deployment.toml file found in the <IS_HOME>/repository/conf folder.
Add the following configuration.
```
[authentication]
sign_auth_response_with_tenant_of= "sp" #user
```
Note
- If the aforementioned configuration is set to sp, the JWT is signed with the application tenant key.
- If it is set to user, the tenant is decided by the subject of the id token, though the subject would not contain the tenant domain by default. If the configured option is user, expand Local & Outbound Authentication Configuration on the management console service provider configuration and select Use tenant domain in local subject identifier.
Restart the server.

Send a GET logout request¶

Use the following cURL command to retrieve the id_token using the client ID, client secret, and authorization code.

Request Format

curl -k -v --user <client_id>:<client_secret> -d "grant_type=authorization_code&code=<authorization_code>&redirect_uri=<redirect_uri>" https://<IS_HOST>:<IS_PORT>/oauth2/token

Sample Request

curl -k -v --user IaWVc3g4eemSnbWwekBg79xudZMa:PL9PxKPqGZxkpJ8X8u7g8pA_ruoa -d "grant_type=authorization_code&code=ac1b2e9e-d8d0-3f42-bdd4-dc7aab45b5dc&redirect_uri=http://localhost:8080/playground2/oauth2client" https://localhost:9443/oauth2/token

Use the retrieved id_token in the following URL to logout from the identity provider and redirect to a URL in the relying party (RP).

Format

https://localhost:9443/oidc/logout?id_token_hint=<id_token>&post_logout_redirect_uri=<redirect URI>&state=<state>

Sample

https://localhost:9443/oidc/logout?id_token_hint=eyJ4NXQiOiJNell4TW1Ga09HWXdNV0kwWldObU5EY3hOR1l3WW1NNFpUQTNNV0kyTkRBelpHUXpOR00wWkdSbE5qSmtPREZrWkRSaU9URmtNV0ZoTXpVMlpHVmxOZyIsImtpZCI6Ik16WXhNbUZrT0dZd01XSTBaV05tTkRjeE5HWXdZbU00WlRBM01XSTJOREF6WkdRek5HTTBaR1JsTmpKa09ERmtaRFJpT1RGa01XRmhNelUyWkdWbE5nX1JTMjU2IiwiYWxnIjoiUlMyNTYifQ.eyJhdF9oYXNoIjoid3l2dExOU3VMbUpubV9FYVhWM183QSIsImF1ZCI6IllteEQwakRPSWZpQmtEOFRQTFlPZnhOU0lnNGEiLCJzdWIiOiJhZG1pbiIsInVwbiI6ImFkbWluIiwibmJmIjoxNTg3NTQyNDE5LCJhenAiOiJZbXhEMGpET0lmaUJrRDhUUExZT2Z4TlNJZzRhIiwiYW1yIjpbInBhc3N3b3JkIl0sImlzcyI6Imh0dHBzOlwvXC9sb2NhbGhvc3Q6OTQ0M1wvb2F1dGgyXC90b2tlbiIsImdyb3VwcyI6WyJBcHBsaWNhdGlvblwvVXNlciBQb3J0YWwiLCJBcHBsaWNhdGlvblwvcGlja3VwLWRpc3BhdGNoIiwiSW50ZXJuYWxcL2V2ZXJ5b25lIiwiQXBwbGljYXRpb25cL3BpY2t1cC1tYW5hZ2VyIiwiYWRtaW4iLCJBcHBsaWNhdGlvblwvbXAtand0Il0sImV4cCI6MTU4NzU0NjAxOSwiaWF0IjoxNTg3NTQyNDE5fQ.Ibguye1XxPbRgdmpMCAbHn3aNl00NWWpMubg8dKuYrO-7rP7Uh76_5LQqWdzp1dsBuPSqKATnGn95vZ4uz3yn1aB-TlsBqD6gCRc2GWO5Qk-jYfgCRZHLOrFn82f5Eaoc5p99b4lYIat6DAogS2xj3NYu_rbeo1jHDfI-CzY35X9u_w15uSLpwIxa6DPrU-0WhgSTBk_n9UGJKXdYYQipiXheVQZGAGU86IpHfMyOgd6KQrq2HTBsnFjPUSTBE0ifq2ZBGPfYKA9ESCJX2lC6h4wveqEQRkPWEsry4uYECNPyJXqbE2Kt3sLXo537W2rZpkNHL4_mWMGWv_EIdp0BQ&post_logout_redirect_uri=http://localhost:8080/playground2/logout&state=state_1

For a description of the parameters included in the URL, see logout request parameters.

Send a POST logout request¶

Sending an OIDC logout request as a POST request is useful in certain scenarios. For example, consider a service provider that builds an HTML page with the required parameters to render a page in a browser. This scenario requires an OIDC logout request sent as a POST request to the logout endpoint.

The following sample HTML form shows the parameters you need to specify when sending an OIDC logout request as a POST request.

Format

<html>
    <body>
            <p>OIDC_LOGOUT_POST</p>
            <form method='post' action='$idp_url'>
                    <input type='hidden' name='id_token_hint' value='$id_token'/>
                    <input type='hidden' name='post_logout_redirect_uri' value='$callback'/>
                    <input type='hidden' name='state' value='$state'/>
                <button type='submit'>POST</button>
            </form>
            <script type='text/javascript'>
                document.forms[0].submit();
            </script>
        </body>
</html>

Sample

<html>
    <body>
            <p>OIDC_LOGOUT_POST</p>
            <form method='post' action='https://localhost:9443/oidc/logout'>
                <p>
                    <input type='hidden' name='id_token_hint' value='eyJ4NXQiOiJObUptT0dVeE16WmxZak0yWkRSaE5UWmxZVEExWXpkaFpUUmlPV0UwTldJMk0ySm1PVGMxWkEiLCJraWQiOiJkMGVjNTE0YTMyYjZmODhjMGFiZDEyYTI4NDA2OTliZGQzZGViYTlkIiwiYWxnIjoiUlMyNTYifQ.eyJzdWIiOiJhZG1pbiIsImF1ZCI6WyJuNUFndEFqRmhUZXVybjE4MzhqaTMwbWhUbUFhIl0sImF6cCI6Im41QWd0QWpGaFRldXJuMTgzOGppMzBtaFRtQWEiLCJhdXRoX3RpbWUiOjE1MjIwNTI4NDYsImlzcyI6Imh0dHBzOlwvXC9sb2NhbGhvc3Q6OTQ0M1wvb2F1dGgyXC90b2tlbiIsImV4cCI6MTUyMjA1NjQ0Nywibm9uY2UiOiIxMjMzNDIzNCIsImlhdCI6MTUyMjA1Mjg0N30.g2oSoC_D88XBjN81Lgx0DmOFELO_lXVXTu2YwbZOQGiCJyJLCjwW_Q0UJimBG-ZZIJo5sPj5yrHi5wB9r-Dkr_9QOsgQc7YpiZ0hGw3x53tttxaA655kHuZCsFSJDY7nIsfH-d9Yhi-p4arfdwrrMpcvkwVoLwca1M3-1j9v3LU'/>
                    <input type='hidden' name='post_logout_redirect_uri' value='https://localhost/callback'/>
                    <input type='hidden' name='state' value='zzdfdsfdfdfd'/>
                    <button type='submit'>POST</button>
                </p>
            </form>
            <script type='text/javascript'>
                document.forms[0].submit();
            </script>
        </body>
</html>

For a description of the parameters included in the HTML form, see logout request parameters.

Sending logout request with encrypted id_token_hint¶

If the application uses encrypted ID tokens, application needs to send the encrypted ID token as the id_token_hint parameter value.

Since the application's private key is not available in the Identity Server, the application must send the ID token by encrypting it using the public key of the Identity Server after decrypting the obtained ID token using its private key.

For more information, see Encrypting ID tokens.

https://localhost:9443/oidc/logout?id_token_hint=eyJraWQiOiJNamxqT0dWa09UQTBZVE5oWkRCbE9Ea3habUV6WlRNNE5EYzVaakJsTmpRNVptVmpNell3WkRrMk5HWmtNVGcxTnpjM1lXRmlOamN3TWpGaE9UUmtZdyIsImN0eSI6IkpXVCIsImVuYyI6IkExMjhHQ00iLCJhbGciOiJSU0EtT0FFUCJ9.c1Avz5QLNP36V1rDTPFfwRz2B0NEJkUUQPPTb3ZrjYpCoDqFz8BGj2dft0ERMtEm3mkHfFpwCL18bEU4TQ8-z-8iRjk1QbeSZ0H91gFn15adpe52N2yjpt7aqsXqqiVW158d7-eFesYUWSVwhQEJNkvN03MvYzgkDY2fe-sRdhaNBfgGYh1NSXzhC_HEzFpD4lyTcvt-jgtG7SldLjBwe6NPF8w_bnjPSYtIYVJl9f-PbgqSsmVjp_0cNh-xDXwBOOHGeakFcgThBR09-Zf9w2ScuPdURYo2quRq29dLiLgLLQ7kpzZrY0RKTevS41_CTTCyZa8qCy0MinU1Y9Mwxg.P_6JJrBI93sPuheb.VcurLlExdNhp18I5K8xcLLdgBT71mFrAuwXB8kalhoopKAyTsz6FS-ZB5wxeT1U0loDqNTGLYp6dgBYoIty-JlICHKxxk45x6hJ5fIEgJQQUEO-cCGrTqAYGy0R8_SyyLYo4zFuREsX1TTFyDNgyqmy9perjCNcJT_2I_FoBsQdisGdAW6NcubVrLerYXFgOO_7AviThr3V6OXxiDiaBIhI8wJ81uw53G5Yql5WncYnjV4PHppf57nGTjjHNK_BiYCZ1uirBr78JULczsKi2bJo1j2XpGJMKkxLlS5IKUBtCUfimhTDjEFi7r5s1_FR5NTGdM-E2XwcC6tpLjFRF5J-GsaHNQYdLW2ipPFbqqYXXnKTi2-mZtKAoj3Q_7OFHu6CdabUK_jFp_d38o7aLkRAeSnI4RyyDw9CAAAb5CDrWSyB3Ba1Ab_w4oEv2f5csfC49rSRyRCXxdQ-Ky166y_kAyJ7UfAUsz-tKADtIcITXB6QlT1Xcdv3vNt49ZVv7elm-Onpw2KoiFAitA4FPqFERxTyxDIWF6LNQjDbeno_kWaWgeMEFwlDL7fja5oIoHn1tISF2G_S1y1pouEJld-bkX5nrh4cQMG6bHLsRfgkN1nbOPxgfDF13zq33dhMY.8xj0exlMO0tL9NDKibFbsQ
&post_logout_redirect_uri=http%3A%2F%2Flocalhost%3A8080%2Fplayground&tenant_domain=carbon.super

Logout request parameters¶

Parameter	Description	Required
`idp_url`	The OIDC logout endpoint URL.	Yes
`client_id`	The client ID obtained when registering the application in WSO2 Identity Server. Note To use the `client_id` as a logout parameter, add the following configurations to the `<IS_HOME>/repository/conf/deployment.toml` file. `[oauth.oidc.logout_params] use_client_id=true`	Yes (if the `id_token_hint` is not included)
`id_token_hint`	The `id_token` returned by the identity provider.	Yes (if the `client_id` is not included)
`post_logout_redirect_uri`	The URL to be redirected to when logging out. The value defined here should be the same as the `callbackURI` of the client application. Note If you do not specify a value for the `post_logout_redirect_uri` parameter, users are redirected to the default logout success page of WSO2 Identity Server.	Yes
`state`	The parameter passed from the application to the identity provider to maintain any state information. This is used to correlate the logout requests and responses. If the state parameter is defined as `state_1` , the logout request and response both have `state_1` in them. This makes it easy for the client to identify the request and responses.	No
`tenant_domain`	When an application sends an encrypted id_token_hint (encrypted from the WSO2 IS public certificate) in the logout flow, it should send tenant domain also as a query param.	No