Implement back-channel logout
Back-channel logout lets the authorization server log a user out of a client application by sending a logout request directly to that application's back-channel logout endpoint, server to server. Because the request never passes through the user's browser, it works even when the browser session is already closed or the client is no longer rendering pages for that user.
How it works
The underlying message flow of OpenID Connect (OIDC) back-channel logout is as follows:
- A user logout is initiated by either the client application or the authorization server.
- The authorization server identifies all client applications associated with the user's session.
- The authorization server generates a logout token, a signed JWT with a fixed set of claims (iss, aud, iat, jti, an events claim naming the back-channel logout event, and a sid and/or sub identifying the session or user; a nonce is never included), and POSTs it as the logout_token form parameter to the back-channel logout URL of each identified client application.
- Upon receiving the logout token, each client application validates it (signature, iss, aud, iat, the events claim, the absence of nonce, and a jti that has not been seen before) and then invalidates the local session matching the sid or sub. It replies 200 OK on success and 400 Bad Request if the token is invalid.
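The relying-party side of the last two steps, as an added example that is not part of this guide or of the WSO2 playground sample. It parses the POST that the authorization server sends to the back-channel logout URL, validates the logout token against the rules of OIDC Back-Channel Logout 1.0 section 2.6 (signature, iss, aud, iat, the events claim, absence of nonce, sid or sub, one-time jti) and invalidates only the local session the token names. The issuer, client ID, session identifiers and the HS256 shared key are constructed for the example; WSO2 Identity Server signs tokens with its private key, so a real client verifies against the public key published at the server's JWKS endpoint instead of a shared secret.

```python
import base64, hashlib, hmac, json, time
from urllib.parse import parse_qs

ISSUER = "https://localhost:9443/oauth2/token"   # assumed issuer of the WSO2 IS instance (all values here are constructed)
CLIENT_ID = "playground_app1_client_id"          # assumed client ID of Playground_app1
SHARED_KEY = b"example-hs256-key-for-demo-only"  # assumed; a real client verifies the server's public key from JWKS
MAX_TOKEN_AGE = 300                              # seconds a logout token stays acceptable
LOGOUT_EVENT = "http://schemas.openid.net/event/backchannel-logout"

def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def make_logout_token(sid=None, sub=None, now=None, **extra) -> str:
    """Mint a logout token the way the authorization server would (test helper only)."""
    now = int(time.time()) if now is None else now
    claims = {"iss": ISSUER, "aud": CLIENT_ID, "iat": now, "jti": f"jti-{now}-{sid or sub}",
              "events": {LOGOUT_EVENT: {}}}
    claims.update({k: v for k, v in (("sid", sid), ("sub", sub)) if v is not None})
    claims.update(extra)                        # lets callers inject bad claims (nonce, wrong aud)
    header, payload = b64url(b'{"alg":"HS256"}'), b64url(json.dumps(claims).encode())
    sig = hmac.new(SHARED_KEY, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{b64url(sig)}"

class LogoutTokenError(ValueError):
    """A rule of OIDC Back-Channel Logout 1.0, section 2.6, failed."""

def validate_logout_token(token: str, now=None, seen_jti=None) -> dict:
    """Verify the signature and every required claim; return the claims on success."""
    now = int(time.time()) if now is None else now
    try:
        head_b64, body_b64, sig_b64 = token.split(".")
        header, claims = json.loads(b64url_decode(head_b64)), json.loads(b64url_decode(body_b64))
        signature = b64url_decode(sig_b64)
    except ValueError:
        raise LogoutTokenError("token is malformed")
    if not (isinstance(header, dict) and isinstance(claims, dict) and header.get("alg") == "HS256"):  # pin alg
        raise LogoutTokenError("malformed token or unexpected alg")
    expected = hmac.new(SHARED_KEY, f"{head_b64}.{body_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, signature):
        raise LogoutTokenError("bad signature")
    if claims.get("iss") != ISSUER:
        raise LogoutTokenError("unexpected iss")
    aud = claims.get("aud")
    if CLIENT_ID not in ([aud] if isinstance(aud, str) else aud if isinstance(aud, list) else []):
        raise LogoutTokenError("token not addressed to this client")
    iat = claims.get("iat")
    if not isinstance(iat, int) or iat > now + 60 or now - iat > MAX_TOKEN_AGE:
        raise LogoutTokenError("iat missing or outside the accepted window")
    events = claims.get("events")
    if not isinstance(events, dict) or not isinstance(events.get(LOGOUT_EVENT), dict):
        raise LogoutTokenError("missing back-channel logout event")
    if "nonce" in claims:                       # nonce belongs to ID tokens; here it signals misuse
        raise LogoutTokenError("nonce must not be present")
    if "sid" not in claims and "sub" not in claims:
        raise LogoutTokenError("token carries neither sid nor sub")
    jti = claims.get("jti")
    if not isinstance(jti, str) or not jti or (seen_jti is not None and jti in seen_jti):
        raise LogoutTokenError("missing or replayed jti")
    if seen_jti is not None:                    # remember it for the token's acceptance window
        seen_jti.add(jti)
    return claims

def invalidate_sessions(sessions: dict, claims: dict) -> int:
    """Drop the local sessions (cookie -> {sub, sid}) the token designates; return how many."""
    key = "sid" if "sid" in claims else "sub"   # sid: one IdP session; sub: every session of that user
    doomed = [c for c, s in sessions.items() if s[key] == claims[key]]
    for cookie in doomed:
        del sessions[cookie]
    return len(doomed)

def handle_backchannel_logout(body: bytes, content_type: str, sessions: dict, seen_jti, now=None) -> tuple:
    """The endpoint behind the back-channel logout URL (POST /bclogout): returns (status, headers, body)."""
    headers = {"Cache-Control": "no-store"}
    tokens = parse_qs(body.decode("utf-8", "replace")).get("logout_token", [])
    if content_type.split(";")[0].strip() != "application/x-www-form-urlencoded" or len(tokens) != 1:
        return 400, headers, '{"error":"invalid_request"}'
    try:
        claims = validate_logout_token(tokens[0], now=now, seen_jti=seen_jti)
    except LogoutTokenError as err:
        return 400, headers, json.dumps({"error": "invalid_request", "error_description": str(err)})
    invalidate_sessions(sessions, claims)
    return 200, headers, ""

def deliver(token: str, sessions: dict, seen_jti=None, now=None) -> tuple:
    """Simulate the authorization server's POST of one logout token to /bclogout."""
    body = f"logout_token={token}".encode()
    return handle_backchannel_logout(body, "application/x-www-form-urlencoded", sessions, seen_jti, now)

def demo() -> dict:
    """One delivery plus a replay: the named session dies, the user's other session survives."""
    now, seen = 1_700_000_000, set()
    sessions = {"cookie-A": {"sub": "alice", "sid": "sid-111"},   # session the IdP is logging out
                "cookie-B": {"sub": "alice", "sid": "sid-222"}}   # a different IdP session; must survive
    token = make_logout_token(sid="sid-111", sub="alice", now=now)
    first, replay = deliver(token, sessions, seen, now)[0], deliver(token, sessions, seen, now)[0]
    return {"first": first, "replay": replay, "remaining": sorted(sessions)}
```

Two things the snippet assumes that a real client must arrange: the sid to session mapping only exists if the application stored the sid claim from the ID token when the user logged in, and the seen_jti set has to be shared by every instance that serves the endpoint and pruned once entries are older than MAX_TOKEN_AGE, otherwise a captured logout request can be replayed against another node.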
Prerequisites
To get started, you need to:
- Register two OIDC applications with WSO2 Identity Server. The application names used in this guide are Playground_app1 and Playground_app2.
- Download two copies of the playground sample application, since this guide uses the playground sample app. Rename the second copy playground3.war so that the two copies deploy under different context paths; the URLs in this guide use /playground2 for the first copy and /playground3 for the second.
- Configure the sample applications:
  - Copy both .war files into the <TOMCAT_HOME>/apache-tomcat-<version>/webapps folder.
  - Start the Tomcat server.
  - If required, update the <param-value> parameters for serverUrl, username and password in each application's WEB-INF/web.xml file.
  - Restart the Tomcat server if you changed a WEB-INF/web.xml file.
Configure back-channel logout
Each application's back channel logout URL must point at the deployment that holds that application's client ID: the logout token's aud claim carries the client ID, and a client that validates correctly rejects a token addressed to another client. In this guide Playground_app1 is deployed at /playground2 and Playground_app2 at /playground3.
- To configure back-channel logout for Playground_app1:
  - On the WSO2 Identity Server Console, go to Applications and select Playground_app1.
  - Go to the Protocol tab and enter the following details:

    | Field name | Value |
    | --- | --- |
    | Grant type | Implicit |
    | Back channel logout URL | http://localhost:8080/playground2/bclogout |

  - Click Update to save your configuration.
- To configure back-channel logout for Playground_app2:
  - On the WSO2 Identity Server Console, go to Applications and select Playground_app2.
  - Go to the Protocol tab and enter the following details:

    | Field name | Value |
    | --- | --- |
    | Grant type | Implicit |
    | Back channel logout URL | http://localhost:8080/playground3/bclogout |

  - Click Update to save your configuration.
Two caveats for anything beyond this local test: the Implicit grant is selected only because the playground sample uses it (the OAuth 2.0 Security Best Current Practice advises against it, and back-channel logout works the same with the authorization code grant), and a production back channel logout URL must use HTTPS, because the authorization server posts the logout token to it.
Try it out
- Access the Playground_app1 application using the following URL: http://localhost:8080/playground2/
- Click Import Photos.
- Enter the following details:

  | Field name | Value |
  | --- | --- |
  | Authorization Grant Type | Implicit |
  | Client ID | The OAuth client ID received when registering Playground_app1 in WSO2 Identity Server |
  | Callback URL | http://localhost:8080/playground2/oauth2client |
  | Authorize Endpoint | https://localhost:9443/oauth2/authorize |

- Click Authorize. You are redirected to the WSO2 Identity Server login page.
- Enter the credentials of your user account and click Sign In. You now receive an ID token.
- Access the Playground_app2 application using the following URL: http://localhost:8080/playground3/
- Repeat steps 2 to 5 for the Playground_app2 application with the following values:

  | Field name | Value |
  | --- | --- |
  | Authorization Grant Type | Implicit |
  | Client ID | The OAuth client ID received when registering Playground_app2 in WSO2 Identity Server |
  | Callback URL | http://localhost:8080/playground3/oauth2client |
  | Authorize Endpoint | https://localhost:9443/oauth2/authorize |

- Click Logout in one of the applications. You are prompted to consent to the logout.
- Give consent. You receive confirmation of a successful logout.
- Now go to the other application and reload the page. You are redirected to the playground application's login page and the Logged in user shows null: the authorization server delivered a logout token to this application's bclogout endpoint and the application invalidated its session, without the browser ever visiting that application.
You have successfully configured and tried out OIDC back-channel logout. Check the Tomcat logs in the terminal window to see the back-channel logout flow.