Project: OpenIDM
Issue: OPENIDM-16262

RFE for Identity Management (OpenIDM): OIDC Front and Back Channel Logout


Details

Zendesk ID: #57937

      Description

Using IDM and the standalone end-user-ui as the Relying Party, the customer would like IDM v7 to support OIDC Front-Channel Logout and Back-Channel Logout, as described below:

IDM v7 OIDC Front-Channel Logout

      The OpenID Connect Front-Channel Logout Specification describes a mechanism whereby front-channel communication via an End-User’s user agent is used to trigger a logout of the user at the Relying Party.

Relying Parties supporting this specification register a logout URI with the OpenID Provider as part of the client registration. The OpenID Provider then keeps track of all End-User sessions for such Relying Parties. When the End-User initiates a logout (either directly with the OpenID Provider or indirectly via the Relying Party), the OpenID Provider causes a page to be loaded in the End-User's user agent that renders the affected logout URIs, thus triggering a logout at each of the Relying Parties.

      IDM v7 OIDC Back-Channel Logout

      The OpenID Connect Back-Channel Logout Specification describes an alternative logout mechanism whereby the logout notification is sent directly from the OpenID Provider to the Relying Party server component.

Relying Parties supporting this specification register a back-channel logout URI with the OpenID Provider as part of the client registration. The OpenID Provider then keeps track of all End-User sessions for such Relying Parties. When the End-User initiates a logout (either directly with the OpenID Provider or indirectly via the Relying Party), the OpenID Provider POSTs a logout JWT to each affected Relying Party. The logout JWT is similar to an ID Token in that it contains the End-User's subject identifier and is signed with the Relying Party's public key. On receipt of the logout JWT, the Relying Party destroys the End-User's local session.
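As an added illustration of the back-channel flow described above (example code, not IDM's or the end-user-ui's implementation): the checks the Relying Party must apply to the logout JWT before destroying a local session, followed by the session teardown keyed on sid or sub. The issuer, client id, session store and the HS256 shared secret are constructed assumptions; a real OP signs asymmetrically and the RP verifies against the OP's published keys.

```python
import base64, hashlib, hmac, json, time

# Constructed demo secret: a real OP signs with its private key (e.g. RS256) and the RP verifies via the OP's JWKS.
DEMO_SECRET = b"constructed-demo-secret"
BACKCHANNEL_EVENT = "http://schemas.openid.net/event/backchannel-logout"

def b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def b64url_encode(b: bytes) -> str:
    return base64.urlsafe_b64encode(b).rstrip(b"=").decode()

def make_logout_token(claims: dict) -> str:  # simulated OP side, used only to exercise the RP side
    header = b64url_encode(json.dumps({"alg": "HS256", "typ": "logout+jwt"}).encode())
    body = b64url_encode(json.dumps(claims).encode())
    sig = hmac.new(DEMO_SECRET, f"{header}.{body}".encode(), hashlib.sha256).digest()
    return f"{header}.{body}.{b64url_encode(sig)}"

def _check(cond: bool, msg: str) -> None:
    if not cond:
        raise ValueError(msg)

def validate_logout_token(token: str, issuer: str, client_id: str, now=None) -> dict:
    """Logout Token checks from the Back-Channel Logout spec; returns the claims or raises ValueError."""
    now = time.time() if now is None else now
    parts = token.split(".")
    _check(len(parts) == 3, "malformed JWT")
    header_b64, body_b64, sig_b64 = parts
    expected = hmac.new(DEMO_SECRET, f"{header_b64}.{body_b64}".encode(), hashlib.sha256).digest()
    _check(hmac.compare_digest(expected, b64url_decode(sig_b64)), "bad signature")  # verify before trusting claims
    claims = json.loads(b64url_decode(body_b64))
    aud = claims.get("aud")
    _check(claims.get("iss") == issuer, "iss mismatch")
    _check(client_id in (aud if isinstance(aud, list) else [aud]), "aud mismatch")
    iat = claims.get("iat")  # the freshness window below is a local policy choice, not a spec value
    _check(isinstance(iat, (int, float)) and now - 300 <= iat <= now + 60, "iat missing or outside window")
    _check(bool(claims.get("jti")), "jti required for replay detection")
    _check(BACKCHANNEL_EVENT in (claims.get("events") or {}), "events lacks the backchannel-logout member")
    _check("sub" in claims or "sid" in claims, "sub or sid required")
    _check("nonce" not in claims, "nonce forbidden: an ID Token must not pass as a logout token")
    return claims

def handle_backchannel_logout(sessions: dict, token: str, issuer: str, client_id: str, now=None) -> list:
    """RP back-channel endpoint: destroy the local sessions matching sid (preferred) or sub."""
    claims = validate_logout_token(token, issuer, client_id, now)
    key = "sid" if "sid" in claims else "sub"
    victims = [k for k, s in sessions.items() if s.get(key) == claims[key]]
    for k in victims:
        del sessions[k]
    return victims
```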

      Business Value

To provide Front-Channel and Back-Channel communication (both of which rely upon the OP pushing the logout request to the RP).

People

Assignee: Tal Herman (tal.herman)
Reporter: Simon Wickham (simon.wickham)