OpenID Connect Single Logout

OpenID Connect (OIDC) Single Logout

OpenID Connect Single Logout builds on the OpenID Connect authentication protocol to enable secure logout across web applications. When a user initiates the logout process, the identity provider communicates with all connected applications to terminate the user's active sessions.

The goal of logout is to invalidate the user's active session across all connected applications.

Front Channel Logout

Front-Channel Logout uses the user's browser or user agent to propagate logout requests to all relying parties.

  • The identity provider initiates logout by rendering a page that includes iframes or redirects to each RP's logout endpoint.
  • Each RP receives the logout request through the browser and terminates the session.

Limitations:

  • Relies on browser behavior and third-party cookies, which modern browsers increasingly block.
  • Less secure and less reliable in modern browser environments as a result: an RP whose iframe never loads, or loads without its session cookie, is silently left logged in.

Back Channel Logout

Back-Channel Logout uses direct server-to-server communication between the identity provider and each relying party.

  • The OP sends a POST request to each RP's back-channel logout endpoint.
  • Each RP processes the request and terminates the session independently of the user's browser.

Limitations:

  • Requires each RP to implement a server-side logout endpoint and to keep session state that can be terminated without the user's browser being involved.
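
As an added example (not code from the original page or from any particular OP or RP product), the RP-side logic behind the back-channel endpoint described above. The OP's POST carries a Logout Token, a JWT with the claims defined in OpenID Back-Channel Logout 1.0, and the RP must validate it before touching any session; the secret, issuer, client_id and session store below are constructed fixtures, and an HS256 shared secret stands in for the RS256/JWKS verification most deployments use.

```python
import base64, hashlib, hmac, json, time

# Constructed fixtures (not from the page): HS256 client secret, OP issuer, this RP's client_id; real RPs usually verify RS256 via the OP's JWKS.
CLIENT_SECRET = b"constructed-client-secret"
EXPECTED_ISS, EXPECTED_AUD = "https://op.example", "rp-app-a"
LOGOUT_EVENT = "http://schemas.openid.net/event/backchannel-logout"
SESSIONS = {"s1": {"sub": "alice", "sid": "sid-123"}, "s2": {"sub": "bob", "sid": "sid-999"}}
SEEN_JTI = set()  # replay cache; a real one needs expiry and storage shared across workers

def _b64d(s): return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))
def _b64e(b): return base64.urlsafe_b64encode(b).rstrip(b"=").decode()
def _require(cond, msg):
    if not cond: raise ValueError(msg)

def make_logout_token(claims, secret=CLIENT_SECRET):  # only used to construct sample input
    head = _b64e(json.dumps({"alg": "HS256", "typ": "logout+jwt"}).encode())
    body = _b64e(json.dumps(claims).encode())
    sig = hmac.new(secret, f"{head}.{body}".encode(), hashlib.sha256).digest()
    return f"{head}.{body}.{_b64e(sig)}"

def validate_logout_token(token, now=None):
    """Logout Token checks from OpenID Back-Channel Logout 1.0; raises ValueError on any failure."""
    now = now or int(time.time())
    parts = token.split(".")
    _require(len(parts) == 3, "malformed token")
    head, body, sig = parts
    _require(json.loads(_b64d(head)).get("alg") == "HS256", "unexpected alg")  # rejects alg=none
    mac = hmac.new(CLIENT_SECRET, f"{head}.{body}".encode(), hashlib.sha256).digest()
    _require(hmac.compare_digest(mac, _b64d(sig)), "bad signature")
    c = json.loads(_b64d(body))
    aud = c.get("aud") if isinstance(c.get("aud"), list) else [c.get("aud")]
    _require(c.get("iss") == EXPECTED_ISS and EXPECTED_AUD in aud, "wrong iss or aud")
    _require(isinstance(c.get("iat"), int) and c["iat"] - 60 <= now < c.get("exp", c["iat"] + 300), "iat/exp out of window")
    _require("sub" in c or "sid" in c, "sub or sid required")
    _require(LOGOUT_EVENT in c.get("events", {}), "backchannel-logout event missing")
    _require("nonce" not in c, "nonce must not be present")  # a nonce would mark it as an ID Token
    _require(c.get("jti") and c["jti"] not in SEEN_JTI, "missing or replayed jti")
    SEEN_JTI.add(c["jti"])
    return c

def handle_backchannel_logout(token, now=None):
    """RP back-channel endpoint logic: returns (http_status, sessions_terminated)."""
    try:
        c = validate_logout_token(token, now)
    except (ValueError, TypeError):
        return 400, 0  # the spec calls for 400 Bad Request on a rejected token
    key, val = ("sid", c["sid"]) if "sid" in c else ("sub", c["sub"])  # sid targets one session, sub all of them
    gone = [k for k, s in SESSIONS.items() if s[key] == val]
    for k in gone: del SESSIONS[k]
    return 200, len(gone)
```

The endpoint answers 200 only after the matching sessions are gone, so the OP can treat anything else as a failed propagation worth logging.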

RP-Initiated Logout

RP-Initiated Logout occurs when a logout request originates from a Relying Party rather than the identity provider.

  • The user initiates logout from an RP (for example, by clicking a Logout button).
  • The RP sends a logout request to the OP's end session endpoint.
  • The logout request can contain an id_token_hint, which tells the OP which user session to terminate.
  • The user is prompted to confirm logging out of the OP session as well.

OIDC Single Logout Flow Example

  • A user logs out from Application A.
  • The identity provider receives the logout request.
  • The OP initiates logout propagation:
    • Via front-channel: loads iframes or redirects to other RPs.
    • Via back-channel: sends POST requests to other RPs.
  • Each RP terminates the user's session.
  • The user is fully logged out from all applications and the OP.