
Is there any plan to support Back-Channel Logout and Front-Channel Logout #1195

Closed
Scarange opened this issue Apr 28, 2023 · 5 comments
Assignees
Labels
for: stackoverflow A question that's better suited to stackoverflow.com

Comments

@Scarange

Expected Behavior
It would be nice to support Back-Channel Logout or Front-Channel Logout, where the OP can notify the RP to log out the EU, which is very helpful for some scenarios like SLO.

Current Behavior
Not yet supported.

Context
As part of the OP logging out the End-User, the OP uses the logout mechanism(s) registered by the RPs to notify any RPs logged in as that End-User that they are to likewise log out the End-User. RPs can use any of OpenID Connect Session Management 1.0 [OpenID.Session], OpenID Connect Front-Channel Logout 1.0 [OpenID.FrontChannel], and/or OpenID Connect Back-Channel Logout 1.0 [OpenID.BackChannel] to receive logout notifications from the OP, depending upon which of these mechanisms the OP and RPs mutually support.

@Scarange Scarange added the type: enhancement A general enhancement label Apr 28, 2023
@ValonRexhepi

Hello,

If I'm not mistaken, it is already implemented as discussed here.

But you need to use the 1.1 version of the Authorization Server; you can find the documentation here.

I've created the basic version of the Server as explained in the documentation and used it as an Identity Provider with Keycloak. The logout initiated by Keycloak seems to work, and the user is correctly redirected to the defined postLogoutUri.

Hope this helps.

@Scarange
Author

Scarange commented May 4, 2023

@ValonRexhepi There is a difference between RP-Initiated Logout and this question.

According to the definition of post_logout_redirect_uri in the RP-Initiated Logout specification, it is used to redirect to a page specified by the RP after the user exits the OP.
URI to which the RP is requesting that the End-User's User Agent be redirected after a logout has been performed.

Of course we can access the spring-security exit address on the jump based on this logic, but when the same user is authorized in multiple RPs, the matter becomes subtle.

Based on the RP-Initiated Logout feature, when a user initiates an exit operation through an RP, he can only log out of the current RP, and other RPs are not aware that the user has logged out without notification from the OP.

The OpenID specification defines three mechanisms that allow RPs to be aware of such session change operations, namely OpenID Connect Session Management, OpenID Connect Front-Channel Logout and OpenID Connect Back-Channel Logout. Which strategy to adopt depends on the support of the OP and RP.

According to the OpenID Connect Back-Channel Logout specification, if the OP supports Back-Channel Logout, the OpenID Connect Discovery endpoint should contain backchannel_logout_supported, which is a boolean value specifying whether the OP supports back-channel logout. It can also contain backchannel_logout_session_supported, which is a boolean value specifying whether the OP can pass a sid (session ID) Claim in the Logout Token to identify the RP session with the OP.

If the RP supports Back-Channel Logout, then a backchannel_logout_uri should be registered with the OP to receive notification of session changes.

These specifications can be used individually or together to solve problems in different scenarios, and currently the AS only supports RP-Initiated Logout.
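The comment above describes the OP side of Back-Channel Logout (the two discovery fields and the Logout Token carrying a sid) and the RP side (a registered backchannel_logout_uri). The following is an added illustration of what the RP endpoint behind that backchannel_logout_uri has to do when the OP POSTs a logout_token; it is not code from this thread or from Spring Authorization Server. Assumptions, so that it runs offline with only the standard library: the logout token is an HS256 JWS under a constructed shared secret (a real OP signs with an asymmetric key published at its jwks_uri), and the OP metadata, RP session store and jti replay cache are constructed in-memory dicts. The validation rules applied (iss, aud, iat, jti, sub and/or sid, the events member, no nonce, replay rejection) are the ones the Back-Channel Logout 1.0 specification lists for Logout Token validation.

```python
"""RP-side handling of an OpenID Connect Back-Channel Logout notification (added example)."""
import base64
import hashlib
import hmac
import json
import time

BACKCHANNEL_LOGOUT_EVENT = "http://schemas.openid.net/event/backchannel-logout"

# Constructed excerpt of the OP discovery document, with the two metadata
# fields the specification defines for back-channel logout.
OP_METADATA = {
    "issuer": "https://op.example",
    "backchannel_logout_supported": True,
    "backchannel_logout_session_supported": True,
}


def constructed_sessions():
    """Constructed RP session store: local session id -> (sub, OP session id sid)."""
    return {
        "sess-1": {"sub": "alice", "sid": "op-sid-123"},
        "sess-2": {"sub": "alice", "sid": "op-sid-456"},
        "sess-3": {"sub": "bob", "sid": "op-sid-789"},
    }


def _b64url_decode(s):
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def _b64url_encode(b):
    return base64.urlsafe_b64encode(b).rstrip(b"=").decode()


def make_logout_token(claims, secret):
    """Stand-in for the OP's signer (demo only): builds an HS256 JWS over the claims."""
    header = _b64url_encode(json.dumps({"alg": "HS256", "typ": "logout+jwt"}).encode())
    payload = _b64url_encode(json.dumps(claims).encode())
    sig = hmac.new(secret, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url_encode(sig)}"


def validate_logout_token(token, secret, issuer, client_id, seen_jti, now, max_age=120):
    """Apply the Logout Token validation rules; returns claims or raises ValueError."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWS")
    header_b64, payload_b64, sig_b64 = parts
    header = json.loads(_b64url_decode(header_b64))
    if header.get("alg") != "HS256":  # pin the expected algorithm; never accept alg=none
        raise ValueError("unexpected alg")
    expected = hmac.new(secret, f"{header_b64}.{payload_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(sig_b64)):
        raise ValueError("bad signature")
    claims = json.loads(_b64url_decode(payload_b64))
    if claims.get("iss") != issuer:
        raise ValueError("iss mismatch")
    aud = claims.get("aud")
    if client_id not in (aud if isinstance(aud, list) else [aud]):
        raise ValueError("aud does not include this RP")
    iat = claims.get("iat")
    if not isinstance(iat, int) or abs(now - iat) > max_age:
        raise ValueError("iat missing or not recent")
    jti = claims.get("jti")
    if not jti:
        raise ValueError("jti required")
    if "sub" not in claims and "sid" not in claims:
        raise ValueError("sub and/or sid required")
    events = claims.get("events")
    if not isinstance(events, dict) or not isinstance(events.get(BACKCHANNEL_LOGOUT_EVENT), dict):
        raise ValueError("events must contain the backchannel-logout member")
    if "nonce" in claims:  # a nonce marks an ID Token; a logout token must not carry one
        raise ValueError("nonce is prohibited")
    for old in [j for j, exp in seen_jti.items() if exp < now]:  # expire the replay cache
        del seen_jti[old]
    if jti in seen_jti:
        raise ValueError("jti already seen (replay)")
    seen_jti[jti] = now + max_age
    return claims


def handle_backchannel_logout(token, secret, client_id, sessions, seen_jti, now=None):
    """Process a POSTed logout_token. Returns {'ok': True, 'terminated': [...]} on success
    (the RP answers 200) or {'ok': False, 'error': reason} (the RP answers 400)."""
    now = now if now is not None else int(time.time())
    if not OP_METADATA.get("backchannel_logout_supported"):
        return {"ok": False, "error": "OP does not advertise back-channel logout"}
    try:
        claims = validate_logout_token(token, secret, OP_METADATA["issuer"], client_id, seen_jti, now)
    except ValueError as exc:
        return {"ok": False, "error": str(exc)}
    # backchannel_logout_session_supported tells the RP whether to expect a sid. With a sid,
    # only the matching session ends; with only a sub, every session of that End-User ends.
    if "sid" in claims:
        victims = [k for k, s in sessions.items() if s["sid"] == claims["sid"]]
    else:
        victims = [k for k, s in sessions.items() if s["sub"] == claims["sub"]]
    for k in victims:
        del sessions[k]
    return {"ok": True, "terminated": victims}
```

The replay cache keyed by jti is what stops a captured logout token from being resent to log the user out again later; the iat window bounds how long an entry has to live. In a multi-instance RP that cache, like the session store, has to be shared storage rather than a per-process dict.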

@sjohnr
Member

sjohnr commented May 4, 2023

@Scarange, thanks for reaching out! However, as it currently stands your issue is phrased as a question that would be better suited to Stack Overflow. We prefer to use GitHub issues only for bugs and enhancements. Feel free to update this issue with a link to the re-posted question (so that other people can find it).

Having said that, please see gh-58 which will address OpenID Connect Session Management 1.0. The above comment could be used as the basis for adding an issue to support either OpenID Connect Front-Channel Logout or OpenID Connect Back-Channel Logout, so feel free to submit a specific issue for one/both of those.

@sjohnr sjohnr closed this as completed May 4, 2023
@sjohnr sjohnr added for: stackoverflow A question that's better suited to stackoverflow.com and removed type: enhancement A general enhancement labels May 4, 2023
@sjohnr sjohnr self-assigned this May 4, 2023
@Scarange
Author

Scarange commented May 7, 2023

@sjohnr thanks for the response! I have submitted two issues for OpenID Connect Front-Channel Logout and OpenID Connect Back-Channel Logout.

@sjohnr
Member

sjohnr commented May 9, 2023

I see gh-1200 and gh-1201, thanks.
