OpenID Connect Back-channel Logout

Hiran Amarasinghe
3 min read · May 23, 2021

OpenID Connect (OIDC) is a standard identity layer on top of OAuth 2.0: OAuth 2.0 handles authorization (delegated access), and OIDC adds authentication of the end user on top of it, with the ID token as the signed proof of who signed in. It is a widely implemented standard, supported by providers such as Google, Microsoft, Facebook, Auth0, AWS Cognito, etc.

To support logout, the OIDC standard defines two mechanisms: front-channel logout (the browser is redirected or sent to each RP's logout page) and back-channel logout (the OP calls each RP directly, server to server). This article is scoped to back-channel logout. It matters in single sign-on setups, where one user holds one or more OP sessions that are shared across several relying parties. The goal of back-channel logout is to notify every affected relying party when one of those user sessions is terminated, without depending on the user's browser being present.

Terminology

  • OP - OpenID Provider, the server that authenticates the user and issues tokens
  • RP - Relying Party, the application that trusts the OP to authenticate its users

What is OIDC back-channel logout?

Simply put, it is a logout request initiated by the OP to its RPs, asking them to clear the active sessions of a user whose session has been cleared at the OP. A user's OP session can end for various reasons: the user signed out from one particular RP, the session timed out, an administrator forced the session to be cleared, etc.

Let's discuss this approach in detail

  • A user signs in to an RP through the OP. The OP creates a session on the OP side and puts the session identifier (the sid claim) into the ID token. The OP also keeps track of which RPs the user has signed in to during that session; the setup described here does this with a visited-site cookie, which records the RPs that must receive a back-channel logout when the session ends.
  • Each RP that supports session management stores the sid alongside its own local session, so that an OP session can later be mapped back to the RP sessions it created.
  • To deliver the back-channel logout, the OP records a back-channel logout URI for each RP (registered with the client as backchannel_logout_uri). The RP hosts this endpoint; the OP calls it with an HTTP POST whose application/x-www-form-urlencoded body carries a single logout_token parameter.
  • The logout token is a JWT carrying a sid and/or a sub claim (sub is the subject identifier the OP issued for the user; it is an opaque identifier, not necessarily an email address). At least one of the two must be present, and both may be. It also carries the usual iss, aud, iat and jti claims, plus an events claim whose member http://schemas.openid.net/event/backchannel-logout marks the JWT as a logout token. A logout token must not contain a nonce claim, which keeps an ID token from being passed off as a logout token. Following is a sample logout token payload:
{
  "iss": "https://server.example.com",
  "sub": "248289761001",
  "aud": "s6BhdRkqt3",
  "iat": 1471566154,
  "jti": "bWJq",
  "sid": "08a5019c-17e1-4977-8f42-65a12843ea02",
  "events": {
    "http://schemas.openid.net/event/backchannel-logout": {}
  }
}
  • On receiving the back-channel logout request, the RP validates the logout token before acting on it: it checks the signature against the OP's keys, the iss and aud claims, that iat is recent (and that exp, if present, has not passed), that the events claim names the back-channel logout event, and that no nonce claim is present. It should also record the jti so that a replayed token is rejected. The RP answers 200 OK if the logout succeeded and 400 Bad Request if the token is invalid.
  • If validation succeeds, the RP uses the sid and sub claims to find its own sessions: with a sid it terminates the RP session bound to that OP session; with only a sub it terminates every session it holds for that user. How the session is actually cleared depends on the session management technique the RP uses.
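The steps above, carried through end to end as an added example (this is not code from the original article or from any particular OP/RP product). It is stdlib-only Python: the OP side mints a logout token, the RP side exposes the back-channel logout endpoint, validates the token, and clears the matching RP sessions. Two assumptions are made for the sake of running offline: the token is HS256-signed with a constructed client secret (a production RP would normally verify an RS256 signature against the OP's JWKS instead), and the session table, client ID, issuer and sample claim values are constructed demo data.

```python
import base64
import hashlib
import hmac
import json
import time
from urllib.parse import parse_qs

# Constructed demo values; a real RP takes these from its client registration with the OP.
OP_ISSUER = "https://server.example.com"
CLIENT_ID = "s6BhdRkqt3"
CLIENT_SECRET = b"demo-client-secret-for-hs256-only"   # assumption: HS256, not the OP's RSA key
BACKCHANNEL_EVENT = "http://schemas.openid.net/event/backchannel-logout"
MAX_TOKEN_AGE = 120  # seconds; a logout token is one-shot, so demand a fresh iat


def b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def make_logout_token(claims: dict, secret: bytes = CLIENT_SECRET) -> str:
    """OP side (demo only): mint an HS256-signed JWT carrying the given claims."""
    header = b64url_encode(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    body = b64url_encode(json.dumps(claims).encode())
    sig = hmac.new(secret, f"{header}.{body}".encode(), hashlib.sha256).digest()
    return f"{header}.{body}.{b64url_encode(sig)}"


class LogoutTokenError(ValueError):
    pass


def validate_logout_token(token, secret=CLIENT_SECRET, issuer=OP_ISSUER,
                          client_id=CLIENT_ID, now=None, seen_jti=None):
    """RP side: every check the text lists; raises LogoutTokenError on any failure."""
    now = int(time.time()) if now is None else now
    parts = token.split(".")
    if len(parts) != 3:
        raise LogoutTokenError("malformed JWT")
    header = json.loads(b64url_decode(parts[0]))
    if header.get("alg") != "HS256":  # pin the expected alg; never accept 'none'
        raise LogoutTokenError("unexpected alg")
    expected = hmac.new(secret, f"{parts[0]}.{parts[1]}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, b64url_decode(parts[2])):
        raise LogoutTokenError("bad signature")
    claims = json.loads(b64url_decode(parts[1]))
    if claims.get("iss") != issuer:
        raise LogoutTokenError("wrong issuer")
    aud = claims.get("aud")
    if client_id not in (aud if isinstance(aud, list) else [aud]):
        raise LogoutTokenError("wrong audience")
    iat = claims.get("iat")
    if not isinstance(iat, int) or iat > now + 60 or now - iat > MAX_TOKEN_AGE:
        raise LogoutTokenError("iat missing or not recent")
    if "exp" in claims and now >= claims["exp"]:
        raise LogoutTokenError("token expired")
    events = claims.get("events")
    if not (isinstance(events, dict) and isinstance(events.get(BACKCHANNEL_EVENT), dict)):
        raise LogoutTokenError("events claim does not mark this as a logout token")
    if "nonce" in claims:  # forbidden: stops an ID token being replayed as a logout token
        raise LogoutTokenError("nonce present")
    if not (claims.get("sid") or claims.get("sub")):
        raise LogoutTokenError("neither sid nor sub present")
    jti = claims.get("jti")
    if not jti:
        raise LogoutTokenError("jti missing")
    if seen_jti is not None:  # replay protection: each jti is accepted exactly once
        if jti in seen_jti:
            raise LogoutTokenError("replayed jti")
        seen_jti.add(jti)
    return claims


class RpSessions:
    """RP-local session table: rp_session_id -> (sub, sid), filled in at login."""

    def __init__(self):
        self.active = {}

    def login(self, rp_session_id, sub, sid):
        self.active[rp_session_id] = (sub, sid)

    def apply_logout(self, claims):
        """sid present: end the sessions bound to that OP session; sub only: end all of the user's."""
        sid, sub = claims.get("sid"), claims.get("sub")
        doomed = [k for k, (s, i) in self.active.items()
                  if (sid is None or i == sid) and (sub is None or s == sub)]
        for k in doomed:
            del self.active[k]
        return sorted(doomed)


def backchannel_logout_endpoint(form_body, sessions, seen_jti, now=None):
    """Handle POST <backchannel_logout_uri>; returns (HTTP status, terminated RP session ids)."""
    tokens = parse_qs(form_body).get("logout_token", [])
    if len(tokens) != 1:
        return 400, []
    try:
        claims = validate_logout_token(tokens[0], now=now, seen_jti=seen_jti)
    except ValueError:  # LogoutTokenError, bad base64 and bad JSON all land here
        return 400, []
    return 200, sessions.apply_logout(claims)


if __name__ == "__main__":
    sessions = RpSessions()
    sessions.login("rp-sess-1", "248289761001", "08a5019c-17e1-4977-8f42-65a12843ea02")
    sessions.login("rp-sess-2", "248289761001", "another-op-session")
    now = 1471566154
    token = make_logout_token({"iss": OP_ISSUER, "sub": "248289761001", "aud": CLIENT_ID,
                               "iat": now, "jti": "bWJq",
                               "sid": "08a5019c-17e1-4977-8f42-65a12843ea02",
                               "events": {BACKCHANNEL_EVENT: {}}})
    seen = set()
    print(backchannel_logout_endpoint("logout_token=" + token, sessions, seen, now=now))
    print(backchannel_logout_endpoint("logout_token=" + token, sessions, seen, now=now))
```

The endpoint answers 400 for anything it cannot validate, including a second delivery of the same token, and only the session whose stored sid matches is dropped; a token that carries a sub but no sid drops every session the RP holds for that user.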

Summary

Back-channel logout is a simple, browser-independent way to notify RPs that a user's session has been terminated. The logout token is what makes it safe: its signature and claims authenticate the request as coming from the OP, and its sid and sub claims identify which session or user the RP has to log out.
