OpenID Connect Frontchannel Logout for WSO2 Identity Server


OpenID Connect Frontchannel Logout for WSO2 Identity Server

Ashen De Silva
Hi all,

Currently, I am working on OpenID Connect Frontchannel Logout support for WSO2 Identity Server.

OpenID Connect specifies the following 3 logout mechanisms:
1. Session Management
2. Backchannel Logout
3. Frontchannel Logout

Currently, IS supports SLO with Session Management, and SLO with Backchannel Logout will be available with the next release.

Advantages of OIDC Frontchannel Logout
  • Frontchannel communication takes place through the User Agent and does not require extra backchannel communication links to be established between servers
  • Logout is done simply by clearing cookies and HTML5 local storage.

The OP-Initiated Global Logout flow using OIDC Frontchannel Logout is shown below.


Procedure:
If the RP supports OIDC Frontchannel Logout, it must register a frontchannel_logout_uri which must be accessible by the User Agent during Client Registration at the OP.

Frontchannel sequence.jpg
  1. Logout is initiated on RP1 by the User Agent, and hence the user is logged out of the RP and the User Agent is redirected to the logout page of the OP.
  2. The OP requests consent from the End-User to log out of the OP. If the user consents to logout, the user session at the OP is cleared, the frontchannel_logout_uris of the RPs sharing the same user session are obtained, iframes are generated with each frontchannel_logout_uri for each RP and sent back to the User Agent to be rendered.
  3. The User Agent renders the iframes wherein each frontchannel_logout_uri is rendered. (i.e. logout is triggered in each logged-in RP)
  4. The Frontchannel Logout Endpoint of the RP receives a logout request which then clears the user's session, associated cookies and HTML5 local storage according to the sid claim included in the logout request.

--
Ashen De Silva
Intern - Software Engineering

WSO2, Inc.
Mob: +94 71 349 8442


_______________________________________________
Architecture mailing list
[hidden email]
https://mail.wso2.org/cgi-bin/mailman/listinfo/architecture
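To make steps 2 to 4 concrete, here is an added Python sketch of both sides of the flow; it is not code from this thread or from WSO2 IS. The OP appends the `iss` and `sid` query parameters that the OIDC Front-Channel Logout spec defines to each registered frontchannel_logout_uri and renders one iframe per RP; the RP endpoint verifies `iss` and `sid` against its own session store before clearing the session. The issuer, RP URIs and session ids are constructed sample values.

```python
from urllib.parse import urlencode, urlsplit, urlunsplit, parse_qs
from html import escape

# Constructed sample client registrations: client_id -> frontchannel_logout_uri.
REGISTERED_RPS = {
    "rp1": "https://rp1.example.com/oidc/frontchannel-logout",
    "rp2": "https://rp2.example.com/logout?app=portal",  # existing query string must survive
}


def logout_iframe_urls(issuer, sid, rps_in_session):
    """OP side: for every RP that shares the OP session being cleared, build the
    registered frontchannel_logout_uri with iss and sid appended as query parameters."""
    urls = []
    for client_id in rps_in_session:
        parts = urlsplit(REGISTERED_RPS[client_id])
        extra = urlencode({"iss": issuer, "sid": sid})
        query = f"{parts.query}&{extra}" if parts.query else extra
        urls.append(urlunsplit((parts.scheme, parts.netloc, parts.path, query, parts.fragment)))
    return urls


def render_logout_page(urls):
    """OP side: the page returned to the User Agent; rendering each iframe triggers one RP logout."""
    frames = "\n".join(f'<iframe src="{escape(u, quote=True)}"></iframe>' for u in urls)
    return f"<html><body>{frames}</body></html>"


def rp_frontchannel_logout(request_url, session_store, expected_iss):
    """RP side: handle a request to the Frontchannel Logout Endpoint.
    session_store is a constructed dict mapping sid -> session data.
    Returns (http_status, response_headers); the session is dropped only when
    iss and sid both match what this RP holds for the session."""
    q = parse_qs(urlsplit(request_url).query)
    iss = q.get("iss", [None])[0]
    sid = q.get("sid", [None])[0]
    # The response must not be cached, otherwise a later logout would not reach the RP.
    headers = {"Cache-Control": "no-cache, no-store", "Pragma": "no-cache"}
    if iss != expected_iss or sid not in session_store:
        return 400, headers  # unknown issuer or session: log nothing out
    session_store.pop(sid)  # clear server-side session; cookies/local storage go in the same response
    return 200, headers
```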

Re: OpenID Connect Frontchannel Logout for WSO2 Identity Server

Johann Nallathamby
Hi Omindu,

What is the status of this implementation?

Regards,
Johann.

On Tue, Oct 30, 2018 at 9:54 AM Ashen De Silva <[hidden email]> wrote:

--
Johann Dilantha Nallathamby | Associate Director/Solutions Architect | WSO2 Inc.
(m) +94 (77) 7776950 | (w) +94 (11) 2145345 | (e) [hidden email]
