OIDC backchannel logout (Spring Security)


Tobias Roland

Mar 12, 2019, 10:31:20 AM
to Pac4j users mailing list

I've been implementing OIDC support recently in my Spring Boot app. The app is mainly an API for a SPA frontend, and holds some enriched user information. I'm struggling a bit with understanding how backchannel logout is supported, and how I enable it with Pac4j.


What I understand from the OIDC Spec for backchannel logout - https://openid.net/specs/openid-connect-backchannel-1_0.html - is that:


  1. I must provide an endpoint for logout in my backend application; I'm assuming this is the logout endpoint configured in the documentation here: https://github.com/pac4j/spring-security-pac4j/wiki/Logout-configuration ?
  2. The Identity Provider should send a request to the logout endpoint when the user is signed out from the Identity Provider (say, they log out, their account is terminated or removed from the IdP, etc.)
  3. When I receive a valid call (as per the OIDC spec) on this endpoint, I must destroy the user's session with my application.


I am unable to find documentation for this backchannel behaviour in the AWS Cognito docs (the OIDC identity provider I'm using), but I'm uncertain if I've understood everything correctly.


I would much appreciate a few pointers! 

Thanks :)

Jérôme LELEU

Mar 12, 2019, 11:07:07 AM
to Tobias Roland, Pac4j users mailing list
Hi,

Yes, it seems to be the correct behavior.
Then, in pac4j, you have two logouts:
- the logout endpoint is responsible for performing the logout locally and/or by sending the user to the IdP for logout
- the callback endpoint is responsible for receiving login callbacks but also logout requests (it works this way in CAS and SAML, but it's not currently supported for OIDC).

Thanks.
Best regards,
Jérôme



Tobias Roland

Mar 12, 2019, 11:31:36 AM
to Pac4j users mailing list
Hi Jérôme, thanks for the quick reply, much appreciated.

If I wish to support this feature of OIDC, I shall have to write a custom endpoint for the time being and find a way to sign out the user myself. Is there a component of Pac4J I should consider hooking into and reusing for this?

Is OIDC backchannel logout on the roadmap for a future release?

Kind Regards,
Tobias Roland

Jérôme LELEU

Mar 12, 2019, 11:49:16 AM
to Tobias Roland, Pac4j users mailing list
Hi,

You should take a look at the OidcExtractor, whose job is to extract data in the login process. See TicketAndLogoutRequestExtractor on the CAS side.

If it's a back-channel call, you also need to rely on the LogoutHandler to track and delete the user session.

It's not on the roadmap.

Thanks.
Best regards,
Jérôme
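Putting the three steps from the first post together (receive the back-channel request, validate the logout token as section 2.6 of the spec requires, then destroy the matching local session) as an added example that is not pac4j code and not from anyone in this thread: a stdlib-only Python handler that records sessions at login and deletes them by sid or sub, in the "track and delete" role described above for a LogoutHandler. Assumed: an HS256 signature with a constructed shared secret stands in for the OP's RS256/JWKS signature check, and the issuer, client id and session store are constructed demo values.

```python
import base64, hashlib, hmac, json

# Constructed demo values. A shared HMAC secret (HS256) stands in for the OP's
# signing key; a real OP signs logout tokens with RS256, verified via its JWKS.
ISSUER = "https://idp.example.test"
CLIENT_ID = "spa-backend"
SECRET = b"constructed-demo-secret"
LOGOUT_EVENT = "http://schemas.openid.net/event/backchannel-logout"

def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()
def _b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def make_logout_token(claims: dict) -> str:
    """Build an HS256 JWT; only used here to produce sample input."""
    head = _b64url(json.dumps({"alg": "HS256"}).encode())
    body = _b64url(json.dumps(claims).encode())
    sig = hmac.new(SECRET, f"{head}.{body}".encode(), hashlib.sha256).digest()
    return f"{head}.{body}.{_b64url(sig)}"

class BackchannelLogoutHandler:
    """Validates a logout token (Back-Channel Logout 1.0, s2.6), then destroys the
    local sessions recorded under its sid (or, failing that, under its sub)."""
    def __init__(self, sessions: dict):
        self.sessions = sessions  # sid -> {"sub": ..., "session": ...}, kept at login
        self.seen_jti = set()     # replay protection: each logout token is single-use

    def handle(self, token: str, now: float) -> list:
        head, body, sig = token.split(".")
        if json.loads(_b64url_decode(head)).get("alg") != "HS256":
            raise ValueError("unexpected alg")  # reject 'none' and alg confusion
        mac = hmac.new(SECRET, f"{head}.{body}".encode(), hashlib.sha256).digest()
        if not hmac.compare_digest(mac, _b64url_decode(sig)):
            raise ValueError("bad signature")
        c = json.loads(_b64url_decode(body))
        aud = c["aud"] if isinstance(c.get("aud"), list) else [c.get("aud")]
        if c.get("iss") != ISSUER or CLIENT_ID not in aud:
            raise ValueError("iss/aud mismatch")
        if not isinstance(c.get("iat"), (int, float)) or c["iat"] > now + 60:
            raise ValueError("iat missing or in the future")
        if not isinstance(c.get("events"), dict) or LOGOUT_EVENT not in c["events"]:
            raise ValueError("events claim lacks the backchannel-logout event")
        if "nonce" in c:  # MUST be absent, so an ID Token cannot pass as a logout token
            raise ValueError("nonce present")
        if ("sub" not in c and "sid" not in c) or "jti" not in c or c["jti"] in self.seen_jti:
            raise ValueError("missing sub/sid, or missing/replayed jti")
        self.seen_jti.add(c["jti"])
        hits = [c["sid"]] if "sid" in c else [s for s, v in self.sessions.items() if v["sub"] == c["sub"]]
        return [self.sessions.pop(s)["session"] for s in hits if s in self.sessions]
```

The returned list is the local session ids that were destroyed; an empty list means the token was valid but no session was on record for that sid/sub, which the endpoint should still answer with 200 per the spec.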

Tobias Roland

Mar 12, 2019, 12:17:49 PM
to Pac4j users mailing list
Thanks Jérôme, appreciate the help.