This article describes Authlete’s support for the OpenID Connect Back-Channel Logout 1.0 specification.
The OpenID Provider (the server) generates a Logout Token and delivers it to the client's Back-Channel Logout URI in an HTTP POST request; the specification sends it as an application/x-www-form-urlencoded body with a single logout_token parameter. Upon receiving the Logout Token, the client validates it and performs logout processing for the end-user and/or session it identifies.
A Logout Token is a JWT whose typ header parameter is defined as logout+jwt. Its payload contains either the sub claim, the sid claim, or both; these claims identify the logout target (the end-user, one session of that end-user, or both). The payload also carries an events claim whose member http://schemas.openid.net/event/backchannel-logout marks the JWT as a logout event, and it must not contain a nonce claim, which keeps an ID Token from being passed off as a Logout Token.
Authlete provides an API for generating Logout Tokens.
The API path is /api/{serviceId}/backchannel/logout/token.
The request body format is either application/json or application/x-www-form-urlencoded.
The request parameters are as follows.
| Request Parameter | Necessity | Description |
|---|---|---|
| clientIdentifier | REQUIRED | The client identifier. |
| subject | OPTIONAL | The subject (identifier) of the end-user. The specified value is used as the value of the sub claim in the Logout Token. Either this subject parameter or the sessionId parameter must be specified. A Logout Token that carries only sub identifies every session the end-user has at the client. |
| sessionId | OPTIONAL | The session ID. The specified value is used as the value of the sid claim in the Logout Token. Either this sessionId parameter or the subject parameter must be specified. A Logout Token that carries sid identifies one specific session. Both parameters may be given together, as in the example below. |
The response parameters are as follows.
| Response Parameter | Description |
|---|---|
| logoutToken | The generated Logout Token. |
| backchannelLogoutUri | The value of the client's backchannel_logout_uri metadata parameter, i.e. the endpoint the Logout Token should be POSTed to. |
| action | Indicates the next action that the server should take. Possible values are OK, SERVER_ERROR, and CALLER_ERROR. OK indicates that the Logout Token was generated successfully; CALLER_ERROR indicates a problem with the request itself (such as a missing required parameter), and SERVER_ERROR an error on the Authlete side. |
| resultCode | A code representing the result of the API call (a parameter included in almost all Authlete API responses). |
| resultMessage | A message describing the result of the API call (a parameter included in almost all Authlete API responses). |
The following is an example API call.
curl --oauth2-bearer ${ACCESS_TOKEN} \
https://${AUTHLETE_SERVER}/api/${SERVICE_ID}/backchannel/logout/token \
--json '{
"clientIdentifier": "client001",
"subject": "user001",
"sessionId": "sid001"
}'
The following is an example API response.
{
"action": "OK",
"logoutToken": "eyJhbGciOiJFUzI1NiIsInR5cCI6ImxvZ291dCtqd3QiLCJraWQiOiIzVFNzM0U4djc3cXhQckhCNUtDendYY3RRajhJY0FBbHRuMThVYWZ1T1RzIn0.eyJpc3MiOiJodHRwczovL3RyaWFsLmF1dGhsZXRlLm5ldCIsInN1YiI6InVzZXIwMDEiLCJhdWQiOiJjbGllbnQwMDEiLCJpYXQiOjE3Nzg0NjE1NjIsImV4cCI6MTc3ODQ2MTY4MiwianRpIjoiMzBhNjljZTctMTQ0YS00MTc5LWIzOGItMTMyNDc1ZDk3Y2E4Iiwic2lkIjoic2lkMDAxIiwiZXZlbnRzIjp7Imh0dHA6Ly9zY2hlbWFzLm9wZW5pZC5uZXQvZXZlbnQvYmFja2NoYW5uZWwtbG9nb3V0Ijp7fX19.rmckdJrYEZg5i085KFMXLpHkPLHe63sjk8Qr9UwRJKBEAIueJomJ0DdzbOybm4475_DtP8wxkhAG0hE_YZgYyQ",
"backchannelLogoutUri": "https://client.example.com/logout",
"resultCode": "A518001",
"resultMessage": "[A518001] A Logout Token for the client 'client001' was issued successfully."
}
Decoding the header and payload of the Logout Token included in this example yields the following.
{
"alg": "ES256",
"typ": "logout+jwt",
"kid": "3TSs3E8v77qxPrHB5KCzwXctQj8IcAAltn18UafuOTs"
}
{
"iss": "https://trial.authlete.net",
"sub": "user001",
"aud": "client001",
"iat": 1778461562,
"exp": 1778461682,
"jti": "30a69ce7-144a-4179-b38b-132475d97ca8",
"sid": "sid001",
"events": {
"http://schemas.openid.net/event/backchannel-logout": {}
}
}
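The receiving side of the flow, as an added example that is not part of this article or of Authlete's software: a relying party that accepts a token shaped like the one decoded above, applies the Logout Token validation rules of the specification (pinned alg, signature, iss, aud, iat and exp, the events member, sub or sid present, nonce absent, jti not replayed) and then terminates the matching session or sessions. It is written in Go because the standard library covers ES256 JWS without third-party packages. The signing routine, the key pair, the session table and the jti values are constructed stand-ins: in production the token is the logoutToken from Authlete's response, and the OP's public key is taken from the OP's JWK Set using the kid header.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"fmt"
	"math/big"
	"strings"
	"time"
)

// Constructed stand-ins for the values in the page's example; this is not Authlete's code.
const issuer, clientID = "https://trial.authlete.net", "client001"
const logoutEvent = "http://schemas.openid.net/event/backchannel-logout"

var b64 = base64.RawURLEncoding

// signLogoutToken stands in for Authlete's /api/{serviceId}/backchannel/logout/token so this runs offline.
func signLogoutToken(key *ecdsa.PrivateKey, claims map[string]any) (string, error) {
	hdr, _ := json.Marshal(map[string]string{"alg": "ES256", "typ": "logout+jwt", "kid": "demo-key"})
	pl, _ := json.Marshal(claims)
	input := b64.EncodeToString(hdr) + "." + b64.EncodeToString(pl)
	digest := sha256.Sum256([]byte(input))
	r, s, err := ecdsa.Sign(rand.Reader, key, digest[:])
	if err != nil {
		return "", err
	}
	sig := make([]byte, 64) // JWS ES256 signatures are r||s as two 32-byte integers, not DER
	r.FillBytes(sig[:32])
	s.FillBytes(sig[32:])
	return input + "." + b64.EncodeToString(sig), nil
}

// logoutClaims mirrors the decoded payload on the page (encoding/json matches field names case-insensitively).
type logoutClaims struct {
	Iss, Sub, Sid, Jti, Aud string // Authlete emits a single-string aud; an aud array fails closed here
	Iat, Exp                int64
	Nonce                   json.RawMessage
	Events                  map[string]json.RawMessage
}

// RelyingParty is the client side: the OP's key, live sessions (sid -> sub) and consumed jti values.
type RelyingParty struct {
	OPKey    *ecdsa.PublicKey
	Sessions map[string]string
	SeenJTI  map[string]bool
}

// HandleLogoutToken applies the checks of Back-Channel Logout 1.0 section 2.6, then ends the matching session(s).
func (rp *RelyingParty) HandleLogoutToken(token string, now time.Time) error {
	parts := strings.Split(token, ".")
	if len(parts) != 3 {
		return fmt.Errorf("not a compact JWS")
	}
	var hdr struct{ Alg, Typ string } // alg is pinned to what the OP uses; "none" is never honoured
	if h, _ := b64.DecodeString(parts[0]); json.Unmarshal(h, &hdr) != nil || hdr.Alg != "ES256" || (hdr.Typ != "" && hdr.Typ != "logout+jwt") {
		return fmt.Errorf("header rejected: alg=%q typ=%q", hdr.Alg, hdr.Typ)
	}
	digest := sha256.Sum256([]byte(parts[0] + "." + parts[1]))
	if sig, _ := b64.DecodeString(parts[2]); len(sig) != 64 || !ecdsa.Verify(rp.OPKey, digest[:], new(big.Int).SetBytes(sig[:32]), new(big.Int).SetBytes(sig[32:])) {
		return fmt.Errorf("signature verification failed")
	}
	var c logoutClaims // parsed only after the signature is good
	if p, _ := b64.DecodeString(parts[1]); json.Unmarshal(p, &c) != nil {
		return fmt.Errorf("payload is not a JSON object")
	}
	switch {
	case c.Iss != issuer || c.Aud != clientID || c.Events[logoutEvent] == nil:
		return fmt.Errorf("iss, aud or events check failed")
	case c.Iat == 0 || now.Sub(time.Unix(c.Iat, 0)) > 5*time.Minute || (c.Exp != 0 && now.Unix() > c.Exp):
		return fmt.Errorf("iat too old or token expired")
	case (c.Sub == "" && c.Sid == "") || len(c.Nonce) > 0:
		return fmt.Errorf("need sub or sid, and nonce must be absent")
	case c.Jti == "" || rp.SeenJTI[c.Jti]:
		return fmt.Errorf("missing or replayed jti")
	}
	rp.SeenJTI[c.Jti] = true
	for sid, sub := range rp.Sessions { // a sid ends one session; a bare sub ends all of that user's
		if (c.Sid != "" && sid == c.Sid) || (c.Sid == "" && sub == c.Sub) {
			delete(rp.Sessions, sid)
		}
	}
	return nil
}

func main() {
	key, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	rp := &RelyingParty{OPKey: &key.PublicKey, SeenJTI: map[string]bool{}, Sessions: map[string]string{"sid001": "user001"}}
	tok, _ := signLogoutToken(key, map[string]any{"iss": issuer, "aud": clientID, "sub": "user001", "sid": "sid001", "jti": "jti-1",
		"iat": time.Now().Unix(), "exp": time.Now().Add(2 * time.Minute).Unix(), "events": map[string]any{logoutEvent: map[string]any{}}})
	fmt.Println("deliver:", rp.HandleLogoutToken(tok, time.Now()), "| replay:", rp.HandleLogoutToken(tok, time.Now()), "| left:", len(rp.Sessions))
}
```

The back-channel logout endpoint wraps HandleLogoutToken: read the logout_token form parameter, answer HTTP 200 when it returns nil and 400 otherwise. A missing typ is tolerated but any other typ value is rejected, and an aud array makes JSON decoding fail, which is the safe direction. In a real deployment the SeenJTI set must be pruned by the exp value, and the iat window should match the clock skew the OP and RP agree on.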
The OpenID Connect Back-Channel Logout 1.0 specification defines
two server metadata parameters and two client metadata parameters.
Corresponding properties have been added to Authlete’s Service and Client
models as well.
| Service Property | Description |
|---|---|
| backchannel_logout_supported (server metadata parameter) | This boolean property indicates whether this service supports the OpenID Connect Back-Channel Logout 1.0 specification. It corresponds to the backchannel_logout_supported server metadata parameter defined in the specification. |
| backchannel_logout_session_supported (server metadata parameter) | This boolean property indicates whether this service supports the sid claim in Logout Tokens. It corresponds to the backchannel_logout_session_supported server metadata parameter defined in the OpenID Connect Back-Channel Logout 1.0 specification. If this property is set to true, calls to the /api/{serviceId}/backchannel/logout/token API should include the sessionId request parameter, whose value is embedded in the Logout Token as the value of the sid claim. Likewise, calls to the Authlete API that issues ID Tokens should include the sessionId request parameter, whose value is embedded in ID Tokens as the value of the sid claim, so that the client can match the sid in a later Logout Token to the session it established from that ID Token. |
| Client Property | Description |
|---|---|
| backchannel_logout_uri (client metadata parameter) | The Back-Channel Logout URI defined in the OpenID Connect Back-Channel Logout 1.0 specification. It must be a URL reachable over HTTP because HTTP POST requests containing a Logout Token are sent to the endpoint. It corresponds to the backchannel_logout_uri client metadata parameter defined in the specification. The URL must consist only of ASCII characters and must not exceed 200 characters in length. The scheme must be either https or http (the specification recommends https, so reserve http for local testing), and the URL must not contain a fragment component. The configured value is included in the response from the /api/{serviceId}/backchannel/logout/token API as the value of the backchannelLogoutUri parameter. |
| backchannel_logout_session_required (client metadata parameter) | This boolean property indicates whether this client requires Logout Tokens to include the sid claim. It corresponds to the backchannel_logout_session_required client metadata parameter defined in the OpenID Connect Back-Channel Logout 1.0 specification. |
Support for the OpenID Connect Back-Channel Logout 1.0 specification is available starting with Authlete version 3.0.32. For more information, please contact us via the contact form.