End Session Guide
Delete access/refresh tokens on logout
When enabled, This will delete any access tokens and refresh tokens for a given session when the End-Session endpoint is called. It is advised to use this when
using the client authentication method
PKCE. Note: If a client enables SAML SLO
and does not use refresh tokens, the tokens will be removed regardless of this setting.
Post Logout Redirect URIs
After hitting the end session endpoint, you most likely would like your RP to be redirected back to one of your own pages. You can configure one
primary/default URI and many additional URIs that you will allow the OP to redirect the RP to. When making a request to the endpoint, you can specify a
post_logout_redirecturi as part of your request but it must match one of the configured urls in the OpenID Client Configuration. If no URI is specified in the
request, it will fallback to the default or not redirect at all if nothing is configured.
Front-Channel Logout support
Onegini's OP implementation also has support for OpenID Connect Front-Channel Logout 1.0. You
can configure a Front-Channel logout URI in the admin console. This URI will be included in the end session html as an iFrame that will execute a
GET request towards a particular URI. This is most commonly used to help with Single Logout (SLO) in the Relying Party's application(s).
Diagram of flow
RP logout + Front Channel (3 RPs)
The steps described below occur only once the session has already been established at the RP and OP.
- End user wishes to logout and clicks a logout link for RP1 (or any of them).
- User agent triggers the end session url on the OP
- It should be triggered with at least an
id_token_hintand optionally a
post_logout_redirect_uri. It should be included if the User Agent wishes to redirect to a specific URI after a successful logout.
- OP invalidates its own session which links to all three RP's in it.
- OP generates a logout page that contains an iFrame for each RP that was in that particular session and returns it to the User Agent.
- User Agent renders the logout page which triggers requests to the RPs to invalidate the sessions. RP's should have a reachable URIs which trigger an end in the session on the RP.
- Each RP receives the request independently, destroys its own session, and clean up cookies/storage
- User Agent displays a successfully logged out page or has redirected to another page based on the
post_logout_redirect_urithat was specified in step 1.
To see an example of the html, refer to the End Session API.