The `oidc_backchannel_logout` feature supports, as defined in the RFC, logging out of all RPs as a consequence of logging out of the OP: RPs register a "backchannel logout URL" with the OP, and the OP makes an HTTP request to that URL after a successful logout.
It also supports session identification via the ID token `sid` claim (which can also be disabled).
The way to enable it is as follows:

```ruby
plugin :rodauth do
  enable :oidc_backchannel_logout
end
```
When enabled, the OpenID discovery endpoint will advertise support for backchannel logout; if you are also using `oidc_dynamic_client_registration`, the registration parameters defined in the RFC will be supported as well.
By default, backchannel requests are performed sequentially, one per logged-in RP, using `net-http`. If you'd like to parallelize them or use a different HTTP client, override the `perform_logout_requests` auth method.
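As an added illustration (not rodauth-oauth's own code), the following is one way such an override could fan the notifications out in parallel with plain `net/http`. It assumes the method receives a list of entries shaped like `{ url: ..., logout_token: ... }`, which is a hypothetical calling convention; check the gem's source for the real arguments. It keeps the spec's wire format (a form-encoded POST carrying a single `logout_token` parameter), applies short timeouts so one unresponsive RP cannot stall the OP's logout, and records per-RP failures instead of raising, so the OP's own session still ends.

```ruby
require "net/http"
require "uri"

# Hypothetical timeouts for this example; tune to your deployment.
OPEN_TIMEOUT = 2
READ_TIMEOUT = 3

# Build the POST the backchannel logout spec requires: an
# application/x-www-form-urlencoded body with one logout_token parameter.
def build_logout_request(url, logout_token)
  uri = URI.parse(url)
  req = Net::HTTP::Post.new(uri)
  req.set_form_data("logout_token" => logout_token)
  [uri, req]
end

# Default sender: real Net::HTTP over TLS (certificate verification is the
# default for use_ssl) with bounded timeouts. Injected so it can be swapped
# for another client, or for a fake in tests.
DEFAULT_SENDER = lambda do |uri, req|
  Net::HTTP.start(uri.host, uri.port,
                  use_ssl: uri.scheme == "https",
                  open_timeout: OPEN_TIMEOUT,
                  read_timeout: READ_TIMEOUT) do |http|
    http.request(req)
  end
end

# Notify every RP concurrently, one thread per entry (assumed entry shape:
# { url: "<backchannel_logout_uri>", logout_token: "<signed JWT>" }).
# Returns url => { status: <HTTP status or :error>, ok: true/false }.
# Per the spec, only HTTP 200 counts as the RP having logged the session out.
def perform_logout_requests(entries, sender: DEFAULT_SENDER)
  threads = entries.map do |entry|
    Thread.new do
      uri, req = build_logout_request(entry[:url], entry[:logout_token])
      begin
        resp = sender.call(uri, req)
        code = resp.code.to_i
        [entry[:url], { status: code, ok: code == 200 }]
      rescue StandardError => e
        # A failing RP is recorded for audit, never allowed to abort the OP logout.
        [entry[:url], { status: :error, ok: false, error: e.class.name }]
      end
    end
  end
  threads.map(&:value).to_h
end
```

The returned hash is worth logging on the OP side: an RP that keeps answering with an error or timing out is an RP whose sessions are not actually being terminated, which is the risk backchannel logout exists to close.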