RP-Initiated Logout

The oidc_rp_initiated_logout feature adds support for OpenID Connect Relying Party (RP) initiated logout. It allows client applications to invalidate a user's session at the IdP and then have the user rerouted back to the application.

How to enable it

The way to enable it is as follows:

plugin :rodauth do
  enable :oidc_rp_initiated_logout
end

When enabled, the OpenID discovery endpoint exposes the oidc-logout URL as the end_session_endpoint, as per the spec.

URL

Only logged-in users can access the following endpoint.

GET|POST /oidc-logout

Client applications can use either GET or POST to start the logout journey, depending on their security constraints. The following parameters can therefore be sent in x-www-form-urlencoded format, either in the URI query string (for GETs) or in the form-data body (for POSTs).

  • id_token_hint: the ID token of the user that will be logged out;
  • post_logout_redirect_uri: the URL to redirect to after the IdP session is logged out. This field is optional; when it is not passed, the user remains at the IdP after being logged out. When passed, it is validated against the post-logout redirect URI (or URIs) registered for the RP application, after which the user is redirected to it.

DB

In order for the "post logout redirect uri" to be validated, the client application must be able to register it (or them: more than one URI is allowed, whitespace-separated). How you expose this option is beyond the scope of rodauth-oauth or the RFC.

You should therefore add the column named by the oauth_applications_post_logout_redirect_uris_column setting to the oauth_applications table.
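The following Ruby snippet is an added example, not code from rodauth-oauth, illustrating both the endpoint parameters described in the URL section and the whitespace-separated registration described in the DB section. The discovery document, the ID token value and the registered URIs are constructed sample data, and the function names (build_logout_url, post_logout_redirect_uri_allowed?, resolve_logout_redirect) are hypothetical helpers, not the library's API. The RP side reads end_session_endpoint from discovery and builds the GET request; the IdP side matches the requested post_logout_redirect_uri exactly against the registered list, so a look-alike URI that merely shares a registered prefix is rejected.

```ruby
require "json"
require "uri"

# Constructed sample discovery document (not a real IdP response).
DISCOVERY_JSON = <<~DOC
  {
    "issuer": "https://idp.example.com",
    "end_session_endpoint": "https://idp.example.com/oidc-logout"
  }
DOC

# Constructed value for the RP's registered post-logout redirect URIs,
# stored whitespace-separated as described in the DB section.
REGISTERED_POST_LOGOUT_URIS =
  "https://rp.example.com/logged-out https://rp.example.com/bye"

# RP side: read end_session_endpoint from the discovery document and build
# the GET logout URL carrying id_token_hint and an optional
# post_logout_redirect_uri (hypothetical helper).
def build_logout_url(discovery_json, id_token:, post_logout_redirect_uri: nil)
  endpoint = JSON.parse(discovery_json).fetch("end_session_endpoint")
  params = { "id_token_hint" => id_token }
  params["post_logout_redirect_uri"] = post_logout_redirect_uri if post_logout_redirect_uri
  uri = URI(endpoint)
  uri.query = URI.encode_www_form(params)
  uri.to_s
end

# IdP side: exact string match against the registered list. No prefix or
# wildcard matching, so a URI that only starts with a registered one, or
# appends a path segment, does not pass (hypothetical helper).
def post_logout_redirect_uri_allowed?(registered, requested)
  return false if requested.nil? || requested.empty?
  registered.to_s.split(/\s+/).reject(&:empty?).include?(requested)
end

# Parse the x-www-form-urlencoded parameters (query string for GET, body for
# POST) and decide where the user goes after logout:
#   nil        -> parameter absent, user stays at the IdP
#   :rejected  -> parameter present but not registered, do not redirect
#   String     -> the validated redirect target
def resolve_logout_redirect(encoded_params, registered)
  params = URI.decode_www_form(encoded_params).to_h
  requested = params["post_logout_redirect_uri"]
  return nil if requested.nil?
  post_logout_redirect_uri_allowed?(registered, requested) ? requested : :rejected
end

if $PROGRAM_NAME == __FILE__
  url = build_logout_url(DISCOVERY_JSON,
                         id_token: "ID_TOKEN_PLACEHOLDER",
                         post_logout_redirect_uri: "https://rp.example.com/logged-out")
  puts url
  puts resolve_logout_redirect(URI(url).query, REGISTERED_POST_LOGOUT_URIS).inspect
end
```

The registered list is split on whitespace and compared with include?, which is the behaviour a reviewer should expect from any post-logout redirect validation: the only safe comparison is equality with a registered value, never a substring or prefix test.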
