OAuth single logout

DXA supports the following OpenID Connect logout specifications when acting as an OpenID Provider (OP):

DXA does not yet support OAuth Single Logout when acting as a Relying Party (RP).

Front-Channel vs Back-Channel Notifications

Front-Channel Logout

  • Browser-based iFrames for each RP (hidden iFrames nested in the DXA logout page).

  • Requires user agent.

  • RP typically destroys local session via browser.

Back-Channel Logout

  • Server-to-server request from DXA to RP including a logout token.

  • RP must validate the logout token and terminate local session.

  • Works even if user’s browser is closed.

  • The DXA server must be able to reach the RP server directly.

If a client registers both frontchannel_logout_uri and backchannel_logout_uri, DXA uses both mechanisms.

High-Level OAuth Single Logout Flow

  1. A logout request is received at the OP logout endpoint, that must include the id_token_hint parameter.

  2. DXA extracts the sid and identifies all tokens in the session.

  3. DXA determines:

    • which clients must be logged out,

    • which require consent.

  4. If necessary, the user is shown a consent screen.

  5. DXA sends:

    • Front-channel logout notifications,

    • Back-channel logout notifications.

  6. DXA invalidates access/refresh tokens locally.

  7. DXA optionally invalidates the DXA session itself.

  8. User is redirected to the post-logout page.

Configuring OAuth Single Logout

To enable OAuth Single Logout:

  1. Navigate to: Configuration → Federation → OAuth → Server endpoints → <your OAuth server>.

  2. Create a new Protected endpoint: Protected endpoint type: Logout.

  3. Assign a Single Logout configuration to this endpoint. The configuration of single logout is described in the section Single Logout.

OAuth Single Logout Behavior Overview

  • Logout is session-based. Only tokens issued using the same DXA session (same sid) participate in logout.

  • RP-Initiated Logout can only be triggered using an OpenID token, the id_token_hint parameter is mandatory.

  • DXA includes the sid claim in OpenID tokens. This value identifies the session and is used in logout notifications. All the tokens issued in the same session share the same sid.

  • Clients request logout notifications by registering:

    • backchannel_logout_uri

    • frontchannel_logout_uri

    • If both are registered, both mechanisms are used.

  • Access and refresh tokens are also invalidated on the OP, but no notifications are sent for them (no standard exists).

  • If a client belongs to Consent SLO peers, the user is prompted to choose which tokens from this client should be logged out.

For the policies regarding token invalidation and logout notifications, the system does not differentiate between client initiating the logout and other clients in the session. All clients are treated equally. Meaning if the client initiating the logout belongs to Consent SLO peers, the user will be prompted for consent for logging out this client’s tokens as well.