Update 2024-02-13-24.0.0.2-beta.adoc
dmuelle committed Feb 12, 2024
1 parent 1b44b2e commit 1d8481e
Showing 1 changed file with 18 additions and 10 deletions.
28 changes: 18 additions & 10 deletions posts/2024-02-13-24.0.0.2-beta.adoc
Expand Up @@ -29,31 +29,31 @@ Previously, OpenID Connect servers could notify OpenID Connect clients that a us

== Back-channel logout support for OpenID Connect clients

With this release, back-channel logout support for OpenID clients is enabled by default when the link:{url-prefix}/docs/latest/reference/feature/openidConnectClient.html[OpenID Connect Client] and link:{url-prefix}/docs/latest/reference/feature/socialLogin.html[Social Media Login] features are enabled. When either of these features are enabled and an `openidConnectClient` or a `socialLogin` element is defined in the `server.xml` file, back-channel logout endpoints are also automatically enabled on the OpenID Connect client. The OpenID Connect server sends back-channel logout requests to these endpoints to log out the user at the OpenID Connect client. The OpenID Connect server needs the absolute URI of the back-channel logout endpoint to send the back-channel logout requests. The following back-channel logout endpoints are enabled for those features:
With this release, back-channel logout support for OpenID Connect clients is enabled by default when the link:{url-prefix}/docs/latest/reference/feature/openidConnectClient.html[OpenID Connect Client] and link:{url-prefix}/docs/latest/reference/feature/socialLogin.html[Social Media Login] features are enabled. When either of these features are enabled and an `openidConnectClient` or a `socialLogin` element is defined in the `server.xml` file, back-channel logout endpoints are also automatically enabled on the OpenID Connect client. The OpenID Connect server sends back-channel logout requests to these endpoints to log out the user at the OpenID Connect client. The OpenID Connect server needs the absolute URI of the back-channel logout endpoint to send the back-channel logout requests. The following back-channel logout endpoints are enabled for those features:

* OpenID Connect Client: `/oidcclient/backchannel_logout/{clientId}`
* Social Media Login: `/ibm/api/social-login/backchannel_logout/{clientId}`
* OpenID Connect Client: `/oidcclient/backchannel_logout/{oidcClientId}`
* Social Media Login: `/ibm/api/social-login/backchannel_logout/{socialLoginId}`

For example, when the OpenID Connect Client feature is enabled, the back-channel logout endpoint is `/oidcclient/backchannel_logout/client01` for the following configuration:
For example, when the OpenID Connect Client feature is enabled, the back-channel logout endpoint is `/oidcclient/backchannel_logout/oidcClientId` for the following configuration:

[source,xml]
----
<featureManager>
<feature>openidConnectClient-1.0</feature>
</featureManager>
...
<openidConnectClient id="client01" ... />
<openidConnectClient id="oidcClientId" ... />
----

Similarly, if the Social Media Login feature is enabled, the back-channel logout endpoint is `/ibm/api/social-login/backchannel_logout/client01` for the following configuration:
Similarly, if the Social Media Login feature is enabled, the back-channel logout endpoint is `/ibm/api/social-login/backchannel_logout/socialLoginId` for the following configuration:

[source,xml]
----
<featureManager>
<feature>socialLogin-1.0</feature>
</featureManager>
...
<oidcLogin id="client01" ... />
<oidcLogin id="socialLoginId" ... />
----

== Back-channel logout support for OpenID Connect servers
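Review bot: the prose and the example config disagree on the Social Media Login element name. The paragraph says back-channel logout is enabled when "an `openidConnectClient` or a `socialLogin` element is defined in the `server.xml` file", but the Social Media Login example below it defines `<oidcLogin id="socialLoginId" ... />`, not a `socialLogin` element. Either name the element the example actually uses (`oidcLogin`) or adjust the example so the two match. Two smaller points in the same hunk: the example ids were changed from `client01` to `oidcClientId` and `socialLoginId`, which are the same words as the `{oidcClientId}` and `{socialLoginId}` placeholders in the endpoint list, so a reader can no longer tell from the example that the last path segment is the configured `id` attribute value rather than a literal; keeping a distinct example id, or adding a sentence such as "where `{oidcClientId}` is the `id` attribute of the `openidConnectClient` element", would make the mapping explicit. Also "When either of these features are enabled" should read "is enabled".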
Expand Down Expand Up @@ -92,11 +92,19 @@ The following `server.xml` file example demonstrates how to specify the back-cha
----


Now, when the OpenID Connect server's logout or `end_session` endpoint is invoked, the OpenID Connect server also sends back-channel logout requests to log out the user at the OpenID Connect clients.
Now, when the OpenID Connect server's logout or `end_session` endpoint is invoked, the OpenID Connect server also sends back-channel logout requests to log out the user at the OpenID Connect clients. The OpenID Connect server's logout endpoint is `/oidc/endpoint/{oidcProviderId}/logout` and the `end_session` endpoint is `/oidc/endpoint/{oidcProviderId}/end_session`. Optionally, you can add an `id_token_hint` query parameter that contains an ID Token that is issued by that OpenID Connect server to the endpoint request as a query parameter to help determine the user to log out. This configuration is useful in scenarios where the logout or `end_session` request is made without the user's OpenID Connect server SSO cookie.

The OpenID Connect server's logout endpoint is `/oidc/endpoint/{oidcProviderId}/logout` and the `end_session` endpoint is `/oidc/endpoint/{oidcProviderId}/end_session`.
For example, if the OpenID Connect server is hosted on `http://localhost:9081` and the user’s OpenID Connect server SSO cookie is available, then invoking either of the following endpoints causes the OpenID Connect server to also send back-channel logout requests to the configured back-channel logout URIs:

Optionally, you can add an `id_token_hint` that contains an ID Token that is issued by that OpenID Connect server to the endpoint request as a query parameter to help determine the user to log out. This configuration is useful in scenarios where the logout or `end_session` request is made without the user's OpenID Connect server SSO cookie. Also, if the OpenID Connect server is configured with a SAML Identity Provider (IdP), a logout at the IdP also triggers sends back-channel logout requests to the OpenID Connect clients.
* Logout endpoint: `http://localhost:9081/oidc/endpoint/{oidcProviderId}/logout`
* End session endpoint: `http://localhost:9081/oidc/endpoint/{oidcProviderId}/end_session`

If the user’s OpenID Connect server SSO cookie is not available, such as when you invoke the endpoints by using a curl command, then an ID token that belongs to the user must be appended to the request by using the `id_token_hint` query parameter.

* Logout endpoint with ID token hint: `http://localhost:9081/oidc/endpoint/{oidcProviderId}/logout?id_token_hint={id_token}`
* End session endpoint with ID token hint: `http://localhost:9081/oidc/endpoint/{oidcProviderId}/end_session?id_token_hint={id_token}`

Also, if the OpenID Connect server is configured with a SAML Identity Provider (IdP) by using the link:https://openliberty.io/docs/latest/reference/feature/samlWeb-2.0.html[SAML Web Single Sign-On] feature, then a logout at the IdP also triggers the OpenID Connect server to send back-channel logout requests to the configured OpenID Connect clients.

For more information about the Open Liberty configuration options, see the following resources:

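Review bot: the new first paragraph says "query parameter" twice in one sentence: "you can add an `id_token_hint` query parameter that contains an ID Token that is issued by that OpenID Connect server to the endpoint request as a query parameter"; drop the trailing "as a query parameter". The later sentence "If the user’s OpenID Connect server SSO cookie is not available, such as when you invoke the endpoints by using a curl command, then an ID token that belongs to the user must be appended to the request" also reads as stronger than the earlier "Optionally, you can add an `id_token_hint`"; consider stating in one place that the hint is optional when the SSO cookie is present and required when it is not, so the two sentences do not appear to contradict each other. The removed text "triggers sends back-channel logout requests" is correctly replaced by "triggers the OpenID Connect server to send back-channel logout requests" in the last paragraph, and the SAML Web Single Sign-On link uses a full `https://openliberty.io/...` URL where the earlier hunk uses `link:{url-prefix}/docs/...`; using the `{url-prefix}` attribute here too would keep the post consistent.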
