From 1d8481ee1bca1e4f1ed14d5cce67e71cc7c4dc58 Mon Sep 17 00:00:00 2001 From: David Mueller Date: Mon, 12 Feb 2024 12:58:09 -0500 Subject: [PATCH] Update 2024-02-13-24.0.0.2-beta.adoc --- posts/2024-02-13-24.0.0.2-beta.adoc | 28 ++++++++++++++++++---------- 1 file changed, 18 insertions(+), 10 deletions(-) diff --git a/posts/2024-02-13-24.0.0.2-beta.adoc b/posts/2024-02-13-24.0.0.2-beta.adoc index d966af4e9..2d423b4c9 100644 --- a/posts/2024-02-13-24.0.0.2-beta.adoc +++ b/posts/2024-02-13-24.0.0.2-beta.adoc 
@@ -29,12 +29,12 @@ Previously, OpenID Connect servers could notify OpenID Connect clients that a us == Back-channel logout support for OpenID Connect clients -With this release, back-channel logout support for OpenID clients is enabled by default when the link:{url-prefix}/docs/latest/reference/feature/openidConnectClient.html[OpenID Connect Client] and link:{url-prefix}/docs/latest/reference/feature/socialLogin.html[Social Media Login] features are enabled. When either of these features are enabled and an `openidConnectClient` or a `socialLogin` element is defined in the `server.xml` file, back-channel logout endpoints are also automatically enabled on the OpenID Connect client. The OpenID Connect server sends back-channel logout requests to these endpoints to log out the user at the OpenID Connect client. The OpenID Connect server needs the absolute URI of the back-channel logout endpoint to send the back-channel logout requests. The following back-channel logout endpoints are enabled for those features: +With this release, back-channel logout support for OpenID Connect clients is enabled by default when the link:{url-prefix}/docs/latest/reference/feature/openidConnectClient.html[OpenID Connect Client] and link:{url-prefix}/docs/latest/reference/feature/socialLogin.html[Social Media Login] features are enabled. When either of these features are enabled and an `openidConnectClient` or a `socialLogin` element is defined in the `server.xml` file, back-channel logout endpoints are also automatically enabled on the OpenID Connect client. The OpenID Connect server sends back-channel logout requests to these endpoints to log out the user at the OpenID Connect client. The OpenID Connect server needs the absolute URI of the back-channel logout endpoint to send the back-channel logout requests. 
The following back-channel logout endpoints are enabled for those features: -* OpenID Connect Client: `/oidcclient/backchannel_logout/{clientId}` -* Social Media Login: `/ibm/api/social-login/backchannel_logout/{clientId}` +* OpenID Connect Client: `/oidcclient/backchannel_logout/{oidcClientId}` +* Social Media Login: `/ibm/api/social-login/backchannel_logout/{socialLoginId}` -For example, when the OpenID Connect Client feature is enabled, the back-channel logout endpoint is `/oidcclient/backchannel_logout/client01` for the following configuration: +For example, when the OpenID Connect Client feature is enabled, the back-channel logout endpoint is `/oidcclient/backchannel_logout/oidcClientId` for the following configuration: [source,xml] ---- @@ -42,10 +42,10 @@ For example, when the OpenID Connect Client feature is enabled, the back-channel openidConnectClient-1.0 ... - + ---- -Similarly, if the Social Media Login feature is enabled, the back-channel logout endpoint is `/ibm/api/social-login/backchannel_logout/client01` for the following configuration: +Similarly, if the Social Media Login feature is enabled, the back-channel logout endpoint is `/ibm/api/social-login/backchannel_logout/socialLoginId` for the following configuration: [source,xml] ---- @@ -53,7 +53,7 @@ Similarly, if the Social Media Login feature is enabled, the back-channel logout socialLogin-1.0 ... - + ---- == Back-channel logout support for OpenID Connect servers 
@@ -92,11 +92,19 @@ The following `server.xml` file example demonstrates how to specify the back-cha ---- -Now, when the OpenID Connect server's logout or `end_session` endpoint is invoked, the OpenID Connect server also sends back-channel logout requests to log out the user at the OpenID Connect clients. +Now, when the OpenID Connect server's logout or `end_session` endpoint is invoked, the OpenID Connect server also sends back-channel logout requests to log out the user at the OpenID Connect clients. The OpenID Connect server's logout endpoint is `/oidc/endpoint/{oidcProviderId}/logout` and the `end_session` endpoint is `/oidc/endpoint/{oidcProviderId}/end_session`. Optionally, you can add an `id_token_hint` query parameter that contains an ID Token that is issued by that OpenID Connect server to the endpoint request as a query parameter to help determine the user to log out. This configuration is useful in scenarios where the logout or `end_session` request is made without the user's OpenID Connect server SSO cookie. -The OpenID Connect server's logout endpoint is `/oidc/endpoint/{oidcProviderId}/logout` and the `end_session` endpoint is `/oidc/endpoint/{oidcProviderId}/end_session`. +For example, if the OpenID Connect server is hosted on `http://localhost:9081` and the user’s OpenID Connect server SSO cookie is available, then invoking either of the following endpoints causes the OpenID Connect server to also send back-channel logout requests to the configured back-channel logout URIs: -Optionally, you can add an `id_token_hint` that contains an ID Token that is issued by that OpenID Connect server to the endpoint request as a query parameter to help determine the user to log out. This configuration is useful in scenarios where the logout or `end_session` request is made without the user's OpenID Connect server SSO cookie. 
Also, if the OpenID Connect server is configured with a SAML Identity Provider (IdP), a logout at the IdP also triggers sends back-channel logout requests to the OpenID Connect clients. +* Logout endpoint: `http://localhost:9081/oidc/endpoint/{oidcProviderId}/logout` +* End session endpoint: `http://localhost:9081/oidc/endpoint/{oidcProviderId}/end_session` + +If the user’s OpenID Connect server SSO cookie is not available, such as when you invoke the endpoints by using a curl command, then an ID token that belongs to the user must be appended to the request by using the `id_token_hint` query parameter. + +* Logout endpoint with ID token hint: `http://localhost:9081/oidc/endpoint/{oidcProviderId}/logout?id_token_hint={id_token}` +* End session endpoint with ID token hint: `http://localhost:9081/oidc/endpoint/{oidcProviderId}/end_session?id_token_hint={id_token}` + +Also, if the OpenID Connect server is configured with a SAML Identity Provider (IdP) by using the link:https://openliberty.io/docs/latest/reference/feature/samlWeb-2.0.html[SAML Web Single Sign-On] feature, then a logout at the IdP also triggers the OpenID Connect server to send back-channel logout requests to the configured OpenID Connect clients. For more information about the Open Liberty configuration options, see the following resources:
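Review bot: in the first hunk (`@@ -29,12 +29,12 @@`), the bullet list now uses brace placeholders (`{oidcClientId}`, `{socialLoginId}`), but the example sentence under it changes the concrete path to `/oidcclient/backchannel_logout/oidcClientId` without braces, so it reads as if the literal path segment is the string `oidcClientId`. Either keep a concrete value that matches the configuration that follows (the old text used `client01`) or write it as `{oidcClientId}` so the reader knows it is a value to substitute from their own configuration. Also, "When either of these features are enabled" should read "is enabled".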
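Review bot: in the second hunk (`@@ -42,10 +42,10 @@`), the same placeholder problem appears: `/ibm/api/social-login/backchannel_logout/socialLoginId` reads as a literal path, while the bullet above uses `{socialLoginId}`. Use the same notation in both places, and since the replaced XML element line in this hunk is not rendered in this view, please double-check that the identifier in that element is the one the example path uses.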
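Review bot: in the third hunk (`@@ -53,7 +53,7 @@`), the only change is the XML element line, whose content is not visible here; confirm that the identifier in the new element agrees with the `socialLoginId` segment used in the example sentence above it, otherwise the example and the configuration will disagree after this edit.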
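Review bot: in the last hunk (`@@ -92,11 +92,19 @@`), the new example URLs place an ID token in the query string (`?id_token_hint={id_token}`) over plain `http://localhost:9081`; query strings are routinely recorded in server, proxy and shell history logs, so the examples should use `https://` and carry a short caveat that the `id_token_hint` value contains the user's identity claims and should not be sent over an unencrypted connection or left in logs. Smaller points: "add an `id_token_hint` query parameter ... to the endpoint request as a query parameter" says "query parameter" twice; the added lines mix straight (`user's`) and curly (`user’s`) apostrophes; and the SAML feature link uses an absolute `https://openliberty.io/...` URL where the rest of the post uses `link:{url-prefix}/docs/...`.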