From d26dac2f2cebd35fcc010544610e5f74fec16c92 Mon Sep 17 00:00:00 2001 From: David Mueller Date: Tue, 13 Feb 2024 08:57:15 -0500 Subject: [PATCH 1/4] edits --- posts/2024-02-13-24.0.0.2-beta.adoc | 30 ++++++++++++++++++----------- 1 file changed, 19 insertions(+), 11 deletions(-) diff --git a/posts/2024-02-13-24.0.0.2-beta.adoc b/posts/2024-02-13-24.0.0.2-beta.adoc index 353bf0f88..5299d5393 100644 --- a/posts/2024-02-13-24.0.0.2-beta.adoc +++ b/posts/2024-02-13-24.0.0.2-beta.adoc 
@@ -29,12 +29,14 @@ Previously, OpenID Connect servers could notify OpenID Connect clients that a us == Back-channel logout support for OpenID Connect clients -With this release, back-channel logout support for OpenID Connect clients is enabled by default when the link:{url-prefix}/docs/latest/reference/feature/openidConnectClient.html[OpenID Connect Client] and link:{url-prefix}/docs/latest/reference/feature/socialLogin.html[Social Media Login] features are enabled. When either of these features are enabled and an `openidConnectClient` or a `socialLogin` element is defined in the `server.xml` file, back-channel logout endpoints are also automatically enabled on the OpenID Connect client. The OpenID Connect server sends back-channel logout requests to these endpoints to log out the user at the OpenID Connect client. The OpenID Connect server needs the absolute URI of the back-channel logout endpoint to send the back-channel logout requests. The following back-channel logout endpoints are enabled for those features: +With this release, back-channel logout support for OpenID Connect clients is enabled by default when the link:{url-prefix}/docs/latest/reference/feature/openidConnectClient.html[OpenID Connect Client] feature or the link:{url-prefix}/docs/latest/reference/feature/socialLogin.html[Social Media Login] feature is enabled. When either of these features are enabled and an `openidConnectClient` or a `socialLogin` element is defined in the `server.xml` file, back-channel logout endpoints are also automatically enabled on the OpenID Connect client. The OpenID Connect server sends back-channel logout requests to these endpoints to log out the user at the OpenID Connect client. + +The OpenID Connect server needs the absolute URI of the back-channel logout endpoint to send the back-channel logout requests. 
The following back-channel logout endpoints are enabled for those features: * OpenID Connect Client: `/oidcclient/backchannel_logout/{oidcClientId}` * Social Media Login: `/ibm/api/social-login/backchannel_logout/{socialLoginId}` -For example, when the OpenID Connect Client feature is enabled, the back-channel logout endpoint is `/oidcclient/backchannel_logout/oidcClientId` for the following configuration: +For example, the following configuration enables the `/oidcclient/backchannel_logout/oidcClientId` back-channel logout endpoint on the OpenID Connect Client: [source,xml] ---- @@ -45,7 +47,7 @@ For example, when the OpenID Connect Client feature is enabled, the back-channel ---- -Similarly, if the Social Media Login feature is enabled, the back-channel logout endpoint is `/ibm/api/social-login/backchannel_logout/socialLoginId` for the following configuration: +Similarly, the following configuration enables the `/ibm/api/social-login/backchannel_logout/socialLoginId` back-channel logout endpoint on the OpenID Connect Client: [source,xml] ---- 
@@ -58,11 +60,7 @@ Similarly, if the Social Media Login feature is enabled, the back-channel logout == Back-channel logout support for OpenID Connect servers -Two options are available to enable back-channel logout for OpenID Connect servers: - -* Use the `backchannel_logout_uri` metadata value to specify the OpenID Connect client's back-channel logout URI when the OAuth client is dynamically registered by using the OpenID Connect provider's client registration endpoint. - -* Use the `backchannelLogoutUri` attribute for OAuth clients that are defined in a `localStore` element. +To enable back-channel logout for OpenID Connect servers, specify the `backchannelLogoutUri` attribute for OAuth clients that are defined in a `localStore` element in the `server.xml` file. Also, the OpenID Connect server waits for a default of 180 seconds before the back-channel logout request times out. You can specify a custom duration by using the `backchannelLogoutRequestTimeout` attribute for the `openidConnectProvider` element. 
@@ -92,7 +90,13 @@ The following `server.xml` file example demonstrates how to specify the back-cha ---- -Now, when the OpenID Connect server's logout or `end_session` endpoint is invoked, the OpenID Connect server also sends back-channel logout requests to log out the user at the OpenID Connect clients. The OpenID Connect server's logout endpoint is `/oidc/endpoint/{oidcProviderId}/logout` and the `end_session` endpoint is `/oidc/endpoint/{oidcProviderId}/end_session`. Optionally, you can add an `id_token_hint` query parameter that contains an ID Token that is issued by that OpenID Connect server to the endpoint request as a query parameter to help determine the user to log out. This configuration is useful in scenarios where the logout or `end_session` request is made without the user's OpenID Connect server SSO cookie. +Now, when the OpenID Connect server's logout or `end_session` endpoint is invoked, the OpenID Connect server also sends back-channel logout requests to log out the user at the OpenID Connect clients. The OpenID Connect server's logout endpoint is `/oidc/endpoint/{oidcProviderId}/logout` and the `end_session` endpoint is `/oidc/endpoint/{oidcProviderId}/end_session`. In the previous example, the server's logout endpoint is `/oidc/endpoint/OidcConfigSample/logout` and the `end_session` endpoint is `/oidc/endpoint/OidcConfigSample/end_session` + +Alternatively, you can enable back-channel logout for an OpenID Connect server by defining the `backchannel_logout_uri` metadata value to specify the OpenID Connect client's back-channel logout URI when the OAuth client is dynamically registered by using the OpenID Connect provider's client registration endpoint. + +=== Back-channel logout without an OpenID Connect server SSO cookie + +Optionally, you can add an `id_token_hint` query parameter that contains an ID Token that is issued by that OpenID Connect server to the endpoint request as a query parameter to help determine the user to log out. 
This configuration is useful in scenarios where the logout or `end_session` request is made without the user's OpenID Connect server SSO cookie. For example, if the OpenID Connect server is hosted on `\http://localhost:9081` and the user’s OpenID Connect server SSO cookie is available, then invoking either of the following endpoints causes the OpenID Connect server to also send back-channel logout requests to the configured back-channel logout URIs: 
@@ -104,13 +108,17 @@ If the user’s OpenID Connect server SSO cookie is not available, such as when * Logout endpoint with ID token hint: `\http://localhost:9081/oidc/endpoint/{oidcProviderId}/logout?id_token_hint={id_token}` * End session endpoint with ID token hint: `\http://localhost:9081/oidc/endpoint/{oidcProviderId}/end_session?id_token_hint={id_token}` -Also, if the OpenID Connect server is configured with a SAML Identity Provider (IdP) by using the link:https://openliberty.io/docs/latest/reference/feature/samlWeb-2.0.html[SAML Web Single Sign-On] feature, then a logout at the IdP also triggers the OpenID Connect server to send back-channel logout requests to the configured OpenID Connect clients. +=== Back-channel logout for SAML-configured OpenID Connect servers + +Back-channel logout is also enabled for OpenID Connect servers that are configured with a SAML Identity Provider (IdP) by using the link:{url-prefix}/docs/latest/reference/feature/samlWeb-2.0.html[SAML Web Single Sign-On] feature. A logout at the IdP also triggers the OpenID Connect server to send back-channel logout requests to the configured OpenID Connect clients. + +=== Learn more For more information about the Open Liberty configuration options, see the following resources: - link:{url-prefix}/docs/latest/reference/config/openidConnectClient.html[openidConnectClient] - link:{url-prefix}/docs/latest/reference/config/oidcLogin.html[oidcLogin] -- link:{url-prefix}/docs/latest/reference/config/openidConnectProvider.html#oauthProvider[openidConnectProvider] +- link:{url-prefix}/docs/latest/reference/config/openidConnectProvider.html[openidConnectProvider] For more information about the back-channel logout specification, see link:https://openid.net/specs/openid-connect-backchannel-1_0.html[OpenID Connect Back-Channel Logout 1.0]. From 221454c2d08e0b7cec6c6b3236efca9e17e275c5 Mon Sep 17 00:00:00 2001 
From: David Mueller Date: Tue, 13 Feb 2024 10:38:23 -0500 Subject: [PATCH 2/4] Update 2024-02-13-24.0.0.2-beta.adoc --- posts/2024-02-13-24.0.0.2-beta.adoc | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/posts/2024-02-13-24.0.0.2-beta.adoc b/posts/2024-02-13-24.0.0.2-beta.adoc index 5299d5393..357b982cb 100644 --- a/posts/2024-02-13-24.0.0.2-beta.adoc +++ b/posts/2024-02-13-24.0.0.2-beta.adoc @@ -126,9 +126,9 @@ For more information about the back-channel logout specification, see link:https // DO NOT MODIFY THIS LINE. [#run] -=== Try it now +== Try it now -To try out these features, update your build tools to pull the Open Liberty All Beta Features package instead of the main release. The beta works with Java SE 21, Java SE 17, Java SE 11, and Java SE 8. +To try out this feature, update your build tools to pull the Open Liberty All Beta Features package instead of the main release. The beta works with Java SE 21, Java SE 17, Java SE 11, and Java SE 8. // // // // // // // // // In the preceding section: // Check if a new non-LTS Java SE version is supported that needs to be added to the list (17, 11, and 8 are LTS and will remain for a while) From d85cabadfc9bd88596b112720685629a66c08ed2 Mon Sep 17 00:00:00 2001 From: David Mueller <48686014+dmuelle@users.noreply.github.com> Date: Tue, 13 Feb 2024 11:52:08 -0500 Subject: [PATCH 3/4] Update posts/2024-02-13-24.0.0.2-beta.adoc --- posts/2024-02-13-24.0.0.2-beta.adoc | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/posts/2024-02-13-24.0.0.2-beta.adoc b/posts/2024-02-13-24.0.0.2-beta.adoc index 357b982cb..e782d9ba8 100644 --- a/posts/2024-02-13-24.0.0.2-beta.adoc +++ b/posts/2024-02-13-24.0.0.2-beta.adoc 
@@ -47,7 +47,7 @@ For example, the following configuration enables the `/oidcclient/backchannel_lo ---- -Similarly, the following configuration enables the `/ibm/api/social-login/backchannel_logout/socialLoginId` back-channel logout endpoint on the OpenID Connect Client: +Similarly, the following Social Media Login feature configuration enables the `/ibm/api/social-login/backchannel_logout/socialLoginId` back-channel logout endpoint on the OpenID Connect client: [source,xml] ---- From 5cc94a8626946e3085ceafc8ce35b95cf4b7d41f Mon Sep 17 00:00:00 2001 From: David Mueller <48686014+dmuelle@users.noreply.github.com> Date: Tue, 13 Feb 2024 11:52:16 -0500 Subject: [PATCH 4/4] Update posts/2024-02-13-24.0.0.2-beta.adoc --- posts/2024-02-13-24.0.0.2-beta.adoc | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/posts/2024-02-13-24.0.0.2-beta.adoc b/posts/2024-02-13-24.0.0.2-beta.adoc index e782d9ba8..87681b16a 100644 --- a/posts/2024-02-13-24.0.0.2-beta.adoc +++ b/posts/2024-02-13-24.0.0.2-beta.adoc @@ -36,7 +36,7 @@ The OpenID Connect server needs the absolute URI of the back-channel logout endp * OpenID Connect Client: `/oidcclient/backchannel_logout/{oidcClientId}` * Social Media Login: `/ibm/api/social-login/backchannel_logout/{socialLoginId}` -For example, the following configuration enables the `/oidcclient/backchannel_logout/oidcClientId` back-channel logout endpoint on the OpenID Connect Client: +For example, the following OpenID Connect Client feature configuration enables the `/oidcclient/backchannel_logout/oidcClientId` back-channel logout endpoint on the OpenID Connect client: [source,xml] ----
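Review bot: Subject-verb agreement in the hunk at @@ -29 (PATCH 1/4): the retained sentence still reads "When either of these features are enabled", while the line just rewritten above it now says "feature or the ... feature is enabled". Change it to "When either of these features is enabled" so the two sentences agree.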
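Review bot: The "Also," sentence in the hunk at @@ -58 (PATCH 1/4) now dangles: it used to follow a two-item list, but the list collapses to a single sentence, so "Also, the OpenID Connect server waits for a default of 180 seconds ..." no longer continues an enumeration. Suggest starting a new paragraph, e.g. "By default, the OpenID Connect server waits 180 seconds for a back-channel logout request before it times out. To change this duration, set the `backchannelLogoutRequestTimeout` attribute on the `openidConnectProvider` element." Two further points: the rewritten sentence presents `backchannelLogoutUri` in a `localStore` element as the way to enable back-channel logout, although the dynamic-registration option (`backchannel_logout_uri`) is only reintroduced much later in the @@ -92 hunk, so a short forward reference here ("or register the URI at dynamic client registration, described below") would keep the options together; and it would help operators to state whether the timeout applies to each client's request, since a logout that fans out to several clients can otherwise block for longer than one timeout period.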
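Review bot: Missing terminal period and a duplicated phrase in the hunk at @@ -92 (PATCH 1/4): the added sentence "In the previous example, the server's logout endpoint is `/oidc/endpoint/OidcConfigSample/logout` and the `end_session` endpoint is `/oidc/endpoint/OidcConfigSample/end_session`" has no closing period, and the `id_token_hint` sentence says "query parameter" twice ("add an `id_token_hint` query parameter ... to the endpoint request as a query parameter"); drop the second occurrence. The new "=== Back-channel logout without an OpenID Connect server SSO cookie" heading also separates the `id_token_hint` explanation from the sentence "This configuration is useful in scenarios where ..." that immediately follows it in the unchanged context, so re-check that the endpoint examples listed after that sentence still sit under the new heading rather than under the preceding paragraph.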
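Review bot: Wording in the hunk at @@ -104 (PATCH 1/4): "Back-channel logout is also enabled for OpenID Connect servers that are configured with a SAML Identity Provider (IdP)" can be read as meaning the SAML setup alone enables it; if the `backchannelLogoutUri` or `backchannel_logout_uri` configuration from the preceding section is still required, say "also applies to" rather than "is also enabled for". Switching the SAML Web Single Sign-On link from the hardcoded https://openliberty.io URL to `{url-prefix}` and dropping the `#oauthProvider` anchor from the openidConnectProvider link are consistent with the other links in the post.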
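Review bot: Promoting "Try it now" from `===` to `==` in the hunk at @@ -126 (PATCH 2/4) is needed, because the `===` subsections introduced in PATCH 1/4 would otherwise make "Try it now" read as part of the OpenID Connect server section; the `[#run]` anchor and the "DO NOT MODIFY THIS LINE" comment are kept, so existing links to `#run` are unaffected.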
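Review bot: The one-line hunk at @@ -47 (PATCH 3/4) is a fixup of wording introduced in PATCH 1/4 and should be squashed into that commit so the series does not carry the intermediate sentence. The lower-case "OpenID Connect client" is the right choice here: in this post the capitalised form names the feature and the lower-case form names the relying-party role.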
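Review bot: As with PATCH 3/4, the hunk at @@ -36 (PATCH 4/4) should be squashed into PATCH 1/4. With it, the two example lead-ins name the feature whose `server.xml` configuration follows ("OpenID Connect Client feature configuration" and "Social Media Login feature configuration"), which resolves the ambiguity left by PATCH 1/4, where both examples were said to enable an endpoint "on the OpenID Connect Client" without saying which feature each configuration belongs to.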