-
Notifications
You must be signed in to change notification settings - Fork 72
Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
Merge pull request #3565 from OpenLiberty/staging
Publish new case-study tag live
- Loading branch information
Showing
2 changed files
with
214 additions
and
4 deletions.
There are no files selected for viewing
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,204 @@ | ||
| --- | ||
| layout: post | ||
| title: "Back-channel logout support for OpenID Connect clients and servers in 24.0.0.2-beta" | ||
| # Do NOT change the categories section | ||
| categories: blog | ||
| author_picture: https://avatars3.githubusercontent.com/dmuelle | ||
| author_github: https://github.com/dmuelle | ||
| seo-title: Back-channel logout support for OpenID Connect clients and servers in 24.0.0.2-beta - OpenLiberty.io | ||
| seo-description: OpenID Connect clients and servers in Open Liberty now support back-channel logout. Back-channel logout allows OpenID Connect servers to directly notify OpenID Connect clients of a user logout so each OpenID Connect client can also log the user out locally. | ||
| blog_description: OpenID Connect clients and servers in Open Liberty now support back-channel logout. Back-channel logout allows OpenID Connect servers to directly notify OpenID Connect clients of a user logout so each OpenID Connect client can also log the user out locally. | ||
| open-graph-image: https://openliberty.io/img/twitter_card.jpg | ||
| open-graph-image-alt: Open Liberty Logo | ||
| --- | ||
| = Back-channel logout support for OpenID Connect clients and servers in 24.0.0.2-beta | ||
| David Mueller <https://github.com/dmuelle> | ||
| :imagesdir: / | ||
| :url-prefix: | ||
| :url-about: / | ||
| //Blank line here is necessary before starting the body of the post | ||
|
|
||
| OpenID Connect clients and servers in Open Liberty now support back-channel logout. Back-channel logout allows OpenID Connect servers to directly notify OpenID Connect clients of a user logout so each OpenID Connect client can also log the user out locally. | ||
|
|
||
| // // // // DO NOT MODIFY THIS COMMENT BLOCK <GHA-BLOG-TOPIC> // // // // | ||
| // Blog issue: https://github.com/OpenLiberty/open-liberty/issues/27362 | ||
| // Contact/Reviewer: jimmy1wu | ||
| // // // // // // // // | ||
|
|
||
| Previously, OpenID Connect servers could notify OpenID Connect clients that a user logged out only by using iframes that were embedded in the OpenID Connect client's web page. If the web page wasn't active, the OpenID Connect client wasn't notified of the logout that occurred on the OpenID Connect server. Back-channel logout solves this problem through direct communication between the OpenID Connect server and clients. | ||
|
|
||
| == Back-channel logout support for OpenID Connect clients | ||
|
|
||
| With this release, back-channel logout support for OpenID Connect clients is enabled by default when the link:{url-prefix}/docs/latest/reference/feature/openidConnectClient.html[OpenID Connect Client] and link:{url-prefix}/docs/latest/reference/feature/socialLogin.html[Social Media Login] features are enabled. When either of these features are enabled and an `openidConnectClient` or a `socialLogin` element is defined in the `server.xml` file, back-channel logout endpoints are also automatically enabled on the OpenID Connect client. The OpenID Connect server sends back-channel logout requests to these endpoints to log out the user at the OpenID Connect client. The OpenID Connect server needs the absolute URI of the back-channel logout endpoint to send the back-channel logout requests. The following back-channel logout endpoints are enabled for those features: | ||
|
|
||
| * OpenID Connect Client: `/oidcclient/backchannel_logout/{oidcClientId}` | ||
| * Social Media Login: `/ibm/api/social-login/backchannel_logout/{socialLoginId}` | ||
|
|
||
| For example, when the OpenID Connect Client feature is enabled, the back-channel logout endpoint is `/oidcclient/backchannel_logout/oidcClientId` for the following configuration: | ||
|
|
||
| [source,xml] | ||
| ---- | ||
| <featureManager> | ||
| <feature>openidConnectClient-1.0</feature> | ||
| </featureManager> | ||
| ... | ||
| <openidConnectClient id="oidcClientId" ... /> | ||
| ---- | ||
|
|
||
| Similarly, if the Social Media Login feature is enabled, the back-channel logout endpoint is `/ibm/api/social-login/backchannel_logout/socialLoginId` for the following configuration: | ||
|
|
||
| [source,xml] | ||
| ---- | ||
| <featureManager> | ||
| <feature>socialLogin-1.0</feature> | ||
| </featureManager> | ||
| ... | ||
| <oidcLogin id="socialLoginId" ... /> | ||
| ---- | ||
|
|
||
| == Back-channel logout support for OpenID Connect servers | ||
|
|
||
| Two options are available to enable back-channel logout for OpenID Connect servers: | ||
|
|
||
| * Use the `backchannel_logout_uri` metadata value to specify the OpenID Connect client's back-channel logout URI when the OAuth client is dynamically registered by using the OpenID Connect provider's client registration endpoint. | ||
|
|
||
| * Use the `backchannelLogoutUri` attribute for OAuth clients that are defined in a `localStore` element. | ||
|
|
||
| Also, the OpenID Connect server waits for a default of 180 seconds before the back-channel logout request times out. You can specify a custom duration by using the `backchannelLogoutRequestTimeout` attribute for the `openidConnectProvider` element. | ||
|
|
||
| The following `server.xml` file example demonstrates how to specify the back-channel logout URI that an OpenID Connect server uses to make back-channel logout requests, with a timeout of 60 seconds. | ||
|
|
||
| [source,xml] | ||
| ---- | ||
| <featureManager> | ||
| <feature>openidConnectServer-1.0</feature> | ||
| </featureManager> | ||
| ... | ||
| <openidConnectProvider | ||
| id="OidcConfigSample" | ||
| backchannelLogoutRequestTimeout="60s" | ||
| oauthProviderRef="OAuthConfigSample" ... /> | ||
| <oauthProvider id="OAuthConfigSample" ... > | ||
| <localStore> | ||
| <client | ||
| name="client01" | ||
| backchannelLogoutUri="http://localhost:9080/oidcclient/backchannel_logout/client01" | ||
| ... /> | ||
| </localStore> | ||
| </oauthProvider> | ||
| ---- | ||
|
|
||
|
|
||
| Now, when the OpenID Connect server's logout or `end_session` endpoint is invoked, the OpenID Connect server also sends back-channel logout requests to log out the user at the OpenID Connect clients. The OpenID Connect server's logout endpoint is `/oidc/endpoint/{oidcProviderId}/logout` and the `end_session` endpoint is `/oidc/endpoint/{oidcProviderId}/end_session`. Optionally, you can add an `id_token_hint` query parameter that contains an ID Token that is issued by that OpenID Connect server to the endpoint request as a query parameter to help determine the user to log out. This configuration is useful in scenarios where the logout or `end_session` request is made without the user's OpenID Connect server SSO cookie. | ||
|
|
||
| For example, if the OpenID Connect server is hosted on `http://localhost:9081` and the user’s OpenID Connect server SSO cookie is available, then invoking either of the following endpoints causes the OpenID Connect server to also send back-channel logout requests to the configured back-channel logout URIs: | ||
|
|
||
| * Logout endpoint: `http://localhost:9081/oidc/endpoint/{oidcProviderId}/logout` | ||
| * End session endpoint: `http://localhost:9081/oidc/endpoint/{oidcProviderId}/end_session` | ||
|
|
||
| If the user’s OpenID Connect server SSO cookie is not available, such as when you invoke the endpoints by using a curl command, then an ID token that belongs to the user must be appended to the request by using the `id_token_hint` query parameter. | ||
|
|
||
| * Logout endpoint with ID token hint: `http://localhost:9081/oidc/endpoint/{oidcProviderId}/logout?id_token_hint={id_token}` | ||
| * End session endpoint with ID token hint: `http://localhost:9081/oidc/endpoint/{oidcProviderId}/end_session?id_token_hint={id_token}` | ||
|
|
||
| Also, if the OpenID Connect server is configured with a SAML Identity Provider (IdP) by using the link:https://openliberty.io/docs/latest/reference/feature/samlWeb-2.0.html[SAML Web Single Sign-On] feature, then a logout at the IdP also triggers the OpenID Connect server to send back-channel logout requests to the configured OpenID Connect clients. | ||
|
|
||
| For more information about the Open Liberty configuration options, see the following resources: | ||
|
|
||
| - link:{url-prefix}/docs/latest/reference/config/openidConnectClient.html[openidConnectClient] | ||
| - link:{url-prefix}/docs/latest/reference/config/oidcLogin.html[oidcLogin] | ||
| - link:{url-prefix}/docs/latest/reference/config/openidConnectProvider.html#oauthProvider[openidConnectProvider] | ||
|
|
||
| For more information about the back-channel logout specification, see link:https://openid.net/specs/openid-connect-backchannel-1_0.html[OpenID Connect Back-Channel Logout 1.0]. | ||
|
|
||
|
|
||
| // DO NOT MODIFY THIS LINE. </GHA-BLOG-TOPIC> | ||
|
|
||
| [#run] | ||
| === Try it now | ||
|
|
||
| To try out these features, update your build tools to pull the Open Liberty All Beta Features package instead of the main release. The beta works with Java SE 21, Java SE 17, Java SE 11, and Java SE 8. | ||
| // // // // // // // // | ||
| // In the preceding section: | ||
| // Check if a new non-LTS Java SE version is supported that needs to be added to the list (17, 11, and 8 are LTS and will remain for a while) | ||
| // https://openliberty.io/docs/latest/java-se.html | ||
| // // // // // // // // | ||
|
|
||
| If you're using link:{url-prefix}/guides/maven-intro.html[Maven], you can install the All Beta Features package by using: | ||
|
|
||
| [source,xml] | ||
| ---- | ||
| <plugin> | ||
| <groupId>io.openliberty.tools</groupId> | ||
| <artifactId>liberty-maven-plugin</artifactId> | ||
| <version>3.10</version> | ||
| <configuration> | ||
| <runtimeArtifact> | ||
| <groupId>io.openliberty.beta</groupId> | ||
| <artifactId>openliberty-runtime</artifactId> | ||
| <version>24.0.0.2-beta</version> | ||
| <type>zip</type> | ||
| </runtimeArtifact> | ||
| </configuration> | ||
| </plugin> | ||
| ---- | ||
|
|
||
| You must also add dependencies to your pom.xml file for the beta version of the APIs that are associated with the beta features that you want to try. For example, for Jakarta EE 10 and MicroProfile 6, you would include: | ||
| [source,xml] | ||
| ---- | ||
| <dependency> | ||
| <groupId>org.eclipse.microprofile</groupId> | ||
| <artifactId>microprofile</artifactId> | ||
| <version>6.0-RC3</version> | ||
| <type>pom</type> | ||
| <scope>provided</scope> | ||
| </dependency> | ||
| <dependency> | ||
| <groupId>jakarta.platform</groupId> | ||
| <artifactId>jakarta.jakartaee-api</artifactId> | ||
| <version>10.0.0</version> | ||
| <scope>provided</scope> | ||
| </dependency> | ||
| ---- | ||
|
|
||
| Or for link:{url-prefix}/guides/gradle-intro.html[Gradle]: | ||
|
|
||
| [source,gradle] | ||
| ---- | ||
| buildscript { | ||
| repositories { | ||
| mavenCentral() | ||
| } | ||
| dependencies { | ||
| classpath 'io.openliberty.tools:liberty-gradle-plugin:3.8' | ||
| } | ||
| } | ||
| apply plugin: 'liberty' | ||
| dependencies { | ||
| libertyRuntime group: 'io.openliberty.beta', name: 'openliberty-runtime', version: '[24.0.0.2-beta,)' | ||
| } | ||
| ---- | ||
|
|
||
|
|
||
| Or if you're using link:{url-prefix}/docs/latest/container-images.html[container images]: | ||
|
|
||
| [source] | ||
| ---- | ||
| FROM icr.io/appcafe/open-liberty:beta | ||
| ---- | ||
|
|
||
| Or take a look at our link:{url-prefix}/downloads/#runtime_betas[Downloads page]. | ||
|
|
||
| If you're using link:https://plugins.jetbrains.com/plugin/14856-liberty-tools[IntelliJ IDEA], link:https://marketplace.visualstudio.com/items?itemName=Open-Liberty.liberty-dev-vscode-ext[Visual Studio Code] or link:https://marketplace.eclipse.org/content/liberty-tools[Eclipse IDE], you can also take advantage of our open source link:https://openliberty.io/docs/latest/develop-liberty-tools.html[Liberty developer tools]. These tools enable effective development, testing, debugging, and application management all from within your IDE. | ||
|
|
||
| For more information on using a beta release, refer to the link:{url-prefix}docs/latest/installing-open-liberty-betas.html[Installing Open Liberty beta releases] documentation. | ||
|
|
||
| See also link:{url-prefix}/blog/?search=beta&key=tag[previous Open Liberty beta blog posts]. | ||
|
|
||
| [#feedback] | ||
| == We welcome your feedback | ||
|
|
||
| Let us know what you think on link:https://groups.io/g/openliberty[our mailing list]. If you hit a problem, link:https://stackoverflow.com/questions/tagged/open-liberty[post a question on StackOverflow]. If you hit a bug, link:https://github.com/OpenLiberty/open-liberty/issues[please raise an issue]. |