
I'm working on a Java Spring Boot project that manages users and sessions internally. It relies on OIDC, AWS Cognito being the Identity Provider, for sign-in and, I would hope, sign-out of the users. What I understand from the OIDC Spec for backchannel logout is that:

  1. I must provide an endpoint for logout in my backend application. I am using Pac4J as my OIDC library in a Java Spring Boot application, and have enabled the logout endpoint as per the Pac4J Spring Security documentation.

  2. The Identity Provider (AWS Cognito) should send a request to the logout endpoint if the user is signed out from the Identity Provider.

  3. When I receive a valid call (as per the OIDC spec) on this endpoint, I must destroy the user's session with my application.

However, the user being logged out of the Identity Provider (AWS Cognito) does not seem to result in a call to the logout endpoint of my application.

I am unable to find documentation for this backchannel behaviour in the AWS Cognito docs.

  1. Have I understood the backchannel logout correctly?
  2. Is this currently unsupported as OIDC logout is still (as of March 12, 2019) in draft status?
Tobias Roland
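As an added illustration of what steps 2 and 3 above require of the endpoint (this is example code, not the question's project, Pac4J or Cognito code): the provider POSTs a signed logout token; the endpoint verifies the signature and the claim rules from the Back-Channel Logout spec (iss, aud, iat, jti, the backchannel-logout event, sub or sid present, nonce absent), rejects replays by jti, and then destroys the matching local sessions. It assumes an HS256 shared secret in place of the provider's RS256 key from its JWKS, a dict as the session store, and placeholder issuer and client id values.

```python
import base64, hashlib, hmac, json, time

BACKCHANNEL_EVENT = "http://schemas.openid.net/event/backchannel-logout"

def _b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()
def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def _require(cond, msg):
    if not cond:
        raise ValueError(msg)

def make_logout_token(claims: dict, key: bytes) -> str:
    """Constructed HS256 logout token standing in for the provider's RS256-signed one."""
    header = _b64url_encode(json.dumps({"alg": "HS256"}).encode())
    body = _b64url_encode(json.dumps(claims).encode())
    sig = hmac.new(key, f"{header}.{body}".encode(), hashlib.sha256).digest()
    return f"{header}.{body}.{_b64url_encode(sig)}"

def verify_logout_token(token: str, key: bytes, issuer: str, client_id: str, now=None) -> dict:
    """Signature check plus the Back-Channel Logout 1.0 claim rules; ValueError on any failure."""
    header, body, sig = token.split(".")
    # Pin the expected algorithm rather than trusting the token's own alg header.
    _require(json.loads(_b64url_decode(header)).get("alg") == "HS256", "unexpected alg")
    expected = hmac.new(key, f"{header}.{body}".encode(), hashlib.sha256).digest()
    _require(hmac.compare_digest(expected, _b64url_decode(sig)), "bad signature")
    claims = json.loads(_b64url_decode(body))
    aud = claims.get("aud") if isinstance(claims.get("aud"), list) else [claims.get("aud")]
    now = time.time() if now is None else now
    _require(claims.get("iss") == issuer and client_id in aud, "iss/aud mismatch")
    _require(isinstance(claims.get("iat"), (int, float)) and now - claims["iat"] <= 300, "iat missing or too old")
    _require("jti" in claims, "missing jti")
    _require(BACKCHANNEL_EVENT in (claims.get("events") or {}), "missing backchannel-logout event")
    _require("sub" in claims or "sid" in claims, "logout token needs sub or sid")
    _require("nonce" not in claims, "nonce is prohibited in a logout token")
    return claims

def handle_backchannel_logout(token, key, issuer, client_id, sessions, seen_jti, now=None):
    """Endpoint logic: validate, reject replays, then drop sessions (by sid, else all of the sub's)."""
    claims = verify_logout_token(token, key, issuer, client_id, now)
    _require(claims["jti"] not in seen_jti, "replayed logout token")
    seen_jti.add(claims["jti"])
    sid, sub = claims.get("sid"), claims.get("sub")
    doomed = [s for s, v in sessions.items()
              if (v.get("sid") == sid if sid else v.get("sub") == sub)]
    for s in doomed:
        sessions.pop(s)
    return doomed
```

The endpoint should answer 200 on success and 400 on any ValueError, and the jti set needs to persist at least as long as the accepted token age.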

1 Answer


I contacted the main developer of Pac4J who was very prompt to reply.

AWS Cognito:

  • Currently does not seem to support backchannel logout

Pac4J:

  • Backchannel logout is currently not supported by the library for OIDC, and it isn't on the roadmap either: https://groups.google.com/forum/?fromgroups#!topic/pac4j-users/SD_IgKVZWvM. The /logout referenced in the documentation is for internal (to the app) logout + (if configured) forwarding a logout request to the identity provider. It is NOT an OIDC-backchannel-logout endpoint.
Tobias Roland
  • I do not know AWS Cognito, but the same exists in the Google OIDC provider and I think it is up to the developer how to implement sign-out. As a delegating authentication provider, the OIDC provider authenticates the user, but it's our app's responsibility to create a session and persist authentication state. Although we can use the revocation endpoint in Google to make the access token invalid. – Mehdi Mowlavi Apr 15 '22 at 15:17