
Recently I got interested in OpenId Connect related topics.

OpenId Connect Front-Channel logout is a way to inform all applications which use browser session that logout happened in one of them.

Since the solution uses iframes and third-party cookies, there is a risk that it will not be supported in the future. Some browsers already block third-party cookies, and some are planning to do so in future releases.

I have heard that there is an alternative to Front-Channel logout called 'logout redirect chain'. I couldn't really find any information about this approach on the web.

Do you know if it is something available in the OpenId Connect documentation, or is it a kind of custom approach on top of OpenId Connect?

Thanks in advance!

michals

1 Answer


I am glad I am not the only one with this question. I am implementing my own OP server and it seems that the only way front-channel logout and the session management would work with iframes is where both RP and OP are on the same domain. I guess this is why most OP providers have an option to configure a custom sub-domain (e.g. sso.mycompany.com pointing to some-oidc-provider.com).

I am experimenting with a solution where the OP "remembers" a list of RPs that need to perform logout. When the logout is initiated from OP, the OP redirects the browser to the first RP on the list. The requirement here is that the RP redirects back to the OP, where the OP marks that RP as visited then continues a new redirect to the next RP on that list until all logout URLs are visited. I guess you could call it a logout redirect chain.

The method above is of course not pretty and also not conforming to the specs but I hope I can make it work for clients that can't/won't have a sub-domain pointing to my OP server.

gevik