Understanding OIDC back-channel logout

Learn how OIDC back-channel logout works and why it is important in modern identity solutions.
Charles, Developer
June 12, 2024 · 3 min read

Background

Ensuring user security and privacy is a topic that never gets old. Social sign-in is now widely adopted as a sign-in method because of its simplicity and seamless experience. However, what happens if you log out of the social identity provider? Can the other online services that use your social identity be logged out at the same time?

One essential feature of OpenID Connect (OIDC), the back-channel logout, offers a robust solution to address this requirement, enhancing user security by enabling logout simultaneously across various applications.

What is OIDC back-channel logout?

OIDC back-channel logout is a mechanism designed to ensure that when a user logs out from an identity provider (IdP), they are also logged out from all the associated relying parties (RPs) or applications.

The back-channel logout operates through direct server-to-server “back-channel” communication, allowing the identity provider to notify all registered client applications about the user's logout event. Consequently, client applications can promptly terminate the user's sessions and perform any necessary cleanup actions.

How does back-channel logout work?

The back-channel logout process involves several steps:

  1. User initiates logout: The user initiates a logout from the identity provider.
  2. IdP sends logout token: The IdP generates a logout token and sends it to all the registered RPs through a direct back-channel request.
  3. RP processes logout: Each RP receives the logout token, validates it, and terminates the user session.
  4. Confirmation to IdP: The RP may send a confirmation back to the IdP, acknowledging the successful logout.
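Steps 2 to 4 as seen from the RP's logout endpoint, as an added example (not Logto's code and not from the original post): it verifies the logout token's signature and the claims defined in the OpenID Connect Back-Channel Logout 1.0 specification, ends the matching sessions, and answers 200 or 400. Assumptions: the function names, the RS256-only policy, the in-memory `sessions` Map and `seenJti` Set, and the throwaway key pair are all hypothetical stand-ins for the RP's real configuration and stores.

```javascript
const crypto = require("node:crypto");

const LOGOUT_EVENT = "http://schemas.openid.net/event/backchannel-logout";
const b64url = (v) => Buffer.from(v).toString("base64url");
const decode = (part) => JSON.parse(Buffer.from(part, "base64url").toString("utf8"));

// Returns { sub, sid } identifying the session(s) to end; throws on any failed check.
function validateLogoutToken(token, { issuer, clientId, publicKey, seenJti, now = Date.now() / 1000 }) {
  const parts = token.split(".");
  if (parts.length !== 3) throw new Error("malformed JWT");
  const [h, p, s] = parts;
  // Pin the algorithm the RP registered; never let the token choose it (e.g. "none").
  if (decode(h).alg !== "RS256") throw new Error("unexpected alg");
  if (!crypto.verify("RSA-SHA256", Buffer.from(`${h}.${p}`), publicKey, Buffer.from(s, "base64url")))
    throw new Error("bad signature");
  const c = decode(p);
  if (c.iss !== issuer) throw new Error("wrong issuer");
  if (![].concat(c.aud).includes(clientId)) throw new Error("wrong audience");
  if (typeof c.iat !== "number" || !(c.exp > now)) throw new Error("missing iat or expired");
  if (!c.sub && !c.sid) throw new Error("no sub or sid");
  const ev = c.events && c.events[LOGOUT_EVENT];
  if (typeof ev !== "object" || ev === null) throw new Error("not a logout event");
  if ("nonce" in c) throw new Error("nonce must not be present");
  if (!c.jti || seenJti.has(c.jti)) throw new Error("missing or replayed jti");
  seenJti.add(c.jti);
  return { sub: c.sub, sid: c.sid };
}

// Endpoint logic: body is application/x-www-form-urlencoded with a logout_token field.
// `sessions` is a hypothetical in-memory Map of sid -> sub. Returns the HTTP status.
function handleBackchannelLogout(formBody, sessions, opts) {
  try {
    const token = new URLSearchParams(formBody).get("logout_token") || "";
    const { sub, sid } = validateLogoutToken(token, opts);
    for (const [id, owner] of sessions) if (sid ? id === sid : owner === sub) sessions.delete(id);
    return 200;
  } catch {
    return 400;
  }
}

// Constructed fixtures: throwaway IdP key pair and signer, so the example runs offline.
const idpKeys = crypto.generateKeyPairSync("rsa", { modulusLength: 2048 });
function signLogoutToken(claims, header = { alg: "RS256", typ: "logout+jwt" }) {
  const input = `${b64url(JSON.stringify(header))}.${b64url(JSON.stringify(claims))}`;
  return `${input}.${crypto.sign("RSA-SHA256", Buffer.from(input), idpKeys.privateKey).toString("base64url")}`;
}
```

A token carrying `sid` ends only that session, while a token carrying only `sub` ends every session of that user; in production the `jti` cache and session store would be shared across RP instances.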

Benefits and impact

The back-channel logout feature offers several benefits for both users and service providers:

  • Enhanced user security: Users can enjoy improved security and privacy, knowing that their sessions are promptly terminated across all connected applications upon logout.
  • Simplified user experience: The seamless logout experience reduces user friction and enhances usability, fostering trust and satisfaction.
  • Compliance with security standards: Adoption of OIDC back-channel logout aligns with industry best practices and regulatory requirements, demonstrating a commitment to robust security practices.

I need this feature. Does Logto support it already?

We are actively testing this feature, and it will be available on both Logto Cloud and the Logto open-source version. Please stay tuned for our future updates.

Conclusion

OIDC back-channel logout is an essential feature in modern identity solutions, giving users greater control over their online security and privacy. By adopting this mechanism, organizations can provide a seamless and secure logout experience that safeguards their users' online activities.