OIDC back-channel logout
The OIDC back-channel logout process is designed to enhance security by allowing logout requests to be handled server-to-server, independent of the customer's browser. This method ensures that logout requests are reliably received and processed by all applications, even if the customer's browser is closed or experiencing issues. The back-channel logout provides a robust mechanism to terminate customer sessions across multiple applications, ensuring comprehensive session management.
How it works
Implementation at Strivacity
Back-channel logout URLs are configured per client under Applications → Clients → Edit client → OAuth2/OIDC.
When account sessions are cleared, Strivacity sends an HTTP POST request to each configured back-channel logout URL. The request contains a logout_token parameter that allows the application to identify and terminate the corresponding brand-side customer session.
API call
Back-channel logout can be initiated by clearing a customer's sessions through Strivacity's Clear sessions for an account endpoint.
To clear all sessions for an account, make a DELETE request using the following syntax:
https://{tenant}/admin/api/v1/identityStores/{identityStoreName}/accounts/{accountId}/sessions
To initiate this call, the write permission on the account object is required. This can be set in the API security policy.
The logout token
The logout_token is a signed token generated by the IdP (Strivacity, in this case) and sent to registered back-channel logout endpoints. Brand-side applications validate the token and use the information it contains to identify and terminate the associated customer session.
Logout process
In this process, application refers to a brand-side application that uses Strivacity as its identity provider.
- An administrator clears the customer's sessions using the Admin Console or the Clear sessions for an account API endpoint.
- Strivacity generates a logout_token for each affected application.
- Strivacity sends an HTTP POST request containing the logout_token to the registered back-channel logout URL of each application.
- Each application validates the token and terminates the corresponding brand-side customer session.
- Because the process is server-to-server, no logout confirmation is sent through the customer's browser.
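The validation an application's back-channel logout endpoint performs before it terminates a session, as an added example that is not Strivacity's code: it checks the signature and then the claims the OpenID Connect Back-Channel Logout specification requires (iss, aud, iat, jti, the backchannel-logout event, no nonce, sub or sid) and ends the matching session(s). The HS256 shared secret, the sign_demo_token stand-in for the IdP, the issuer URL, client ID and in-memory session store are assumptions for a self-contained demo; a real deployment verifies the signature against the identity provider's published signing keys.

```python
import base64, hashlib, hmac, json, time
LOGOUT_EVENT = "http://schemas.openid.net/event/backchannel-logout"

def _unb64url(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def sign_demo_token(claims: dict, secret: bytes) -> str:
    # Stand-in for the IdP signer (a demo assumption, not Strivacity's code): HS256 over header.payload
    b64 = lambda b: base64.urlsafe_b64encode(b).rstrip(b"=").decode()
    header, payload = b64(b'{"alg":"HS256"}'), b64(json.dumps(claims).encode())
    sig = hmac.new(secret, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{b64(sig)}"

def verify_signature(token: str, secret: bytes) -> dict:
    header, payload, sig = token.split(".")  # raises ValueError on a malformed token
    if json.loads(_unb64url(header)).get("alg") != "HS256":  # accept only the alg registered for this client
        raise ValueError("unexpected alg")
    expected = hmac.new(secret, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _unb64url(sig)):
        raise ValueError("bad signature")
    return json.loads(_unb64url(payload))

def validate_logout_claims(claims: dict, issuer: str, client_id: str, seen_jti: set, now: int) -> dict:
    """Claim checks required by OpenID Connect Back-Channel Logout 1.0 (section 2.6)."""
    if claims.get("iss") != issuer:
        raise ValueError("wrong issuer")
    aud = claims.get("aud")
    if client_id not in (aud if isinstance(aud, list) else [aud]):
        raise ValueError("wrong audience")
    if not isinstance(claims.get("iat"), int) or abs(now - claims["iat"]) > 300:
        raise ValueError("iat outside the accepted window")
    if "nonce" in claims:  # a nonce marks an ID token; an ID token must never pass as a logout token
        raise ValueError("nonce present")
    if LOGOUT_EVENT not in claims.get("events", {}):
        raise ValueError("backchannel-logout event missing")
    if "sub" not in claims and "sid" not in claims:
        raise ValueError("sub or sid required")
    if not claims.get("jti") or claims["jti"] in seen_jti:  # the jti record blocks replay of a captured token
        raise ValueError("missing or replayed jti")
    seen_jti.add(claims["jti"])
    return claims

def handle_backchannel_logout(token, secret, issuer, client_id, sessions, seen_jti, now=None) -> list:
    # Endpoint logic: validate, then end the session named by sid, or every session of sub when only sub is given
    claims = validate_logout_claims(verify_signature(token, secret), issuer, client_id, seen_jti, now or int(time.time()))
    key = "sid" if "sid" in claims else "sub"
    ended = [k for k, s in sessions.items() if s.get(key) == claims[key]]
    for k in ended:
        del sessions[k]
    return ended
```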
Security and compliance
The back-channel logout process enhances security by ensuring that logout requests are handled server-to-server, which is less susceptible to browser issues or customer interference. Because the logout_token is signed by the identity provider, the receiving application can verify that each logout request is genuine and intended for it, preventing unauthorized session terminations.
The back-channel logout URLs must be pre-registered with the identity provider to ensure that logout requests are sent to trusted endpoints, maintaining the integrity and security of the logout process.
Benefits for clients
- Enhanced security: Provides a secure mechanism to log customers out of all applications, even if the customer's browser is unavailable or compromised.
- Reliability: Ensures that logout requests are reliably delivered and processed by all applications, independent of the customer's browser state.
- Compliance and trust: Adheres to established OpenID Connect protocols, ensuring compatibility and trust across various platforms and services.