OIDC RP-initiated logout

RP-initiated logout is a process where the logout is initiated by the brand portal, which represents the "relying party" or RP. The brand portal communicates with Strivacity, the Identity Provider (IdP), to invalidate the user's session. It is a low-effort way of initiating a logout from a browser-based application, since the logout action requires only constructing a well-formed HTTP request to the IdP logout endpoint.

Approach

  1. The brand portal sends a logout request to the logout endpoint /oauth2/sessions/logout:

The Strivacity logout endpoint, /oauth2/sessions/logout/, follows the OIDC standard and is discoverable in our OIDC well-known endpoints.

There are three parts of the URL:

  • The server path {server-path}
  • A JWT-encoded id_token_hint containing the session ID to cancel
    • JWT payload should be { "sid": "{session-id}"}
    • "sid" is the session ID from the ID token
  • A post_logout_redirect_uri indicating where to return the browser after the logout is complete on the IdP side

Example:

https://{server-path}/oauth2/sessions/logout?id_token_hint={jwt-token}&post_logout_redirect_uri=https%3A%2F%2F{brand-portal-redirect-uri}

  2. Strivacity processes the logout and invalidates the session indicated in the HTTP request:

Strivacity will log out the user from all applications associated with the session

  3. Strivacity then redirects to the callback URL provided in the HTTP request:

Once the browser has been redirected back to the brand portal, the portal can invalidate any cookies or local session state required to complete the logout on the application side.
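The following is an added example of how a brand portal could build the logout request from the three parts described above; it is not Strivacity's code. It assumes the portal kept the ID token it validated at login and passes it as the id_token_hint (it is the JWT that carries the sid claim), checks that a sid is actually present, and only accepts a post_logout_redirect_uri from its own allow list. The server path, redirect URI and the sample token are constructed placeholders.

```python
import base64
import json
from urllib.parse import urlencode

LOGOUT_PATH = "/oauth2/sessions/logout"


def _b64url_decode(segment: str) -> bytes:
    # JWT segments drop base64 padding; restore it before decoding.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def _b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def session_id_from_id_token(id_token: str) -> str:
    """Return the 'sid' claim of an ID token the RP already validated at login.
    Only the payload is read here; the signature was checked when the token
    was accepted (assumption: the caller stored a validated token)."""
    parts = id_token.split(".")
    if len(parts) != 3:
        raise ValueError("id_token is not a compact JWS (expected 3 segments)")
    claims = json.loads(_b64url_decode(parts[1]))
    sid = claims.get("sid")
    if not isinstance(sid, str) or not sid:
        raise ValueError("ID token has no 'sid' claim; no session to target")
    return sid


def build_logout_url(server_path: str, id_token: str,
                     post_logout_redirect_uri: str, allowed_redirects: set) -> str:
    """Construct the RP-initiated logout URL for the IdP logout endpoint."""
    session_id_from_id_token(id_token)  # fail early if the hint cannot name a session
    if post_logout_redirect_uri not in allowed_redirects:
        # Never let a caller-supplied value turn the logout into an open redirect.
        raise ValueError("post_logout_redirect_uri is not on the allow list")
    query = urlencode({
        "id_token_hint": id_token,
        "post_logout_redirect_uri": post_logout_redirect_uri,  # percent-encoded
    })
    return f"https://{server_path}{LOGOUT_PATH}?{query}"


# Constructed sample ID token for the demo. A real one is signed by the IdP;
# the third segment here is a placeholder, not a valid signature.
SAMPLE_ID_TOKEN = ".".join([
    _b64url_encode(json.dumps({"alg": "RS256", "typ": "JWT"}).encode()),
    _b64url_encode(json.dumps({"sub": "user-123", "sid": "sess-abc"}).encode()),
    "placeholder-signature",
])
```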