Enabling programmatic logout for an OpenID Connect Relying Party

You can enable programmatic logout for an application that is secured by the OpenID Connect (OIDC) Relying Party (RP) Trust Association Interceptor (TAI). When programmatic logout is enabled, logging out of the application clears any OpenID Connect cookies and Lightweight Third Party Authentication (LTPA) cookies.

Before you begin

This task assumes that your system is enabled to use the OpenID Connect feature. For more information, see Configuring an OpenID Connect Relying Party.

About this task

The OIDC TAI supports logout through the HttpServletRequest.logout() Java™ method. When this method is called from a URL that is protected by the OIDC TAI, it clears the LtpaToken2 cookie and the OpenID Connect cookies. You can also configure the OIDC TAI to revoke any access tokens when this method is called.

The following procedure provides an example class and the steps to enable OpenID Connect programmatic logout. It shows how to add a logout method to your application and how to configure the OIDC TAI to revoke access tokens.

Procedure

  1. Develop a logout endpoint to include with your application that is protected by the TAI, as shown in the following example:
    import java.io.IOException;
    import javax.servlet.Servlet;
    import javax.servlet.ServletException;
    import javax.servlet.http.HttpServlet;
    import javax.servlet.http.HttpServletRequest;
    import javax.servlet.http.HttpServletResponse;
    
    // Logout endpoint for an application that is protected by the OIDC RP TAI.
    public class OIDCLogoutServlet extends HttpServlet implements Servlet {
        public OIDCLogoutServlet() {
            super();
        }
    
        @Override
        protected void doGet(HttpServletRequest req, HttpServletResponse rsp) throws ServletException, IOException {
            doPost(req, rsp);
        }
    
        @Override
        protected void doPost(HttpServletRequest req, HttpServletResponse rsp) throws ServletException, IOException {
            // When this URL is intercepted by the OIDC TAI, logout() clears the
            // LtpaToken2 cookie and the OpenID Connect cookies.
            req.logout();
        }
    }
  2. Configure the new logout URL that you developed in the previous step to be intercepted by the OIDC TAI.
    1. Log in to the WebSphere Application Server administrative console.
    2. Click Security > Global security.
    3. Expand Web and SIP security.
    4. Click Trust association > Interceptors.
    5. Click com.ibm.ws.security.oidc.client.RelyingParty.
    6. Ensure that the combination of values of the following three properties intercepts the URL that calls the HttpServletRequest.logout() method:
      • provider_<id>.filter
      • provider_<id>.interceptedPathFilter
      • provider_<id>.excludedPathFilter
  3. Decide whether you want to revoke the user's access tokens upon logout, then complete one of the following procedures based on your decision:

Configuring the OIDC TAI to revoke user access tokens upon logout

To automatically revoke user access tokens upon logout when programmatic logout is enabled, complete the following steps.

Procedure

  1. Set the provider_<id>.revokeAccessToken property to true.
  2. If no value is configured for the provider_<id>.discoveryEndpointUrl property, set the provider_<id>.revokeEndpointUrl property to the value of the revoke endpoint on your OIDC provider.
    If the provider_<id>.discoveryEndpointUrl property is configured, the provider_<id>.revokeEndpointUrl property is set up automatically and this step is not required.
  3. Optional: Set the provider_<id>.revokeTokensOnCacheEviction property to true.
    When this property is set to true and a revoke endpoint is configured, whenever a session is evicted from a DynaCache instance, the tokens in the session data are revoked.
  4. Optional: Set the alwaysInvalidateAccessTokenOnLogout property to true.
    By default, if an OIDC session cookie is present on a request when a logout is performed, the logout uses only the information that is associated with the OIDC session cookie. If no OIDC session cookie exists, then the logout uses the access token in the Authorization header of the request. If you set the alwaysInvalidateAccessTokenOnLogout property to true, the logout is performed by using information from both the OIDC session cookie and the Authorization header of the request when they both exist.