Enabling programmatic logout for an OpenID Connect Relying Party
You can enable programmatic logout for an application that is secured by the OpenID Connect (OIDC) Relying Party (RP) Trust Association Interceptor (TAI). When programmatic logout is enabled, logging out of the application clears any OpenID Connect cookies and Lightweight Third Party Authentication (LTPA) cookies.
Before you begin
This task assumes that your system is enabled to use the OpenID Connect feature. For more information, see Configuring an OpenID Connect Relying Party.
About this task
The OIDC TAI supports logout through the HttpServletRequest.logout() Java™ method. When this method is called from a URL that is protected by the OIDC TAI, it clears the LtpaToken2 cookie and the OpenID Connect cookies. You can also configure the OIDC TAI to revoke any access tokens when this method is called.
The following procedure provides an example class and the steps to enable OpenID Connect programmatic logout. It shows how to add a logout method to your application and how to configure the OIDC TAI to revoke access tokens.
The HttpServletRequest.logout() method makes the OIDC TAI remove the information that is required to log out a single sign-on (SSO) user from the application server. To preserve the SSO functions, most OpenID Connect Providers (OPs) leave information in the browser that keeps the user logged in to the OP. Because of this behavior, if the user navigates again to a URL that is protected by the OP, no credentials are required even though the user logged out of the application server. The OIDC TAI recognizes that the user is not logged in to the application server and redirects the request to the OP for login, but the OP does not require credentials because, from its point of view, the user is still logged in.
To require credentials after the user logs out, more steps are needed to set up RP-initiated logout to log out the user from the OP.
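The logout method described above, as an added servlet example that is not code from the original page or product documentation; the /logout path, the loggedout.html target, and the use of the Servlet 3.0 javax.servlet API are assumptions:

```java
// Added example: a servlet that performs programmatic logout for an application
// protected by the OIDC TAI. Assumptions: Servlet 3.0+ (javax.servlet) API, and
// that the servlet's own URL is covered by the TAI's protected URL pattern, so
// the TAI is the component that handles the logout() call.
import java.io.IOException;
import javax.servlet.ServletException;
import javax.servlet.annotation.WebServlet;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;

@WebServlet("/logout") // hypothetical path; must lie inside the TAI-protected URL space
public class OidcLogoutServlet extends HttpServlet {

    @Override
    protected void doPost(HttpServletRequest request, HttpServletResponse response)
            throws ServletException, IOException {
        // An unauthenticated request has nothing to log out; refuse rather than redirect.
        if (request.getUserPrincipal() == null) {
            response.sendError(HttpServletResponse.SC_UNAUTHORIZED);
            return;
        }

        // Asks the container to clear the LtpaToken2 and OpenID Connect cookies; with
        // provider_<id>.revokeAccessToken set to true the TAI also revokes the access token.
        request.logout();

        // Drop the application's own HTTP session so no application state outlives the login.
        HttpSession session = request.getSession(false);
        if (session != null) {
            session.invalidate();
        }

        // Hypothetical landing page. The user is still signed in at the OP at this point;
        // ending the OP session requires RP-initiated logout, which is a separate setup.
        response.sendRedirect(request.getContextPath() + "/loggedout.html");
    }

    // Accept logout only via POST so that a plain cross-site link (GET) cannot trigger it.
    @Override
    protected void doGet(HttpServletRequest request, HttpServletResponse response)
            throws IOException {
        response.sendError(HttpServletResponse.SC_METHOD_NOT_ALLOWED);
    }
}
```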
Procedure
Configuring the OIDC TAI to revoke user access tokens upon logout
To automatically revoke user access tokens upon logout when programmatic logout is enabled, complete the following steps.
Procedure
- Set the provider_<id>.revokeAccessToken property to true.
- If no value is configured for the provider_<id>.discoveryEndpointUrl property, set the provider_<id>.revokeEndpointUrl property to the value of the revoke endpoint on your OIDC provider. If the provider_<id>.discoveryEndpointUrl property is configured, the provider_<id>.revokeEndpointUrl property is set up automatically, and this step is not required.
- Optional: Set the provider_<id>.revokeTokensOnCacheEviction property to true. When this property is set to true and a revoke endpoint is configured, whenever a session is evicted from a DynaCache instance, the tokens in the session data are revoked.
- Optional: Set the alwaysInvalidateAccessTokenOnLogout property to true. By default, if an OIDC session cookie is present on a request when a logout is performed, the logout uses only the information that is associated with the OIDC session cookie. If no OIDC session cookie exists, then the logout uses the access token in the Authorization header of the request. If you set the alwaysInvalidateAccessTokenOnLogout property to true, the logout is performed by using information from both the OIDC session cookie and the Authorization header of the request when they both exist.