Configuring OpenID Connect Backchannel Logout on WSO2 Identity Server
The OpenID Connect specifications provides three methods for Single Logout (SLO) of an End-User from all the logged-in applications.
- OIDC Session Management
- OIDC Backchannel Logout
- OIDC Frontchannel Logout
WSO2 Identity Server now supports all three types of logout specified by OpenID Connect. Session Management is enabled by default for all Service Providers and users (admins) are also provided with a choice between Backchannel and Frontchannel logout mechanisms.
If you need more information on OIDC Backchannel Logout, see here.
By reading this blog post, you will be able to learn the following,
1. How to configure OIDC Backchannel logout on WSO2 Identity Server
2. How to test the OIDC Backchannel logout functionality using the sample Playground2 app
How to configure OIDC Backchannel logout on WSO2 Identity Server
- Download WSO2 Identity Server version 5.8.0 or above from here, or clone this repo and build the product without running tests (as this would be heavily time consuming) using the following command:
mvn clean install -Dmaven.test.skip=true
2. Go the $product-is-source > bin. Open a terminal from this directory and run
./wso2server.sh. The server will be up and running in a short while.
3. Go to the Management Console (https://localhost:9443/carbon/).
4. Click on Add in the Service Providers menu and register a new service provider as ‘playground2’.
5. Go to Inbound Authentication Configuration > OAuth/OpenID Connect Configuration and click Configure. Provide a Callback URL, and select OIDC Backchannel Logout in the Logout Mechanisms options and provide the Backchannel logout endpoint URL of the service provider application as well. We will be registering the information of the sample playground2 app, which will serve as a prerequisite for the next part of this blog post as well.
callback url: http://localhost:8080/playground2/oauth2clientbackchannel logout url: http://localhost:8080/playground2/bclogout
6. Check the Resident Identity Provider details in the Management Console. At the bottom of OpenID Connect Configuration list, the Logout Endpoint URL of the Identity Provider is mentioned. This is the endpoint that gets called when logout is triggered from a service provider.
How to test the OIDC Backchannel logout functionality using the sample playground2 app
To test the OIDC Backchannel logout functionality, we will be using the sample playground2 app which comes with the wso2-is pack.
The playground2 app can be found in the following directory,
$product-is-source > modules > samples > oauth2> playground2> target
Get the playground2.war file and deploy 2 instances in Tomcat — named playground2.war and playground3.war. Follow the previous instructions set and register 2 Service Providers for the 2 apps with their respective Callback URLs and Logout Endpoint URLs.
Invoke http://localhost:8080/playground2/ url and you should see the following page.
Using Implicit Flow
- Click on Import Photos and enter the following details and click Authorize.
Authorization Grant Type :
implicitClient Id :
Client ID of the playground2 applicationScope :
openidImplicit Response Type :
ID token only or ID token and access tokenCallback URL :
Some of the fields may have already been filled.
2. The Login Page of the Identity Provider will be prompted. Provide the username and password (admin, admin respectively by default) and sign in.
3. You will be redirected to a Consent page. Provide the required consents and click Approve. You are now logged in as admin to the playground2 app.
4. Repeat the same procedure for the playground3 app as well.
6. Click on Logout from one of the apps. You will be directed to the consent page of the IDP. Upon consenting the logout, you will be given confirmation that you have been logged out of the IDP. Go to the page of the other playground app and reload the page. You will see the login page of the playground app and Logged in user as null.
You have now been logged out using OIDC Backchannel Logout! Check the Tomcat logs to see the Backchannel logout flow.