Hi all,

Currently I'm working on the OpenID Connect Back-Channel Logout project.

*Objective:* OpenID Connect specifies 3 mechanisms for logout, and WSO2 Identity Server supports only one of those mechanisms (OpenID Connect Session Management).

1. Front-channel
2. Back-channel
3. Session management

Currently IS supports SLO using OpenID Connect Session Management. The objective of this project is to implement the OpenID Connect Back-Channel Logout specification for Identity Server.

*Advantages:* Back-channel communication can be more reliable than communication through the User Agent.

This back-channel logout should be an OP-initiated logout. The diagram below shows how it should work.

*Steps:*

1. RP registers a back-channel logout URI.
2. Insert a sid claim in the ID token which indicates the session of that RP.
3. Store the sid value, which is the same for a particular browser session.
4. When a logout request comes from a particular browser session, create a logout token with the sid claim.
5. Send the logout token to the RP's logout endpoint.
6. RP needs to validate the logout token.

*How it works*

*ID Token building process in OIDC Back-Channel Logout*

Here I have implemented a supplementary OSGi service to add claims to the ID token.

*Back-Channel Logout mechanism for Implicit flow*

In back-channel logout implicit flow, I'm storing the sid claim in the OIDCSession Store in such a way that all RPs belonging to the same browser session will have the same sid value. When a logout request comes from an RP, the OP will find the sid value belonging to that session. Then the OP will generate a logout token for all RPs belonging to the same browser session by inserting the sid claim. After the logout token is generated, the OP will send the logout token to the registered logout endpoint of all RPs.

Back-Channel Logout mechanism for Authorization Code flow is currently in progress.

Feedback on this progress is appreciated.
Reference: http://openid.net/specs/openid-connect-backchannel-1_0.html

Thanks,
--
*Piraveena Paralogarajah*
Intern - Software Engineering | WSO2
*Email*: [email protected]
*Blog*: https://medium.com/@piraveenaparalogarajah
*Mobile*: +94776099594

_______________________________________________
Architecture mailing list
[email protected]
https://mail.wso2.org/cgi-bin/mailman/listinfo/architecture
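The six steps above, worked through end to end as an added example (this is not WSO2 Identity Server code nor the poster's implementation): an OP-side session store that hands every RP in one browser session the same sid, issues one logout token per RP on logout, and an RP-side handler that validates the logout token the way the Back-Channel Logout spec requires (signature, iss, aud, iat, events member, no nonce, sub or sid present, jti replay check, known sid). Assumptions: tokens are HS256-signed with each client's secret instead of the OP's RS256 key, the 120-second iat tolerance is an arbitrary choice, and all names (OPSessionStore, RPLogoutHandler, the example issuer and client ids) are constructed for this example.

```python
"""Constructed example of OIDC Back-Channel Logout token issuance and validation.
Not WSO2 Identity Server code; HS256 with the client secret stands in for the
OP's asymmetric signing key to keep the example stdlib-only."""
import base64
import hashlib
import hmac
import json
import time
import uuid

# Event member every logout token must carry (from the Back-Channel Logout spec).
BACKCHANNEL_LOGOUT_EVENT = "http://schemas.openid.net/event/backchannel-logout"
MAX_IAT_SKEW = 120  # seconds; assumed tolerance, chosen for this example


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def sign_jwt(claims: dict, secret: bytes) -> str:
    """Compact HS256 JWT (simplification; a real OP publishes an RS256 key)."""
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = _b64url(json.dumps(claims).encode())
    mac = hmac.new(secret, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url(mac)}"


def verify_jwt(token: str, secret: bytes) -> dict:
    """Check structure, pinned alg and signature; return the claims."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed JWT")
    header, payload, sig = parts
    if json.loads(_b64url_decode(header)).get("alg") != "HS256":
        raise ValueError("unexpected alg")
    expected = hmac.new(secret, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(sig)):
        raise ValueError("bad signature")
    return json.loads(_b64url_decode(payload))


class OPSessionStore:
    """OP side (constructed): one sid per browser session, shared by every RP
    that logged in through it; RPs are registered with a logout URI (step 1)."""

    def __init__(self, issuer: str):
        self.issuer = issuer
        self.clients = {}   # client_id -> (secret, backchannel_logout_uri)
        self.sessions = {}  # browser_session_id -> {"sid": str, "rps": set()}

    def register_rp(self, client_id: str, secret: bytes, logout_uri: str) -> None:
        self.clients[client_id] = (secret, logout_uri)

    def login(self, browser_session_id: str, client_id: str, sub: str) -> str:
        """Issue an ID token carrying the browser session's sid (steps 2-3)."""
        session = self.sessions.setdefault(
            browser_session_id, {"sid": str(uuid.uuid4()), "rps": set()})
        session["rps"].add(client_id)
        secret, _ = self.clients[client_id]
        now = int(time.time())
        claims = {"iss": self.issuer, "sub": sub, "aud": client_id,
                  "iat": now, "exp": now + 3600, "sid": session["sid"]}
        return sign_jwt(claims, secret)

    def logout(self, browser_session_id: str) -> list:
        """Return (logout_uri, logout_token) pairs, one per RP in the session,
        for delivery by HTTP POST to each RP's logout endpoint (steps 4-5)."""
        session = self.sessions.pop(browser_session_id)
        deliveries = []
        for client_id in session["rps"]:
            secret, logout_uri = self.clients[client_id]
            claims = {"iss": self.issuer, "aud": client_id, "iat": int(time.time()),
                      "jti": str(uuid.uuid4()), "sid": session["sid"],
                      "events": {BACKCHANNEL_LOGOUT_EVENT: {}}}  # no nonce, by spec
            deliveries.append((logout_uri, sign_jwt(claims, secret)))
        return deliveries


class RPLogoutHandler:
    """RP side (constructed): track sids from ID tokens, validate logout tokens (step 6)."""

    def __init__(self, issuer: str, client_id: str, secret: bytes):
        self.issuer, self.client_id, self.secret = issuer, client_id, secret
        self.active_sids = set()
        self.seen_jti = set()

    def on_login(self, id_token: str) -> None:
        self.active_sids.add(verify_jwt(id_token, self.secret)["sid"])

    def handle_logout_token(self, token: str, now: int = None) -> str:
        """Apply the spec's logout token checks; return the sid that was ended."""
        claims = verify_jwt(token, self.secret)
        now = int(time.time()) if now is None else now
        if claims.get("iss") != self.issuer:
            raise ValueError("wrong issuer")
        aud = claims.get("aud")
        if self.client_id not in (aud if isinstance(aud, list) else [aud]):
            raise ValueError("wrong audience")
        if abs(now - int(claims.get("iat", 0))) > MAX_IAT_SKEW:
            raise ValueError("iat outside accepted window")
        if "nonce" in claims:
            raise ValueError("nonce is prohibited in logout tokens")
        events = claims.get("events")
        if not isinstance(events, dict) or not isinstance(events.get(BACKCHANNEL_LOGOUT_EVENT), dict):
            raise ValueError("missing backchannel-logout event member")
        if "sub" not in claims and "sid" not in claims:
            raise ValueError("sub or sid is required")
        jti = claims.get("jti")
        if not jti or jti in self.seen_jti:
            raise ValueError("missing or replayed jti")
        self.seen_jti.add(jti)
        sid = claims.get("sid")
        if sid not in self.active_sids:
            raise ValueError("sid does not match a known session")
        self.active_sids.discard(sid)
        return sid
```

The jti set is what stops a captured logout token from being replayed against the RP; in a deployment it needs a bounded store (for example expiring entries once they fall outside the iat window) rather than an ever-growing in-memory set, and the sid-to-session mapping should be persisted wherever the RP keeps its sessions so the lookup survives restarts.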
