Hi all,

Currently I'm working on OpenID Connect BackChannel Logout project.

*Objective:*
OpenID Connect specifies three mechanisms for logout, and WSO2 Identity
Server supports only one of them (OpenID Connect Session Management):
1. Front-channel
2. Back-channel
3. Session management

Currently IS supports SLO using OpenID Connect Session management. Objective
of this project is to implement the OpenID Connect Back-Channel Logout
specification for Identity Server.

Advantage of back-channel logout:
Back-channel communication can be more reliable than communication through
the User Agent.


This back-channel logout should be an OP initiated logout. So the diagram
below shows how it should work.


*Steps:*

   1. The RP registers a back-channel logout URI.
   2. Insert a sid claim in the ID token that identifies the session of
   that RP.
   3. Store the sid value, which is the same for a particular browser
   session.
   4. When a logout request comes from a particular browser session, create
   a logout token with the sid claim.
   5. Send the logout token to the RP's logout endpoint.
   6. The RP needs to validate the logout token.


*How it works*

*ID Token building process in OIDC Back-Channel Logout*


Here I have implemented a supplementary OSGi service to add claims to the
ID token.

*Back-Channel Logout mechanism for Implicit flow*


In the back-channel logout implicit flow, I'm storing the sid claim in the
OIDCSession Store in such a way that all RPs belonging to the same browser
session have the same sid value. When a logout request comes from an RP,
the OP finds the sid value belonging to that session. Then the OP generates
a logout token for all RPs belonging to the same browser session by
inserting the sid claim. After the logout token is generated, the OP sends
the logout token to the registered logout endpoint of each RP.
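The steps listed above and the implicit-flow description are easier to follow with a worked example. The block below is an added illustration, not WSO2 Identity Server code and not the OSGi service described in this mail: it keeps a minimal session store that hands every RP in one browser session the same sid (steps 2 and 3), fans out one logout token per RP on logout (steps 4 and 5), and validates the token on the RP side with the checks from section 2.6 of the Back-Channel Logout spec (step 6). Logout tokens are HS256 JWTs built with the standard library only; the issuer URL, client ids, logout URIs, secrets and session ids are constructed sample values, and the actual HTTP POST of `logout_token=<jwt>` is left out so the example runs offline.

```python
"""Added example (not WSO2 Identity Server code): OP-side back-channel
logout fan-out plus RP-side logout-token validation (OIDC Back-Channel
Logout 1.0, sections 2.4 and 2.6). All identifiers below are constructed."""
import base64
import hashlib
import hmac
import json
import time
import uuid

BACKCHANNEL_LOGOUT_EVENT = "http://schemas.openid.net/event/backchannel-logout"
ISSUER = "https://op.example.com/oauth2/token"  # assumed OP issuer identifier


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def sign_jwt(claims: dict, secret: bytes) -> str:
    """HS256 compact JWS; a real OP would normally use its RS256 ID-token key."""
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = _b64url(json.dumps(claims, separators=(",", ":")).encode())
    sig = hmac.new(secret, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url(sig)}"


def verify_jwt(token: str, secret: bytes) -> dict:
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed JWT")
    header, payload, sig = parts
    if json.loads(_b64url_decode(header)).get("alg") != "HS256":
        raise ValueError("unexpected alg")  # never trust the alg the token names
    expected = hmac.new(secret, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(sig)):
        raise ValueError("bad signature")
    return json.loads(_b64url_decode(payload))


# Step 1: RP registration records the backchannel_logout_uri (constructed RPs).
REGISTERED_RPS = {
    "client-a": {"backchannel_logout_uri": "https://rp-a.example.com/bc-logout", "secret": b"rp-a-secret"},
    "client-b": {"backchannel_logout_uri": "https://rp-b.example.com/bc-logout", "secret": b"rp-b-secret"},
}


class OIDCSessionStore:
    """Step 3: one sid per browser session, plus the RPs that received it."""

    def __init__(self):
        self._sessions = {}  # browser_session_id -> {"sid": str, "rps": set}

    def get_or_create_sid(self, browser_session_id: str) -> str:
        entry = self._sessions.setdefault(browser_session_id, {"sid": str(uuid.uuid4()), "rps": set()})
        return entry["sid"]

    def register_rp(self, browser_session_id: str, client_id: str) -> None:
        self._sessions[browser_session_id]["rps"].add(client_id)

    def pop_session(self, browser_session_id: str):
        return self._sessions.pop(browser_session_id, None)


def build_id_token_claims(store: OIDCSessionStore, browser_session_id: str, client_id: str, subject: str) -> dict:
    """Step 2: the ID token issued to an RP carries the browser session's sid."""
    sid = store.get_or_create_sid(browser_session_id)
    store.register_rp(browser_session_id, client_id)
    now = int(time.time())
    return {"iss": ISSUER, "sub": subject, "aud": client_id, "iat": now, "exp": now + 3600, "sid": sid}


def build_logout_token_claims(client_id: str, sid: str) -> dict:
    """Step 4: logout token claims per spec section 2.4 (no nonce, has events)."""
    return {"iss": ISSUER, "aud": client_id, "iat": int(time.time()), "jti": str(uuid.uuid4()),
            "sid": sid, "events": {BACKCHANNEL_LOGOUT_EVENT: {}}}


def fan_out_logout(store: OIDCSessionStore, browser_session_id: str) -> list:
    """Step 5: returns (logout_uri, logout_token) for every RP of the session."""
    session = store.pop_session(browser_session_id)
    if session is None:
        return []
    result = []
    for client_id in sorted(session["rps"]):
        rp = REGISTERED_RPS[client_id]
        token = sign_jwt(build_logout_token_claims(client_id, session["sid"]), rp["secret"])
        result.append((rp["backchannel_logout_uri"], token))
    return result


def validate_logout_token(token: str, client_id: str, secret: bytes, max_age: int = 300) -> dict:
    """Step 6, RP side: the checks of spec section 2.6."""
    claims = verify_jwt(token, secret)
    if claims.get("iss") != ISSUER:
        raise ValueError("wrong issuer")
    aud = claims.get("aud")
    if aud != client_id and not (isinstance(aud, list) and client_id in aud):
        raise ValueError("wrong audience")
    iat = claims.get("iat")
    if not isinstance(iat, int) or abs(int(time.time()) - iat) > max_age:
        raise ValueError("iat missing or outside the accepted window")
    if "sub" not in claims and "sid" not in claims:
        raise ValueError("logout token needs sub or sid")
    if "nonce" in claims:
        raise ValueError("nonce must not be present in a logout token")
    events = claims.get("events")
    if not isinstance(events, dict) or not isinstance(events.get(BACKCHANNEL_LOGOUT_EVENT), dict):
        raise ValueError("missing backchannel-logout event")
    if "jti" not in claims:
        raise ValueError("jti missing")  # needed for the optional replay check
    return claims
```

The events and nonce checks are what stop an ID token from being replayed to the logout endpoint as if it were a logout token; an RP should additionally remember recent jti values and match the sid or sub against its own session table before ending a session.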

Back-Channel Logout mechanism for Authorization Code flow is currently in
progress.

Feedback on this progress is appreciated.

Reference:
http://openid.net/specs/openid-connect-backchannel-1_0.html

Thanks,

-- 
*Piraveena Paralogarajah*
Intern- Software Engineering | WSO2
*Email *: [email protected]
*Blog* : https://medium.com/@piraveenaparalogarajah
*Mobile* : +94776099594
_______________________________________________
Architecture mailing list
[email protected]
https://mail.wso2.org/cgi-bin/mailman/listinfo/architecture