[ 
https://issues.apache.org/jira/browse/SLING-13119?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
 ]

Nicola Scendoni reassigned SLING-13119:
---------------------------------------

    Assignee: Nicola Scendoni

> Implement OIDC Single Logout (SP-Initiated Logout URL) in Sling OIDC Authentication Handler
> -------------------------------------------------------------------------------------------
>
>                 Key: SLING-13119
>                 URL: https://issues.apache.org/jira/browse/SLING-13119
>             Project: Sling
>          Issue Type: Improvement
>          Components: Extensions
>            Reporter: Nicola Scendoni
>            Assignee: Nicola Scendoni
>            Priority: Major
>
> *Description:*
> Enhance the Sling OIDC Authentication Handler to support *OIDC Single Logout 
> (RP/SP-Initiated Logout)* by implementing the OpenID Connect RP-Initiated 
> Logout specification.
> The goal is to allow Sling (Relying Party) to initiate logout at the OpenID 
> Provider (OP) and ensure the user session is properly terminated both locally 
> and at the Identity Provider.
> *Scope of Work:*
>  * Implement support for end_session_endpoint discovery from the OIDC 
> provider metadata
>  * Add configuration support for:
>  ** post_logout_redirect_uri
>  ** Optional id_token_hint
>  * Implement redirect flow to OP logout endpoint
>  * Ensure local Sling session invalidation before/after redirect (as 
> appropriate)
>  * Handle state validation (if applicable)
>  * Ensure compatibility with existing authentication flows
> *Acceptance Criteria:*
>  * When logout is triggered in Sling, user is redirected to the OP 
> end_session_endpoint
>  * OP session is terminated successfully
>  * User is redirected back to configured post_logout_redirect_uri
>  * Local Sling session is fully invalidated
>  * Feature is configurable and backward compatible
>  * Proper error handling if OP does not expose end_session_endpoint
> *Out of Scope:*
>  * Back-channel logout
>  * Front-channel logout (iframe-based) unless explicitly required
> *Technical Notes:*
>  * Follow [OpenID Connect RP-Initiated Logout 
> 1.0|https://openid.net/specs/openid-connect-rpinitiated-1_0.html]
>  * Ensure thread safety and no regression in clustered environments
>  * Add integration test with a compliant OIDC provider (e.g., Keycloak)
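The RP-initiated logout flow the issue scopes out, written here as an added illustration rather than Sling's own handler code: the OP's end_session_endpoint is taken from discovery metadata, the redirect carries post_logout_redirect_uri, an optional id_token_hint and a state value, the local session is invalidated before redirecting, a missing endpoint raises an explicit error, and the state is checked when the browser comes back. The metadata, URLs, token and session store are constructed sample values.

```python
"""RP-initiated logout helper: builds the OP end_session redirect and checks the
return trip. All metadata, URLs and tokens below are constructed sample values."""
import secrets
from urllib.parse import urlencode, urlparse, parse_qs

# Constructed discovery-document fragment, as an RP would fetch from
# <issuer>/.well-known/openid-configuration (Keycloak-style URL shape).
OP_METADATA = {
    "issuer": "https://op.example.test/realms/demo",
    "end_session_endpoint": "https://op.example.test/realms/demo/protocol/openid-connect/logout",
}
POST_LOGOUT_URI = "https://sling.example.test/logged-out"  # assumed RP config value


class LogoutNotSupported(Exception):
    """Raised when the OP metadata carries no end_session_endpoint."""


def start_rp_logout(metadata, sessions, session_id, post_logout_uri, id_token=None):
    """Invalidate the local session, then return (redirect_url, state).

    The caller keeps `state` (e.g. in a short-lived cookie) so the return to
    post_logout_redirect_uri can be matched to this logout attempt.
    """
    endpoint = metadata.get("end_session_endpoint")
    if not endpoint:
        # Acceptance criterion: fail explicitly instead of redirecting nowhere.
        raise LogoutNotSupported("OP does not advertise end_session_endpoint")
    # Local session goes first: even if the OP round trip never completes,
    # the RP must not keep treating the user as authenticated.
    sessions.pop(session_id, None)
    state = secrets.token_urlsafe(16)
    params = {"post_logout_redirect_uri": post_logout_uri, "state": state}
    if id_token:
        params["id_token_hint"] = id_token  # optional per spec; identifies the OP session
    return f"{endpoint}?{urlencode(params)}", state


def validate_post_logout_return(callback_url, expected_state, post_logout_uri):
    """True only if the OP sent the browser back to our URI echoing our state."""
    parsed = urlparse(callback_url)
    base = parsed._replace(query="", fragment="").geturl()
    if base != post_logout_uri:
        return False
    returned = parse_qs(parsed.query).get("state", [""])[0]
    return secrets.compare_digest(returned, expected_state)
```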



--
This message was sent by Atlassian Jira
(v8.20.10#820010)