From 3c9f2739796e2a431913d3133342f97e81725827 Mon Sep 17 00:00:00 2001 From: wso2 Date: Tue, 21 May 2024 00:16:06 +0530 Subject: [PATCH 1/3] add back channel logout doc --- .../oidc/add-back-channel-logout.md | 4 + en/identity-server/7.0.0/mkdocs.yml | 1 + .../oidc/add-back-channel-logout.md | 4 + en/identity-server/next/mkdocs.yml | 1 + .../oidc/add-back-channel-logout.md | 75 +++++++++++++++++++ 5 files changed, 85 insertions(+) create mode 100644 en/identity-server/7.0.0/docs/guides/authentication/oidc/add-back-channel-logout.md create mode 100644 en/identity-server/next/docs/guides/authentication/oidc/add-back-channel-logout.md create mode 100644 en/includes/guides/authentication/oidc/add-back-channel-logout.md diff --git a/en/identity-server/7.0.0/docs/guides/authentication/oidc/add-back-channel-logout.md b/en/identity-server/7.0.0/docs/guides/authentication/oidc/add-back-channel-logout.md new file mode 100644 index 0000000000..1bac81a028 --- /dev/null +++ b/en/identity-server/7.0.0/docs/guides/authentication/oidc/add-back-channel-logout.md @@ -0,0 +1,4 @@ +{% set product_name = "WSO2 Identity Server" %} +{% set product_url_format = "https://localhost:9443" %} +{% set product_url_sample = "https://localhost:9443" %} +{% include "../../../../../../includes/guides/authentication/oidc/add-back-channel-logout.md" %} \ No newline at end of file diff --git a/en/identity-server/7.0.0/mkdocs.yml b/en/identity-server/7.0.0/mkdocs.yml index 97c515f758..f78d8eec3d 100644 --- a/en/identity-server/7.0.0/mkdocs.yml +++ b/en/identity-server/7.0.0/mkdocs.yml 
@@ -434,6 +434,7 @@ nav: - Validate tokens: guides/authentication/oidc/token-validation-resource-server.md - Revoke tokens: guides/authentication/oidc/revoke-tokens.md - Implement logout: guides/authentication/oidc/add-logout.md + - Implement back channel logout: guides/authentication/oidc/add-back-channel-logout.md - Configure SAML flows: - Configure SAML flows: guides/authentication/saml/index.md - Discover SAML endpoints and settings: guides/authentication/saml/discover-saml-configs.md diff --git a/en/identity-server/next/docs/guides/authentication/oidc/add-back-channel-logout.md b/en/identity-server/next/docs/guides/authentication/oidc/add-back-channel-logout.md new file mode 100644 index 0000000000..1bac81a028 --- /dev/null +++ b/en/identity-server/next/docs/guides/authentication/oidc/add-back-channel-logout.md @@ -0,0 +1,4 @@ +{% set product_name = "WSO2 Identity Server" %} +{% set product_url_format = "https://localhost:9443" %} +{% set product_url_sample = "https://localhost:9443" %} +{% include "../../../../../../includes/guides/authentication/oidc/add-back-channel-logout.md" %} \ No newline at end of file diff --git a/en/identity-server/next/mkdocs.yml b/en/identity-server/next/mkdocs.yml index ddb79a6dc3..d50673037d 100644 --- a/en/identity-server/next/mkdocs.yml +++ b/en/identity-server/next/mkdocs.yml @@ -433,6 +433,7 @@ nav: - Validate tokens: guides/authentication/oidc/token-validation-resource-server.md - Revoke tokens: guides/authentication/oidc/revoke-tokens.md - Implement logout: guides/authentication/oidc/add-logout.md + - Implement back channel logout: guides/authentication/oidc/add-back-channel-logout.md - Configure SAML flows: - Configure SAML flows: guides/authentication/saml/index.md - Discover SAML endpoints and settings: guides/authentication/saml/discover-saml-configs.md 
diff --git a/en/includes/guides/authentication/oidc/add-back-channel-logout.md b/en/includes/guides/authentication/oidc/add-back-channel-logout.md new file mode 100644 index 0000000000..f58e13ea53 --- /dev/null +++ b/en/includes/guides/authentication/oidc/add-back-channel-logout.md 
@@ -0,0 +1,75 @@ + +{% if product_name == "WSO2 Identity Server" %} +# Implement back-channel logout + +Back-channel logout allows users to be logged out from a client application through direct communication of logout requests between the client application and the authorization server. + +## How it works + +The underlying message flow of OpenID Connect (OIDC) back-channel logout is as follows: + +1. A user logout is initiated by either the client application or the authorization server. +2. The authorization server identifies all client applications associated with the user's session. +3. The authorization server generates a logout token, a special JWT containing specific claims, and sends it with a logout request to the logout endpoints of the identified client applications. +4. Upon receiving the logout token, each client application validates it and then invalidates the corresponding user session. + +## Prerequisites +To get started, you need to: + +- [Register two OIDC application with {{ product_name }}]({{base_path}}/guides/applications/register-oidc-web-app/). Application names used in this guide are `Playground_app1` and `Playground_app2` + +- [Download two instances of the playground application](https://github.com/wso2/samples-is/releases/download/v4.5.2/playground2.war) as this guide uses the playground sample app. Rename the second file as `playground3.war`. + +- Configure the sample applications; + + 1. Copy the downloaded playground.war file into `/apache-tomcat-/webapps` folder. + 2. Start the Tomcat server. + 3. If required, update the `` parameters for the `serverUrl`, `username` and `password` in the `WEB-INF/web.xml` file. + 4. Restart the Tomcat server, if you have done any changes to the `WEB-INF/web.xml` file. + + +## Configure back-channel logout + +To configure back-channel logout: + +1. On the WSO2 Identity Server Console, go to **Applications** and select your OIDC application. +2. 
Go to the **Protocol** tab and enter the following URL as the **Back channel logout URL**. + + ``` + http://localhost:8080/playground2/bclogout + ``` + +3. Click **Update** to save your configurations. + +## Try it out + +1. Access the **Playgrpund_app1** application using the following URL: http://localhost:8080/playground2/. + +2. Click **Import Photos**. + +3. Enter the following details: + + | Field name | Value | + |-------------|-------| + | **Authorization Grant Type** | `Implicit` | + | **Client ID** | The OAuth Client ID received when registering the application in WSO2 Identity Server. | + | **Callback URL** | `http://localhost:8080/playground2/oauth2client` | + | **Authorize Endpoint** | `https://localhost:9443/oauth2/authorize` | + +4. Click **Authorize**. You will be redirected to the WSO2 Identity Server login page. + +5. Enter the credentials of your user account and click Sign In. You will now receive an ID Token. + +6. Access the **Playground_app2** application using the follwoing URL: http://localhost:8080/playground3/ + +7. Repeat steps 2-5 for **Playground_app2** application. + +8. Click **Logout** on one of the applications. You will be prompted to consent to the logout. + +9. Provide consent. You will receive confirmation of sucessful logout. + +10. Now, go to the other application and reload the page. Note that you are redirected to the login page of the playground application and you will see that the **Logged in user** has changed to `null`. + +You have successfully configured and tried out OIDC back-channel logout. You can check out the Tomcat logs on the terminal window to see the back-channel logout flow. + +{% endif %} \ No newline at end of file From 9b57e88153e7ecc0e345ec5e6f7f22fedcda171a Mon Sep 17 00:00:00 2001 From: wso2 Date: Tue, 21 May 2024 10:05:38 +0530 Subject: [PATCH 2/3] added implicit grant info --- .../authentication/oidc/add-back-channel-logout.md | 11 +++++++---- 1 file changed, 7 insertions(+), 4 deletions(-) 
diff --git a/en/includes/guides/authentication/oidc/add-back-channel-logout.md b/en/includes/guides/authentication/oidc/add-back-channel-logout.md index f58e13ea53..ad485875c2 100644 --- a/en/includes/guides/authentication/oidc/add-back-channel-logout.md +++ b/en/includes/guides/authentication/oidc/add-back-channel-logout.md @@ -33,14 +33,17 @@ To get started, you need to: To configure back-channel logout: 1. On the WSO2 Identity Server Console, go to **Applications** and select your OIDC application. -2. Go to the **Protocol** tab and enter the following URL as the **Back channel logout URL**. +2. Go to the **Protocol** tab and enter the following details: - ``` - http://localhost:8080/playground2/bclogout - ``` + | Field Name | Value | + |---------------|-------| + | Grant type | Implicit | + | Back channel logout URL | http://localhost:8080/playground2/bclogout | 3. Click **Update** to save your configurations. +Configure this for both `Playground_app1` and `Playground_app2`. + ## Try it out 1. Access the **Playgrpund_app1** application using the following URL: http://localhost:8080/playground2/. From 8521f00da14fe4a49c1cda5d0f78fb25a86c1d7f Mon Sep 17 00:00:00 2001 From: wso2 Date: Tue, 21 May 2024 11:24:42 +0530 Subject: [PATCH 3/3] added redirect links + minor updates --- en/identity-server/7.0.0/mkdocs.yml | 1 + en/identity-server/next/mkdocs.yml | 1 + .../oidc/add-back-channel-logout.md | 40 +++++++++++++------ 3 files changed, 30 insertions(+), 12 deletions(-) diff --git a/en/identity-server/7.0.0/mkdocs.yml b/en/identity-server/7.0.0/mkdocs.yml index f78d8eec3d..59ebd4b74e 100644 --- a/en/identity-server/7.0.0/mkdocs.yml +++ b/en/identity-server/7.0.0/mkdocs.yml 
@@ -43,6 +43,7 @@ plugins: 'guides/login/webapp-ws-federation.md': 'guides/authentication/enterprise-login/add-iwa-login.md' 'guides/login/sso-for-oidc.md': 'guides/authentication/enterprise-login/add-oidc-idp-login.md' 'guides/login/sso-for-saml.md': 'guides/authentication/enterprise-login/add-saml-idp-login.md' + 'guides/login/oidc-backchannel-logout.md': 'guides/authentication/oidc/add-back-channel-logout.md' 'guides/authentication/enterprise-login/index.md': 'guides/authentication/standard-based-login/index.md' 'guides/authentication/enterprise-login/add-oidc-idp-login.md': 'guides/authentication/standard-based-login/add-oidc-idp-login.md' 'guides/authentication/enterprise-login/add-saml-idp-login.md': 'guides/authentication/standard-based-login/add-saml-idp-login.md' diff --git a/en/identity-server/next/mkdocs.yml b/en/identity-server/next/mkdocs.yml index d50673037d..1121060a83 100644 --- a/en/identity-server/next/mkdocs.yml +++ b/en/identity-server/next/mkdocs.yml @@ -43,6 +43,7 @@ plugins: 'guides/login/webapp-ws-federation.md': 'guides/authentication/enterprise-login/add-iwa-login.md' 'guides/login/sso-for-oidc.md': 'guides/authentication/enterprise-login/add-oidc-idp-login.md' 'guides/login/sso-for-saml.md': 'guides/authentication/enterprise-login/add-saml-idp-login.md' + 'guides/login/oidc-backchannel-logout.md': 'guides/authentication/oidc/add-back-channel-logout.md' 'guides/authentication/enterprise-login/index.md': 'guides/authentication/standard-based-login/index.md' 'guides/authentication/enterprise-login/add-oidc-idp-login.md': 'guides/authentication/standard-based-login/add-oidc-idp-login.md' 'guides/authentication/enterprise-login/add-saml-idp-login.md': 'guides/authentication/standard-based-login/add-saml-idp-login.md' diff --git a/en/includes/guides/authentication/oidc/add-back-channel-logout.md b/en/includes/guides/authentication/oidc/add-back-channel-logout.md index ad485875c2..3a081eea88 100644 
--- a/en/includes/guides/authentication/oidc/add-back-channel-logout.md +++ b/en/includes/guides/authentication/oidc/add-back-channel-logout.md @@ -27,22 +27,31 @@ To get started, you need to: 3. If required, update the `` parameters for the `serverUrl`, `username` and `password` in the `WEB-INF/web.xml` file. 4. Restart the Tomcat server, if you have done any changes to the `WEB-INF/web.xml` file. - ## Configure back-channel logout -To configure back-channel logout: +- To configure back-channel logout for `Playground_app1`: + + 1. On the WSO2 Identity Server Console, go to **Applications** and select your OIDC application. + 2. Go to the **Protocol** tab and enter the following details: + + | Field Name | Value | + |---------------|-------| + | Grant type | Implicit | + | Back channel logout URL | http://localhost:8080/playground3/bclogout | -1. On the WSO2 Identity Server Console, go to **Applications** and select your OIDC application. -2. Go to the **Protocol** tab and enter the following details: + 3. Click **Update** to save your configurations. - | Field Name | Value | - |---------------|-------| - | Grant type | Implicit | - | Back channel logout URL | http://localhost:8080/playground2/bclogout | +- To configure back-channel logout for `Playground_app2`: -3. Click **Update** to save your configurations. + 1. On the WSO2 Identity Server Console, go to **Applications** and select your OIDC application. + 2. Go to the **Protocol** tab and enter the following details: -Configure this for both `Playground_app1` and `Playground_app2`. + | Field Name | Value | + |---------------|-------| + | Grant type | Implicit | + | Back channel logout URL | http://localhost:8080/playground2/bclogout | + + 3. Click **Update** to save your configurations. ## Try it out 
@@ -55,7 +64,7 @@ Configure this for both `Playground_app1` and `Playground_app2`. | Field name | Value | |-------------|-------| | **Authorization Grant Type** | `Implicit` | - | **Client ID** | The OAuth Client ID received when registering the application in WSO2 Identity Server. | + | **Client ID** | The OAuth Client ID received when registering the Playground_app1 in WSO2 Identity Server. | | **Callback URL** | `http://localhost:8080/playground2/oauth2client` | | **Authorize Endpoint** | `https://localhost:9443/oauth2/authorize` | @@ -65,7 +74,14 @@ Configure this for both `Playground_app1` and `Playground_app2`. 6. Access the **Playground_app2** application using the follwoing URL: http://localhost:8080/playground3/ -7. Repeat steps 2-5 for **Playground_app2** application. +7. Repeat steps 2-5 for **Playground_app2** application with the following values: + + | Field name | Value | + |-------------|-------| + | **Authorization Grant Type** | `Implicit` | + | **Client ID** | The OAuth Client ID received when registering the Playground_app2 in WSO2 Identity Server. | + | **Callback URL** | `http://localhost:8080/playground3/oauth2client` | + | **Authorize Endpoint** | `https://localhost:9443/oauth2/authorize` | 8. Click **Logout** on one of the applications. You will be prompted to consent to the logout.
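Review bot: in patch 1, hunk for `en/identity-server/7.0.0/docs/guides/authentication/oidc/add-back-channel-logout.md` (and the identical wrapper added under `en/identity-server/next/`): `product_url_format` and `product_url_sample` are set but the included page never uses them; it hardcodes `https://localhost:9443/oauth2/authorize` in the Try it out table while using `{{ product_name }}` for the product name. Either reference `{{ product_url_sample }}` in the include or drop the unused variables. Both new wrapper files also end without a trailing newline (`\ No newline at end of file`); add one.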
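Review bot: in patch 1, the nav hunks for `en/identity-server/7.0.0/mkdocs.yml` and `en/identity-server/next/mkdocs.yml` add the label `Implement back channel logout`, but the page heading is `Implement back-channel logout` and the page body hyphenates the term throughout. Use `- Implement back-channel logout: guides/authentication/oidc/add-back-channel-logout.md` in both files.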
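Review bot: in patch 1, hunk for `en/includes/guides/authentication/oidc/add-back-channel-logout.md`: the configuration section gives a single **Back channel logout URL** (`http://localhost:8080/playground2/bclogout`) although the prerequisites register two applications and the second instance runs at `playground3`, so `Playground_app2` would never receive a logout token; each application needs its own URL. In the same hunk: the prerequisites tell the reader to copy `playground.war` although the downloaded files are `playground2.war` and `playground3.war`; `/apache-tomcat-/webapps` and the empty `` code span in step 3 have lost their placeholder text; "Register two OIDC application" should be "applications"; and `Playgrpund_app1`, `follwoing` and `sucessful` are typos. Step 4 of "How it works" says each client validates the logout token but the page never says what that validation covers; a sentence listing the checks, or a link to the OpenID Connect Back-Channel Logout specification, would help readers implementing their own client rather than running the sample.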
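Review bot: in patch 2, hunk for `en/includes/guides/authentication/oidc/add-back-channel-logout.md`: the added sentence "Configure this for both `Playground_app1` and `Playground_app2`." tells the reader to set the same **Back channel logout URL** `http://localhost:8080/playground2/bclogout` on both applications, but the Try it out section accesses `Playground_app2` at `http://localhost:8080/playground3/`, so the second application's endpoint is `http://localhost:8080/playground3/bclogout` and the table needs a per-application value. The new table also enables the `Implicit` grant type without saying why; state that the playground sample's flow uses the implicit grant (as the **Authorization Grant Type** row in Try it out shows) so readers do not take it as the recommended setting for their own applications. Minor: put the table values in backticks as the Try it out table does, and use `Field name` consistently.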
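Review bot: in patch 3, first hunk for `en/includes/guides/authentication/oidc/add-back-channel-logout.md`: the per-application URLs are swapped. `Playground_app1` is given `http://localhost:8080/playground3/bclogout` and `Playground_app2` is given `http://localhost:8080/playground2/bclogout`, yet the Try it out section accesses `Playground_app1` at `http://localhost:8080/playground2/` with callback `http://localhost:8080/playground2/oauth2client` and `Playground_app2` at `http://localhost:8080/playground3/`. As written, the logout token issued for one application is posted to the other instance's endpoint; swap the two URLs. Step 1 of each block still says "select your OIDC application"; since the two blocks are otherwise identical, name the application to select (`Playground_app1` and `Playground_app2` respectively).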
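Review bot: in patch 3, second hunk for `en/includes/guides/authentication/oidc/add-back-channel-logout.md`: "registering the Playground_app1 in WSO2 Identity Server" reads awkwardly and the application names are not in code font as elsewhere on the page; use "registering `Playground_app1` with WSO2 Identity Server" and the same for `Playground_app2` in the step 7 table. The step 7 table confirms that `Playground_app2` runs at `playground3` (callback `http://localhost:8080/playground3/oauth2client`), which contradicts the **Back channel logout URL** `http://localhost:8080/playground2/bclogout` assigned to it in the configuration section of the same patch.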