OpenID Connect logout

The new 4.7 release of the OAuth 2.0 / OpenID Connect SDK adds support for making logout requests, as specified in section 5 of the OpenID Connect Session Management 1.0 document (draft 22).

Note that relying-party-initiated logout is optional and will not work unless the OpenID Connect provider supports it. Support is typically advertised in the JSON metadata that the IdP server publishes at its discovery endpoint (look for an end-session endpoint there before sending the user's browser to it).

The logout request serves two purposes:

  • To notify the OpenID Connect provider that the end-user has logged out of the relying party site (the client application).

  • To give the OpenID Connect provider the opportunity to ask the end-user whether they want to log out of the provider as well.

Logout works by directing the user's browser to the end-session endpoint of the OpenID Connect provider, with the logout request parameters encoded in the URL query string.

The identity of the user to log out is specified by their ID token (obtained at login), set in the id_token_hint parameter.

For example:

https://c2id.com/logout?id_token_hint=eyJhbGciOiJSUzI1NiJ9.eyJpc3Mi...

The relying party may also specify a post-logout redirection URI (which must have been registered, see the client registration spec for more details) with an optional state parameter:

https://c2id.com/logout?id_token_hint=eyJhbGciOiJSUzI1NiJ9.eyJpc3Mi...
&post_logout_redirect_uri=https%3A%2F%2Fclient.example.org%2Fpost-logout
&state=af0ifjsldkj

To construct a simple logout request with the SDK:

import java.net.URI;
import java.net.URISyntaxException;
import java.text.ParseException;
import com.nimbusds.jwt.JWT;
import com.nimbusds.jwt.JWTParser;
import com.nimbusds.openid.connect.sdk.LogoutRequest;

// Composes the logout URI for the end-user identified by the serialised ID
// token obtained at login; the caller then sends the browser to that URI
URI createLogoutURI(String serialisedIdToken) throws ParseException, URISyntaxException {

    // The end-session endpoint
    URI endSessionEndpoint = new URI("https://c2id.com/logout");

    // The previously obtained ID token for the end-user (becomes id_token_hint)
    JWT idToken = JWTParser.parse(serialisedIdToken);

    // Create logout request
    LogoutRequest logoutRequest = new LogoutRequest(endSessionEndpoint, idToken);

    // Compose URI
    return logoutRequest.toURI();
}

To construct a logout request with a post-logout redirection (and no state):

import java.net.URI;
import java.net.URISyntaxException;
import java.text.ParseException;
import com.nimbusds.jwt.JWT;
import com.nimbusds.jwt.JWTParser;
import com.nimbusds.openid.connect.sdk.LogoutRequest;

// Composes the logout URI with a post-logout redirection and no state; the
// caller then sends the browser to that URI
URI createLogoutURI(String serialisedIdToken) throws ParseException, URISyntaxException {

    // The end-session endpoint
    URI endSessionEndpoint = new URI("https://c2id.com/logout");

    // The previously obtained ID token for the end-user (becomes id_token_hint)
    JWT idToken = JWTParser.parse(serialisedIdToken);

    // The post-logout redirection URL (must be registered for this client)
    URI postLogoutTarget = new URI("https://client.example.com/login");

    // Create logout request; the last argument is the optional state, here omitted
    LogoutRequest logoutRequest = new LogoutRequest(endSessionEndpoint, idToken, postLogoutTarget, null);

    // Compose URI
    return logoutRequest.toURI();
}
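As an added example (not code from this post or from the SDK's own documentation), the same request with the optional state parameter: the value is generated with the SDK's State class, remembered in the relying party's session, and checked when the browser comes back to the post-logout redirect URI. The session Map and the attribute name are assumptions standing in for a real HTTP session.

```java
import java.net.URI;
import java.util.Map;
import com.nimbusds.jwt.JWT;
import com.nimbusds.jwt.JWTParser;
import com.nimbusds.oauth2.sdk.id.State;
import com.nimbusds.openid.connect.sdk.LogoutRequest;

public class LogoutWithState {

    // Session attribute under which the pending logout state is kept
    // (hypothetical name; any per-session server-side store will do)
    static final String LOGOUT_STATE_ATTR = "oidc.logout.state";

    // Builds the logout URI, binding a fresh random state to the RP session
    static URI createLogoutURI(Map<String, Object> session, String serialisedIdToken)
            throws Exception {

        // The end-session endpoint of the OpenID Connect provider
        URI endSessionEndpoint = new URI("https://c2id.com/logout");

        // Must match a post-logout redirect URI registered for this client
        URI postLogoutTarget = new URI("https://client.example.com/post-logout");

        // The ID token obtained at login identifies the user to log out
        JWT idToken = JWTParser.parse(serialisedIdToken);

        // Random state, remembered server-side so the return can be matched
        State state = new State();
        session.put(LOGOUT_STATE_ATTR, state);

        return new LogoutRequest(endSessionEndpoint, idToken, postLogoutTarget, state).toURI();
    }

    // Handles the browser arriving at the post-logout redirect URI: the return
    // is accepted only if the state this session issued comes back; the stored
    // state is consumed either way, so it can be used once
    static boolean isExpectedLogoutReturn(Map<String, Object> session, String returnedState) {
        Object pending = session.remove(LOGOUT_STATE_ATTR);
        if (!(pending instanceof State) || returnedState == null) {
            return false;
        }
        return pending.equals(new State(returnedState));
    }
}
```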

Now that support for logout has been added to the OpenID Connect SDK, the Connect2id server will follow suit in one of its next releases.

To get the JAR for version 4.7 of the OpenID Connect SDK proceed to the download page.

If you're using Maven for your project:

<dependency>
    <groupId>com.nimbusds</groupId>
    <artifactId>oauth2-oidc-sdk</artifactId>
    <version>4.7</version>
</dependency>

Drop us a comment below or alternatively write to support should you have any questions about logout usage or OpenID Connect in general. We'll be glad to help you out.