TODO: under construction
File(s): conf/relying-party.xml, conf/oidc.properties
Format: Native Spring, Spring Properties
Overview
Since OP version 4.1, the OIDC.Logout profile configuration bean enables support for the OIDC logout specifications, which cover two halves:
...
As with SAML logout, the propagation step works the same way regardless of how the logout is initiated (see LogoutConfiguration).
Configuration
Profile configurations
In addition to the OIDC.Logout bean, make sure the OAUTH2.Revocation bean is also enabled so that tokens can be revoked during the logout process (see the documentation for the revokeTokens property below).
Required IdP properties
As with SAML logout, the following global configuration properties need to be set to true:
...
Options specific to the OIDC Logout flow:

| Name | Type | Description |
|---|---|---|
| encryptionOptional | Boolean | Whether to automatically disable back-channel logout token encryption if the relying party does not possess a suitable key (defaults to true). |
| preferFrontChannel | Boolean | Whether to prefer front-channel logout propagation if both front-channel and back-channel URIs are defined in the RP metadata (defaults to true). |
| frontChannelSuccess | Boolean | Whether to consider front-channel logout propagation a success in the propagation UI (defaults to false). |
| revokeTokens | Boolean | Whether to revoke the access and refresh tokens related to the session (defaults to true). Note that the OAUTH2.Revocation profile must be enabled for the RP. |
| requireIdTokenHint | Boolean | Whether to require the id_token_hint parameter in the RP-initiated logout request. |
| logoutHintMatchingStrategy | BiPredicate<String, SPSession> | A bi-predicate for matching the logout_hint parameter against an SPSession (defaults to always returning false). |
The following properties can be used to globally control the settings above:

- TODO property 1
- TODO property 2
- idp.oidc.logout.encryptionOptional
- idp.oidc.logout.preferFrontChannel
- idp.oidc.logout.frontChannelSuccess
- idp.oidc.logout.revokeTokens
- idp.oidc.logout.requireIdTokenHint
- idp.oidc.logout.logoutHintMatchingStrategy
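The following relying-party.xml fragment is an added example (not taken from the OP plugin's own distribution) of enabling the OIDC.Logout profile alongside OAUTH2.Revocation, first with defaults for all RPs and then with stricter settings for one RP; the relying party ID, the OIDC.SSO and OIDC.UserInfo beans and the surrounding bean structure are assumptions of the example.

```xml
<!-- Added example: conf/relying-party.xml (assumed bean layout, not the plugin's own file) -->
<beans xmlns="http://www.springframework.org/schema/beans"
       xmlns:p="http://www.springframework.org/schema/p"
       xmlns:c="http://www.springframework.org/schema/c">

    <!-- Defaults for every relying party: OIDC.Logout with the documented defaults
         (revokeTokens=true), which only has an effect because OAUTH2.Revocation
         is enabled in the same list. -->
    <bean id="shibboleth.DefaultRelyingParty" parent="RelyingParty">
        <property name="profileConfigurations">
            <list>
                <bean parent="OIDC.SSO" />
                <bean parent="OIDC.UserInfo" />
                <bean parent="OAUTH2.Revocation" />
                <bean parent="OIDC.Logout" />
            </list>
        </property>
    </bean>

    <!-- Override for a single RP (placeholder client ID): require id_token_hint in
         RP-initiated logout requests and prefer back-channel propagation even if
         the RP metadata also lists a front-channel URI. -->
    <bean parent="RelyingPartyByName" c:relyingPartyIds="https://rp.example.org/client">
        <property name="profileConfigurations">
            <list>
                <bean parent="OIDC.SSO" />
                <bean parent="OAUTH2.Revocation" />
                <bean parent="OIDC.Logout"
                      p:requireIdTokenHint="true"
                      p:preferFrontChannel="false" />
            </list>
        </property>
    </bean>

</beans>
```

The same two settings can instead be applied to all RPs by setting idp.oidc.logout.requireIdTokenHint and idp.oidc.logout.preferFrontChannel in conf/oidc.properties; the per-RP p: attributes take precedence over those global values.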
The global bean shibboleth.oidc.logout.LogoutTokenTypeLookupStrategy (Function<MessageContext, String>) can be defined to replace the default logic for naming back-channel logout tokens. By default their type is always logout+jwt, as recommended by the specification.