By: Stephen LAI user 22 May 2017 at 2:37 a.m. CDT

5 Responses
I have two applications (App-A and App-B) using a Gluu server for Single Sign On with OpenID Connect. When a user logs out the first application (App-A), the application uses the link https://gluu.appcara.com/oxauth/seam/resource/restv1/oxauth/end_session?id_token_hint=[id_token] to log out the Gluu server also. I wonder what is the advised approach to log out the second application (App-B) at the same time. I have visited the web page "Single Logout (SLO)" (https://gluu.org/docs/ce/latest/operation/logout/). However, I have not yet found what I should do.

By Yuriy Zabrovarnyy staff 22 May 2017 at 2:59 a.m. CDT

Please look at the front-channel logout spec: http://openid.net/specs/openid-connect-frontchannel-1_0.html

Basically, both app-A and app-B should register a `frontchannel_logout_uri`. If this URI is called, the application must log itself out (clear state). From here, if app-A calls the /end_session endpoint, it returns an HTML page with iframes which load all `frontchannel_logout_uri`s and force app-B to log out too (and all other apps that take part in this SSO session).

By Stephen LAI user 22 May 2017 at 3:36 a.m. CDT

Thanks for the reply from Yuriy. At the time I studied the web page "Single Logout (SLO)" (https://gluu.org/docs/ce/latest/operation/logout/), I had already read "OpenID Connect Front-Channel Logout 1.0 - draft 02" (http://openid.net/specs/openid-connect-frontchannel-1_0.html) and "OpenID Connect Session Management 1.0 - draft 28" (http://openid.net/specs/openid-connect-session-1_0.html). However, I just cannot work out how App-A gets the logout URL of App-B in order to log it out also. Moreover, the Front Channel Logout URIs of the applications have been registered with the Gluu server (this has been double confirmed with oxTrust).

By Yuriy Zabrovarnyy staff 22 May 2017 at 3:48 a.m. CDT

Workflow is as follows:

- app-A - registers frontchannel_logout_uri_1
- app-B - registers frontchannel_logout_uri_2
- app-A - login to AS
- app-B - login to AS (SSO)
- app-A - calls /end_session
- AS - returns back HTML with iframes where each iframe points to all frontchannel_logout_uris within this session, in our case it is `frontchannel_logout_uri_1` and `frontchannel_logout_uri_2`
- browser loads HTML (with all iframes, which means that it calls `frontchannel_logout_uri_1` and `frontchannel_logout_uri_2`)

app-A does not know anything about `frontchannel_logout_uri_2`, it just calls the `/end_session` endpoint and it's the responsibility of the AS to track it and return the correct HTML page with iframes (once an iframe is loaded, it means that `frontchannel_logout_uri_2` is called and app-B must log itself out).

I hope it is more clear now.

Thanks,
Yuriy
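
The workflow described above, as an added Python example that is not part of the original thread or Gluu's own code: a toy AS records which clients joined an SSO session and answers /end_session with one iframe per registered `frontchannel_logout_uri`, and each RP's logout handler clears only a session it actually holds. The issuer, URIs and session id are constructed, and the `iss` and `sid` query parameters are taken from the Front-Channel Logout spec rather than from the thread.

```python
import html
import re
from urllib.parse import urlencode, urlsplit, parse_qsl

ISSUER = "https://as.example"  # constructed issuer, not from the thread

class AuthServer:
    def __init__(self):
        self.logout_uris = {}  # client_id -> registered frontchannel_logout_uri
        self.sessions = {}     # sid -> client_ids logged in under this SSO session
    def register(self, client_id, frontchannel_logout_uri):
        self.logout_uris[client_id] = frontchannel_logout_uri
    def login(self, sid, client_id):
        self.sessions.setdefault(sid, set()).add(client_id)
    def end_session(self, sid):
        # One iframe per RP in the session; the caller never learns the other URIs.
        query = urlencode({"iss": ISSUER, "sid": sid})
        srcs = [f"{self.logout_uris[c]}?{query}" for c in sorted(self.sessions.pop(sid, set()))]
        frames = "".join('<iframe src="%s"></iframe>' % html.escape(s) for s in srcs)
        return f"<html><body>{frames}</body></html>"

class RelyingParty:
    def __init__(self):
        self.local_sessions = set()  # sids with a live local login
    def frontchannel_logout(self, params):
        # Clear state only for our issuer and a session we actually hold.
        if params.get("iss") != ISSUER or params.get("sid") not in self.local_sessions:
            return 400
        self.local_sessions.discard(params["sid"])
        return 200

def browser_load(page, routes):
    # Stand-in for the browser: request every iframe src, dispatch to the owning RP.
    statuses = {}
    for src in re.findall(r'<iframe src="([^"]*)"', page):
        url = urlsplit(html.unescape(src))
        base = f"{url.scheme}://{url.netloc}{url.path}"
        statuses[base] = routes[base].frontchannel_logout(dict(parse_qsl(url.query)))
    return statuses

def run_workflow():
    server = AuthServer()
    routes = {"https://app-a.example/logout": RelyingParty(),
              "https://app-b.example/logout": RelyingParty()}
    for client_id, (uri, rp) in zip(("app-A", "app-B"), routes.items()):
        server.register(client_id, uri)
        server.login("sid-123", client_id)
        rp.local_sessions.add("sid-123")
    return browser_load(server.end_session("sid-123"), routes), routes
```

In a real deployment the RP's logout response must be allowed to render inside the AS's iframe and should not be cached.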

By Stephen LAI user 22 May 2017 at 3:54 a.m. CDT

Thanks for further information provided by Yuriy. I shall further test it according to the newly provided information.

By Stephen LAI user 24 May 2017 at 1:50 a.m. CDT

Thanks for further information provided by Yuriy. I can now get things done.