By: Philip Feliprada user 26 Feb 2018 at 6:48 a.m. CST

4 Responses
My scenario: I have multiple apps and I am able to log out by calling https://gluu.alliance.com.ph/oxauth/restv1/end_session?id_token=[id_token], and everything works fine; every page logs out as expected.

Desired output: When I log out in one of my apps, let's say App-A, I would also like to force logout of my other apps, let's say App-B and App-C, as well. For example, I log out in App-A, then I access some screens in App-B: I must be redirected to Gluu's login page directly, and I must be unable to access some screens in App-B because I already logged out in App-A.

I have read these articles but still can't get things to work on my side:

- http://openid.net/specs/openid-connect-frontchannel-1_0.html
- https://gluu.org/docs/ce/3.1.2/operation/logout/
- https://support.gluu.org/single-sign-on/4128/front-channel-logout-uri-for-slo/
- https://support.gluu.org/single-sign-on/4117/single-logout/

I saw this line said by Yuriy Zabrovarnyy: "From here if app-A calls /end_session endpoint it returns html page with iframes which loads all frontchannel_logout_uri and force to logout app-B too (and all other apps that take part in this SSO session)".

Which led me to my questions, which are:

- How does frontchannel_logout_uri work? (More detailed than the posted explanation, if ever.. :D)
- How can I implement it with my clients in Gluu? (Is it simply adding a URI in the frontchannel_logout_uri field?)
- Does implementing frontchannel_logout_uri help me achieve my desired output?

Btw, I have registered a "Post Logout Redirect URIs" and my apps get redirected correctly after calling /end_session.

Regards, Philip

By Aliaksandr Samuseu staff 26 Feb 2018 at 6:51 p.m. CST

Hi, Philip.

> I saw this line said by Yuriy Zabrovarnyy "From here if app-A calls /end_session endpoint it returns html page with iframes which loads all frontchannel_logout_uri and force to logout app-B too (and all other apps that take part in this SSO session)".

That's a good summary of the process. As you mentioned you've read the spec itself, I'm not sure what else to add here. All your apps must support the spec for the whole thing to work. When a user initiates logout at one of those apps, it will first have to send them for logout to Gluu, the way you described at the beginning of your post:

> I am able to logout by calling https://gluu.alliance.com.ph/oxauth/restv1/end_session?id_token=[id_token]

When the user's session at Gluu is explicitly terminated this way, at some point the user will be redirected to a special page with an iframe containing logout url(s) for OIDC client(s) which registered their "Front Channel Logout URI" at Gluu (thus notifying Gluu they support this spec and want to utilize it). Here is an example source code of that page:

```
<!DOCTYPE html><html><head><script>window.onload=function() {window.location='http://oidc-js.site:5000/user-manager-sample.html?state=90689c938f8140c6b53da53e25c4abfb'}</script><title>Gluu Generated logout page</title></head><body>Logout requests sent.<br/><iframe height="0" width="0" src="http://oidc-js.site:5000/user-manager-sample-logout-fake-url.html?sid=3c510a9b-9425-4b83-9e93-8538a3a49c7e"></iframe></body></html>
```

If there are several such clients, this page will contain several logout urls, and they all will be requested by the user's browser. From the moment "http://oidc-js.site:5000/user-manager-sample-logout-fake-url.html?sid=3c510a9b-9425-4b83-9e93-8538a3a49c7e" is requested by the user's browser, it's the responsibility of the RP to end the user's session there.

Please note we don't provide support for custom client development, but you can find more details in the spec you mentioned.
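What the RP has to do when its `frontchannel_logout_uri` is loaded in the iframe described above, as an added example that is not part of the original thread or Gluu's code: find the local sessions tied to the `sid` query parameter and end them. It assumes the RP saved the `sid` claim from the ID token at login; `SessionStore`, `handle_frontchannel_logout` and the issuer value are hypothetical names.

```python
from urllib.parse import parse_qs

# Constructed issuer for the example; use your provider's issuer value.
EXPECTED_ISSUER = "https://idp.example.test"

# Response headers the front-channel logout spec recommends so the
# logout request is never answered from a cache.
NO_CACHE = {"Cache-Control": "no-cache, no-store", "Pragma": "no-cache"}


class SessionStore:
    """In-memory RP session store indexed by the OP session id (sid)."""

    def __init__(self):
        self._sessions = {}  # local session id -> {"user": ..., "sid": ...}
        self._by_sid = {}    # OP sid -> set of local session ids

    def create(self, local_id, user, sid):
        # sid comes from the ID token's "sid" claim at login (assumption).
        self._sessions[local_id] = {"user": user, "sid": sid}
        self._by_sid.setdefault(sid, set()).add(local_id)

    def is_active(self, local_id):
        return local_id in self._sessions

    def end_by_sid(self, sid):
        # Remove every local session created from this OP session.
        ended = self._by_sid.pop(sid, set())
        for local_id in ended:
            self._sessions.pop(local_id, None)
        return len(ended)


def handle_frontchannel_logout(query_string, store, expected_issuer=EXPECTED_ISSUER):
    """Handle GET <frontchannel_logout_uri>?sid=...[&iss=...].

    Returns (status, headers, number_of_sessions_ended).
    """
    params = parse_qs(query_string)
    sid = params.get("sid", [""])[0]
    iss = params.get("iss", [None])[0]
    if not sid:
        return 400, NO_CACHE, 0  # nothing to match a session against
    if iss is not None and iss != expected_issuer:
        return 400, NO_CACHE, 0  # logout request names a different issuer
    # An unknown sid still returns 200: repeating a logout is harmless.
    return 200, NO_CACHE, store.end_by_sid(sid)
```

Looking sessions up by `sid` on the server, rather than by the RP's own cookie, matters because the iframe request is cross-site and the browser may not attach that cookie.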

By Philip Feliprada user 26 Feb 2018 at 8:15 p.m. CST

Thank you for your kind response!

If my understanding is correct, this is your Post Logout Redirect URI ('http://oidc-js.site:5000/user-manager-sample.html?state=90689c938f8140c6b53da53e25c4abfb') and this is the frontchannel_logout_uri (http://oidc-js.site:5000/user-manager-sample-logout-fake-url.html?sid=3c510a9b-9425-4b83-9e93-8538a3a49c7e) you registered in one of your clients.

So if I request "https://gluu.alliance.com.ph/oxauth/restv1/end_session?id_token=[id_token]", the user will be redirected to a special page which may look like this:

```
<!DOCTYPE html><html><head><script>window.onload=function() {window.location='http://oidc-js.site:5000/user-manager-sample.html?state=90689c938f8140c6b53da53e25c4abfb'}</script><title>Gluu Generated logout page</title></head><body>Logout requests sent.<br/><iframe height="0" width="0" src="http://oidc-js.site:5000/user-manager-sample-logout-fake-url.html?sid=3c510a9b-9425-4b83-9e93-8538a3a49c7e"></iframe></body></html>
```

before the user is redirected to the Post Logout Redirect URI. (As of now, in my progress I'm currently here. I also saw this "Gluu Generated logout page" before going to my post logout redirect URI, but back then I had no idea what it was :D)

To continue: so these frontchannel_logout_uri which are in iframes are the ones responsible for telling Gluu that the user has logged out in the app, then Gluu will force logout the other applications? Is that how frontchannel_logout_uri works? But I tried not putting a frontchannel_logout_uri in one of the clients and the session still got ended.

Correct me if I'm wrong, because I'm quite confused about what the purpose of frontchannel_logout_uri is. Hoping for your patience.

By Philip Feliprada user 22 Mar 2018 at 2:20 a.m. CDT

Hi guys, I was able to find a way to implement my desired logout flow. Thanks for the support! Will close this ticket now.

By Modjo Kamneng user 19 Jun 2019 at 1:56 p.m. CDT

Hi Philip, I'm evaluating Gluu for our SSO and I'm having a hard time figuring out the best way to implement the logout as in your scenario! Would you mind sharing how you ended up implementing it? Thank you, Modjo