juanifioren / django-oidc-provider

OpenID Connect and OAuth2 provider implementation for Djangonauts.
http://django-oidc-provider.readthedocs.org
MIT License

Back-Channel Logout specification #325

Open herchila opened 5 years ago

herchila commented 5 years ago

Hi!

Is there any possibility to implement Back-Channel Logout? https://openid.net/specs/openid-connect-backchannel-1_0.html

Cheers, Hernán

karambir commented 5 years ago

A simple but working implementation is done by me here https://github.com/karambir/django-oidc-provider

I am using that package with this OIDC client: https://github.com/karambir/mozilla-django-oidc

Back-channel logout basically needs to store something to identify the session so that clients can also log out on their side. For Django it is a little bit tricky. I am doing the following:

  1. On the OP side, each token issued has a session id (sid) associated with it when created.
  2. On the RP side, each session has the id_token saved in it.
  3. When a logout occurs (it can be initiated by the OP or one RP), the OP collects all the Token objects associated with that session id, and from there all clients are collected with their related session ids. The initial RP which called logout and other RPs which do not support backchannel_logout_uri are excluded from this.
  4. For each client, we create logout tokens and requests are made to all the RPs.
  5. On the RP side, it just saves the id_token in a Redis data structure called logged_out_op_tokens. It does not log out at that time.
  6. Now for each request at the RP, we check the session with middleware, and if it has an id_token saved in it and that token is also in the Redis logged_out_op_tokens, then the RP logs out.

The above two packages are complete; you just have to implement the do_back_channel_logout function for points 3 and 4 and add it to the OIDC provider setting OIDC_AFTER_END_SESSION_HOOK.

Though these are being used at two OPs with medium to high traffic and more than 5 clients each, I think we can find better ways to do back-channel logout with Django. (Also, the spec is still not stable and it needs a lot of context on how your user sessions are being managed, so I never made a PR here.)
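As an added illustration of steps 4 to 6 above (not code from django-oidc-provider or from karambir's fork), the following stdlib-only Python builds the Logout Token the OP sends, performs the RP-side checks the Back-Channel Logout spec requires before a sid is trusted (signature, iss/aud, iat, the backchannel-logout events claim, no nonce, sid or sub present, jti not replayed), and shows the middleware decision. It assumes an HS256 token signed with a shared client secret, and every issuer, client id, sid and jti value is constructed for the example.

```python
import base64
import hashlib
import hmac
import json

BACKCHANNEL_EVENT = "http://schemas.openid.net/event/backchannel-logout"

def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def _unb64url(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def make_logout_token(key, issuer, client_id, sid, jti, now, extra_claims=None):
    """OP side (step 4): HS256 Logout Token; extra_claims exists only to construct bad tokens."""
    claims = {"iss": issuer, "aud": client_id, "iat": now, "jti": jti, "sid": sid,
              "events": {BACKCHANNEL_EVENT: {}}, **(extra_claims or {})}
    head = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    body = _b64url(json.dumps(claims).encode())
    sig = hmac.new(key, f"{head}.{body}".encode(), hashlib.sha256).digest()
    return f"{head}.{body}.{_b64url(sig)}"

def validate_logout_token(token, key, issuer, client_id, seen_jti, now, max_age=300):
    """RP side (step 5): verify the token and return its sid; seen_jti is the replay cache."""
    head, body, sig = token.split(".")  # wrong part count raises ValueError on unpack
    expected = hmac.new(key, f"{head}.{body}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _unb64url(sig)):  # verify before trusting any claim
        raise ValueError("bad signature")
    if json.loads(_unb64url(head)).get("alg") != "HS256":  # refuse alg=none / alg confusion
        raise ValueError("unexpected alg")
    claims = json.loads(_unb64url(body))
    aud = claims.get("aud")
    if claims.get("iss") != issuer or client_id not in (aud if isinstance(aud, list) else [aud]):
        raise ValueError("wrong iss or aud")
    if not isinstance(claims.get("iat"), int) or abs(now - claims["iat"]) > max_age:
        raise ValueError("iat missing or stale")
    if not isinstance(claims.get("events"), dict) or BACKCHANNEL_EVENT not in claims["events"]:
        raise ValueError("not a back-channel logout event")
    if "nonce" in claims:  # a Logout Token must never carry a nonce (keeps it distinct from an ID Token)
        raise ValueError("nonce present")
    if not (claims.get("sid") or claims.get("sub")):
        raise ValueError("neither sid nor sub present")
    if not claims.get("jti") or claims["jti"] in seen_jti:
        raise ValueError("missing or replayed jti")
    seen_jti.add(claims["jti"])
    return claims.get("sid")

def should_force_logout(session_sid, logged_out_sids):  # middleware decision from step 6
    return session_sid is not None and session_sid in logged_out_sids
```

In a deployment the sid set and the jti cache would live in a shared store such as Redis, as the comment above describes, so every web worker sees the same logout state.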