OpenID Connect Logout URL Redirection
WSO2 Identity Server allows you to construct a logout URL so that an application can redirect to a particular logout page when the relying party (RP) sends an OpenID Connect (OIDC) logout request.
Follow the steps below to send an OIDC logout request:
Tip
An OIDC logout request is generally a GET request (i.e., you construct a URL with the necessary parameters and perform a redirection). However, there can be instances where you cannot use a GET request as the OIDC logout request, for example when the generated id_token exceeds the maximum character limit of the URL and the browser truncates it. In such instances, you can send the logout request as a POST request using an automatically submitting HTML form. To understand how you can send an OIDC logout request as a POST request, see Sending a POST request as the OIDC logout request.
1. Download and install WSO2 Identity Server. For detailed information on how to install WSO2 IS, see Installing the Product.
2. Access the Management Console via https://localhost:9443/carbon/.
3. Navigate to Service Providers > List and edit the service provider that you created for the OAuth2 application.
4. Edit the Callback URL field and enter a logout URL along with the callback URL that you defined when you created the service provider. You can specify multiple callback URLs using a regex pattern as follows:
   regexp=(callback_url|logout_url)
   Example
   regexp=(http://localhost:8080/playground2/oauth2client|http://localhost:8080/playground2/logout)
5. Use the following cURL command to retrieve the id_token using the client id, client secret, and authorization code:
   curl -k -v --user <client_id>:<client_secret> -d "grant_type=authorization_code&code=<authorization_code>&redirect_uri=http://localhost:8080/playground2/oauth2client" https://localhost:9443/oauth2/token
   Example
   curl -k -v --user IaWVc3g4eemSnbWwekBg79xudZMa:PL9PxKPqGZxkpJ8X8u7g8pA_ruoa -d "grant_type=authorization_code&code=ac1b2e9e-d8d0-3f42-bdd4-dc7aab45b5dc&redirect_uri=http://localhost:8080/playground2/oauth2client" https://localhost:9443/oauth2/token
6. Use the retrieved id_token in the following URL to log out from the identity provider and redirect to a URL in the RP:
   https://localhost:9443/oidc/logout?id_token_hint=<id_token>&post_logout_redirect_uri=<redirect URI>&state=<state>
Following are the parameters you need to specify in the URL:

Parameter: idp_url
Description: The OIDC logout endpoint URL.
Required: Yes

Parameter: id_token_hint
Description: The id_token returned by the identity provider.
Required: Yes

Parameter: post_logout_redirect_uri
Description: The URL to be redirected to when logging out. The value defined here should be the same as the callback URI of the client application. If you do not specify a value for the post_logout_redirect_uri parameter, users are redirected to the default logout success page of WSO2 Identity Server.
Required: Yes

Parameter: state
Description: The parameter passed from the application to the identity provider to maintain any state information. This is used to correlate the logout requests and responses. If the state parameter is defined as state_1, the logout request and response both have state_1 in them. This makes it easy for the client to identify the request and responses.
Required: No

Example
https://localhost:9443/oidc/logout?id_token_hint=eyJ4NXQiOiJObUptT0dVeE16WmxZak0yWkRSaE5UWmxZVEExWXpkaFpUUmlPV0UwTldJMk0ySm1PVGMxWkEiLCJraWQiOiJkMGVjNTE0YTMyYjZmODhjMGFiZDEyYTI4NDA2OTliZGQzZGViYTlkIiwiYWxnIjoiUlMyNTYifQ.eyJhdF9oYXNoIjoiWVZwM3JsX21vOThvVURveUMyNVJQZyIsInN1YiI6ImFkbWluIiwiYXVkIjpbIklhV1ZjM2c0ZWVtU25iV3dla0JnNzl4dWRaTWEiXSwiYXpwIjoiSWFXVmMzZzRlZW1TbmJXd2VrQmc3OXh1ZFpNYSIsImF1dGhfdGltZSI6MTUwNDU5NDUyNCwiaXNzIjoiaHR0cHM6XC9cL2xvY2FsaG9zdDo5NDQzXC9vYXV0aDJcL3Rva2VuIiwiZXhwIjoxNTA0NTk4MTUxLCJpYXQiOjE1MDQ1OTQ1NTF9.KfLa7_QkhJ3yZ1gfv6ZVh6bNkeQB1wUVp914Ek4MVnS-kXkJvBBqe6wqamp3RezNgRxsW59M-GKJUymJjalBGHPu3IglyssiubWOlXlAtkAL13n3B1tpWYwbkgkarI5elmxTwRU4yqsCRbu4T77sWmiIhTtnPEEyBMkhuQioU68&post_logout_redirect_uri=http://localhost:8080/playground2/logout&state=state_1
Sending a POST request as the OIDC logout request
Let's take a look at a sample scenario to understand how to send an OIDC logout request as a POST request.
Consider a scenario where a service provider builds an HTML page with the required parameters and renders it in a browser. In this scenario, the OIDC logout request is sent to the logout endpoint as a POST request.
Following is a sample HTML form with the parameters you need to specify when you send an OIDC logout request as a POST request:
<html>
<body>
<p>OIDC_LOGOUT_POST</p>
<form method='post' action='$idp_url'>
<input type='hidden' name='id_token_hint' value='$id_token'/>
<input type='hidden' name='post_logout_redirect_uri' value='$callback'/>
<input type='hidden' name='state' value='$state'/>
<button type='submit'>POST</button>
</form>
<script type='text/javascript'>
document.forms[0].submit();
</script>
</body>
</html>
For descriptions of all the parameters that you need to specify in the POST request, see the parameter descriptions given above.
Following is the sample HTML form with sample parameter values to render the page in a browser:
<html>
<body>
<p>OIDC_LOGOUT_POST</p>
<form method='post' action='https://localhost:9443/oidc/logout'>
<p>
<input type='hidden' name='id_token_hint' value='eyJ4NXQiOiJObUptT0dVeE16WmxZak0yWkRSaE5UWmxZVEExWXpkaFpUUmlPV0UwTldJMk0ySm1PVGMxWkEiLCJraWQiOiJkMGVjNTE0YTMyYjZmODhjMGFiZDEyYTI4NDA2OTliZGQzZGViYTlkIiwiYWxnIjoiUlMyNTYifQ.eyJzdWIiOiJhZG1pbiIsImF1ZCI6WyJuNUFndEFqRmhUZXVybjE4MzhqaTMwbWhUbUFhIl0sImF6cCI6Im41QWd0QWpGaFRldXJuMTgzOGppMzBtaFRtQWEiLCJhdXRoX3RpbWUiOjE1MjIwNTI4NDYsImlzcyI6Imh0dHBzOlwvXC9sb2NhbGhvc3Q6OTQ0M1wvb2F1dGgyXC90b2tlbiIsImV4cCI6MTUyMjA1NjQ0Nywibm9uY2UiOiIxMjMzNDIzNCIsImlhdCI6MTUyMjA1Mjg0N30.g2oSoC_D88XBjN81Lgx0DmOFELO_lXVXTu2YwbZOQGiCJyJLCjwW_Q0UJimBG-ZZIJo5sPj5yrHi5wB9r-Dkr_9QOsgQc7YpiZ0hGw3x53tttxaA655kHuZCsFSJDY7nIsfH-d9Yhi-p4arfdwrrMpcvkwVoLwca1M3-1j9v3LU'/>
<input type='hidden' name='post_logout_redirect_uri' value='https://localhost/callback'/>
<input type='hidden' name='state' value='zzdfdsfdfdfd'/>
<button type='submit'>POST</button>
</p>
</form>
<script type='text/javascript'>
document.forms[0].submit();
</script>
</body>
</html>
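As an added example (not code from the WSO2 documentation), the following Python helper covers both the GET-style logout URL described in the parameter section and the auto-submitting POST form shown above: it generates a per-request state, URL-encodes the query parameters, HTML-escapes the form values, falls back to the POST form when the URL would be too long for the browser, and checks the state echoed back on the post_logout_redirect_uri against the stored one. The logout endpoint and callback are the page's values; MAX_GET_URL_LEN and the function names are assumptions.

```python
import hmac
import secrets
from html import escape
from urllib.parse import urlencode, urlparse, parse_qs

# Logout endpoint and RP logout callback from the page; the callback must be
# covered by the service provider's Callback URL regex.
IDP_LOGOUT_URL = "https://localhost:9443/oidc/logout"
CALLBACK = "http://localhost:8080/playground2/logout"
# Assumed threshold: above this length the GET URL risks browser truncation.
MAX_GET_URL_LEN = 2000

def new_state() -> str:
    """Unguessable per-request state the RP stores until the logout response arrives."""
    return secrets.token_urlsafe(16)

def build_logout_url(id_token: str, state: str, callback: str = CALLBACK) -> str:
    """GET-style logout request; urlencode() escapes the callback and token."""
    params = {"id_token_hint": id_token,
              "post_logout_redirect_uri": callback, "state": state}
    return f"{IDP_LOGOUT_URL}?{urlencode(params)}"

def build_logout_form(id_token: str, state: str, callback: str = CALLBACK) -> str:
    """POST-style logout request: the auto-submitting form shown on the page,
    with every attribute value HTML-escaped so token/state cannot break out."""
    fields = {"id_token_hint": id_token,
              "post_logout_redirect_uri": callback, "state": state}
    inputs = "\n".join(
        f"<input type='hidden' name='{n}' value='{escape(v, quote=True)}'/>"
        for n, v in fields.items())
    return ("<html><body><p>OIDC_LOGOUT_POST</p>\n"
            f"<form method='post' action='{escape(IDP_LOGOUT_URL, quote=True)}'>\n"
            f"{inputs}\n<button type='submit'>POST</button>\n</form>\n"
            "<script type='text/javascript'>document.forms[0].submit();</script>\n"
            "</body></html>")

def logout_request(id_token: str, state: str, callback: str = CALLBACK):
    """Return ('GET', url) when the URL fits, otherwise ('POST', html_form)."""
    url = build_logout_url(id_token, state, callback)
    if len(url) <= MAX_GET_URL_LEN:
        return "GET", url
    return "POST", build_logout_form(id_token, state, callback)

def response_state_matches(redirect_url: str, expected_state: str) -> bool:
    """Correlate the logout response: exactly one state value, equal to the stored one."""
    received = parse_qs(urlparse(redirect_url).query).get("state", [])
    return len(received) == 1 and hmac.compare_digest(
        received[0].encode(), expected_state.encode())
```

The RP keeps the value from new_state() in its session and only treats the return to post_logout_redirect_uri as its own logout response when response_state_matches() is true.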