Kong OIDC Plugin RP Initiated Logout and Backchannel logout
- Kalidass Mookkaiah
- Feb 7, 2024
- 2 min read
The OpenID Connect specification describes the logout functions.
The Kong Gateway OpenID Connect plugin supports logout functionality, which is mostly useful with session authentication and the authorization code flow.
As part of logout, the Kong OIDC plugin implements:
- RP initiated logout
Kong as of 3.5.x does not support:
- Backchannel logout
What are RP and OP
RP is the Relying Party; for simplicity, it is the application the user is using.
OP is the OpenID Provider; for simplicity, it is the IDP (Identity Provider).
What is RP Initiated Logout
This is where the user logs out and wants to remove the session stored in Kong and log out from the IDP as well.
Use Kong for RP Initiated Logout
In Kong you might have a route like /a/b.
If the OIDC plugin is configured on this route, you would need to configure:
logout_uri_suffix=/logout
logout_methods=POST
logout_revoke=true
The application will then have to call the endpoint /a/b/logout to start the logout.
What Kong will do
Kong will identify the session based on the user session passed to Kong.
Kong will remove the stored session from the Kong cache.
Kong will call the IDP's end_session_endpoint, if it is present in the discovery document, and pass the id token as the id_token_hint so that the session is removed from the IDP as well.
If end_session_endpoint is missing, Kong will not call the IDP.
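The three steps above, written out as an added example (this is not Kong's code): a constructed in-memory session store stands in for the Kong session cache, the discovery documents are constructed samples with a placeholder issuer, and `rp_initiated_logout` drops the local session and then either builds the OP `end_session_endpoint` request with `id_token_hint` (and `post_logout_redirect_uri` when the application supplies one) or returns no OP URL when the discovery document has no `end_session_endpoint`, which is the behaviour the text attributes to Kong.

```python
"""RP-initiated logout as described above (added example, not Kong's code)."""
from urllib.parse import urlencode

# Constructed sample discovery documents; the issuer is a placeholder.
DISCOVERY_WITH_END_SESSION = {
    "issuer": "https://idp.example.invalid",
    "end_session_endpoint": "https://idp.example.invalid/oidc/logout",
}
DISCOVERY_WITHOUT_END_SESSION = {
    "issuer": "https://idp.example.invalid",
}


def new_session_store():
    """Constructed stand-in for the Kong session cache: session id -> stored tokens."""
    return {
        "sess-1": {"sub": "alice", "id_token": "ID_TOKEN_ALICE_PLACEHOLDER"},
        "sess-2": {"sub": "bob", "id_token": "ID_TOKEN_BOB_PLACEHOLDER"},
    }


def rp_initiated_logout(store, session_id, discovery,
                        post_logout_redirect_uri=None, client_id=None):
    """Terminate the local session, then build the OP logout request.

    Returns (removed, op_logout_url):
      removed        False when no such session exists (nothing to log out)
      op_logout_url  None when the OP publishes no end_session_endpoint,
                     otherwise the end_session_endpoint URL carrying
                     id_token_hint (plus post_logout_redirect_uri/client_id
                     when the application asked to be redirected afterwards).
    """
    # Step 1+2: identify the session and remove it from the local cache.
    session = store.pop(session_id, None)
    if session is None:
        return False, None

    # Step 3: only call the OP if the discovery document names an endpoint.
    endpoint = discovery.get("end_session_endpoint")
    if not endpoint:
        return True, None

    # id_token_hint tells the OP which end-user session to end.
    params = {"id_token_hint": session["id_token"]}
    if post_logout_redirect_uri:
        # RP-Initiated Logout requires id_token_hint or client_id alongside
        # post_logout_redirect_uri; both are included here when available.
        params["post_logout_redirect_uri"] = post_logout_redirect_uri
        if client_id:
            params["client_id"] = client_id
    return True, f"{endpoint}?{urlencode(params)}"


if __name__ == "__main__":
    store = new_session_store()
    print(rp_initiated_logout(store, "sess-1", DISCOVERY_WITH_END_SESSION,
                              "https://app.example.invalid/bye", "demo-rp"))
    print(rp_initiated_logout(store, "sess-2", DISCOVERY_WITHOUT_END_SESSION))
    print(store)  # both sessions are gone from the local store either way
```

Note that the local session is removed whether or not the OP can be reached: a missing `end_session_endpoint` only means the IDP session survives, which is the gap the text points out.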
What is Backchannel Logout
Backchannel logout, in simple terms, means that if a user logs out from one application, the user is logged out from all applications where they were logged in as well.
How does it work?
1. The RP sends a logout to the OP (IDP).
2. The OP sends a logout to all the RPs over the backchannel.
3. All the RPs that receive the logout log the user out as well.
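Step 2 is what an RP has to be able to receive: an HTTP POST from the OP carrying a Logout Token (a JWT). The following added example (not Kong's code; the text notes Kong cannot receive these) implements the RP side of step 3: it verifies the token's signature and the claims required by OpenID Connect Back-Channel Logout 1.0 (`iss`, `aud`, `iat`, `jti`, the `events` claim naming the backchannel-logout event, `sid` or `sub`, and no `nonce`), rejects replayed `jti` values, and then ends the matching local sessions. To run offline, the token is signed with HS256 under a constructed shared secret and `sign_logout_token` plays the OP; a real OP signs with its private key and the RP verifies against the OP's published JWKS. The issuer, client id and session data are placeholders.

```python
"""RP-side handling of an OIDC Back-Channel Logout Token (added example, not Kong's code)."""
import base64
import hashlib
import hmac
import json
import time

BACKCHANNEL_EVENT = "http://schemas.openid.net/event/backchannel-logout"
SHARED_SECRET = b"constructed-demo-secret"   # constructed; real OPs use asymmetric keys + JWKS
OP_ISSUER = "https://idp.example.invalid"    # placeholder issuer
RP_CLIENT_ID = "demo-rp"                     # constructed client id of this RP


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def sign_logout_token(claims: dict) -> str:
    """What the OP does in step 2: mint a compact JWS over the logout claims (HS256 for the demo)."""
    header = _b64url(json.dumps({"alg": "HS256", "typ": "logout+jwt"}).encode())
    payload = _b64url(json.dumps(claims).encode())
    sig = hmac.new(SHARED_SECRET, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url(sig)}"


def verify_logout_token(token: str, now=None, max_age=300, seen_jti=None) -> dict:
    """Validate a Logout Token per Back-Channel Logout 1.0 section 2.6; raise ValueError on failure."""
    now = time.time() if now is None else now
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed JWS")
    header_b64, payload_b64, sig_b64 = parts
    header = json.loads(_b64url_decode(header_b64))
    if header.get("alg") != "HS256":  # pin the expected alg; never trust the token's own choice
        raise ValueError("unexpected alg")
    expected = hmac.new(SHARED_SECRET, f"{header_b64}.{payload_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(sig_b64)):
        raise ValueError("bad signature")
    claims = json.loads(_b64url_decode(payload_b64))
    if claims.get("iss") != OP_ISSUER:
        raise ValueError("wrong issuer")
    aud = claims.get("aud")
    if RP_CLIENT_ID not in (aud if isinstance(aud, list) else [aud]):
        raise ValueError("token not addressed to this RP")
    iat = claims.get("iat")
    if not isinstance(iat, (int, float)) or iat > now + 60 or now - iat > max_age:
        raise ValueError("iat missing, in the future, or stale")
    if "exp" in claims and claims["exp"] < now:
        raise ValueError("token expired")
    if not claims.get("jti"):
        raise ValueError("jti missing")
    if seen_jti is not None:  # replay protection: each logout token is single-use
        if claims["jti"] in seen_jti:
            raise ValueError("replayed jti")
        seen_jti.add(claims["jti"])
    events = claims.get("events")
    if not isinstance(events, dict) or not isinstance(events.get(BACKCHANNEL_EVENT), dict):
        raise ValueError("events claim lacks the backchannel-logout member")
    if "sub" not in claims and "sid" not in claims:
        raise ValueError("logout token needs sub or sid")
    if "nonce" in claims:  # an ID Token must never be accepted as a logout token
        raise ValueError("nonce must not be present")
    return claims


def handle_backchannel_logout(token: str, sessions: dict, **verify_kwargs) -> list:
    """Step 3 at the RP: verify the token, then end the session named by sid, or all sessions of sub."""
    claims = verify_logout_token(token, **verify_kwargs)
    key, value = ("sid", claims["sid"]) if claims.get("sid") else ("sub", claims["sub"])
    ended = [sess_id for sess_id, sess in sessions.items() if sess.get(key) == value]
    for sess_id in ended:
        del sessions[sess_id]
    return ended


if __name__ == "__main__":
    # Constructed local sessions: alice has two browser sessions, bob has one.
    sessions = {"s1": {"sub": "alice", "sid": "sid-a"},
                "s2": {"sub": "alice", "sid": "sid-b"},
                "s3": {"sub": "bob", "sid": "sid-c"}}
    token = sign_logout_token({"iss": OP_ISSUER, "aud": RP_CLIENT_ID, "iat": int(time.time()),
                               "jti": "demo-jti-1", "events": {BACKCHANNEL_EVENT: {}}, "sid": "sid-a"})
    print(handle_backchannel_logout(token, sessions, seen_jti=set()), sessions)
```

The endpoint that receives the POST must be reachable by the OP directly, independent of the user's browser, which is exactly the piece the text says the Kong plugin does not expose.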
A good article explaining backchannel logout is available here.
Kong support for backchannel logout
Kong currently does not support backchannel logout out of the box, because Kong Gateway cannot receive the backchannel message from the OP or IDP.