Enabling programmatic logout for an OpenID Connect Relying Party

You can enable programmatic logout for an application that is secured by the OpenID Connect (OIDC) Relying Party (RP) Trust Association Interceptor (TAI). When programmatic logout is enabled, logging out of the application clears any OpenID Connect cookies and Lightweight Third Party Authentication (LTPA) cookies.

Before you begin

This task assumes that your system is enabled to use the OpenID Connect feature. For more information, see Configuring an OpenID Connect Relying Party.

About this task

The OIDC TAI supports logout through the HttpServletRequest.logout() Java™ method. When this method is called from a URL that is protected by the OIDC TAI, it clears the LtpaToken2 cookie and the OpenID Connect cookies. You can also configure the OIDC TAI to revoke any access tokens when this method is called.

The following procedure provides an example class and the steps to enable OpenID Connect programmatic logout. It shows how to add a logout method to your application and how to configure the OIDC TAI to revoke access tokens.

Avoid trouble:

The HttpServletRequest.logout() method makes the OIDC TAI remove the information that is required to log out a single sign-on (SSO) user from the application server. To preserve SSO, most OpenID Connect providers leave information in the browser that keeps the user logged in to the OP. As a result, if the user navigates to a protected URL again, credentials are not required even though the user logged out of the application server: the OIDC TAI recognizes that the user is not logged in to the application server and redirects the request to the OP for login, but the OP does not prompt for credentials because, from its point of view, the user is still logged in.

[8.5.5.23 or later] To require credentials after the user logs out, you must also set up RP-Initiated Logout, which logs the user out of the OP.

Procedure

  1. Develop a logout endpoint to include with your application that is protected by the TAI, as shown in the following example:
    import java.io.IOException;
    import javax.servlet.Servlet;
    import javax.servlet.ServletException;
    import javax.servlet.http.HttpServlet;
    import javax.servlet.http.HttpServletRequest;
    import javax.servlet.http.HttpServletResponse;
    
    // Logout endpoint. It must be mapped to a URL that the OIDC TAI intercepts
    // (see step 2) so that req.logout() clears the LtpaToken2 and OIDC cookies.
    public class OIDCLogoutServlet extends HttpServlet implements Servlet {
        public OIDCLogoutServlet() {
            super();
        }
    
        @Override
        protected void doGet(HttpServletRequest req, HttpServletResponse rsp) throws ServletException, IOException {
            doPost(req, rsp);
        }
    
        @Override
        protected void doPost(HttpServletRequest req, HttpServletResponse rsp) throws ServletException, IOException {
            // Clears the LtpaToken2 cookie and the OpenID Connect cookies; when
            // provider_<id>.revokeAccessToken is true, the TAI also revokes the access token.
            req.logout();
        }
    }
  2. Configure the new logout URL that you developed in the previous step to be intercepted by the OIDC TAI.
    1. Log in to the WebSphere® Application Server administrative console.
    2. Click Security > Global security.
    3. Expand Web and SIP security.
    4. Click Trust association > Interceptors.
    5. Click com.ibm.ws.security.oidc.client.RelyingParty.
    6. Ensure that the combination of values of the following three properties intercepts the URL that calls the HttpServletRequest.logout() method:
      • provider_<id>.filter
      • provider_<id>.interceptedPathFilter
      • provider_<id>.excludedPathFilter
  3. [8.5.5.23 or later] Decide whether you want the OIDC TAI to perform RP-Initiated Logout to log the user out of the OP.

    When an RP-initiated logout is performed, the user is logged out of all applications in the browser that use the OP.

    • If you want the OIDC TAI to perform RP-Initiated Logout, complete the steps in Configuring the OIDC TAI to perform RP-initiated logout.
    • If you do not want the OIDC TAI to perform RP-Initiated Logout to log the user out of the OP, ensure that the provider_<id>.endSessionEndpointEnabled property is set to false.
  4. Decide whether you want to revoke the user's access tokens upon logout.

    Complete one of the following procedures based on your decision.

    [8.5.5.23 or later] This step applies only if RP-Initiated Logout is not configured.

Configuring the OIDC TAI to revoke user access tokens upon logout

To automatically revoke user access tokens upon logout when programmatic logout is enabled, complete the following steps.

Procedure

  1. Set the provider_<id>.revokeAccessToken property to true.
  2. If no value is configured for the provider_<id>.discoveryEndpointUrl property, set the provider_<id>.revokeEndpointUrl property to the value of the revoke endpoint on your OIDC provider.
    If the provider_<id>.discoveryEndpointUrl property is configured, the provider_<id>.revokeEndpointUrl property is set up automatically, and this step is not required.
  3. Optional: Set the provider_<id>.revokeTokensOnCacheEviction property to true.
    When this property is set to true and a revoke endpoint is configured, whenever a session is evicted from a DynaCache instance, the tokens in the session data are revoked.
  4. Optional: Set the alwaysInvalidateAccessTokenOnLogout property to true.
    By default, if an OIDC session cookie is present on a request when a logout is performed, the logout uses only the information that is associated with the OIDC session cookie. If no OIDC session cookie exists, then the logout uses the access token in the Authorization header of the request. If you set the alwaysInvalidateAccessTokenOnLogout property to true, the logout is performed by using information from both the OIDC session cookie and the Authorization header of the request when they both exist.
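
After the logout URL is configured, it is worth confirming that a request to it really expires the cookies the TAI is supposed to clear. The following Python check is an added example, not part of this documentation or of the OIDC TAI: it parses the Set-Cookie headers of a captured logout response (a constructed sample is embedded) and reports which expected cookies are still live. The name OidcCookiePlaceholder is an assumption standing in for the OIDC cookie names your TAI actually issues.

```python
from datetime import datetime, timezone
from email.utils import parsedate_to_datetime

# Constructed sample: Set-Cookie headers a logout response might carry.
# LtpaToken2 is the cookie named in the documentation; OidcCookiePlaceholder is
# an assumed stand-in for your TAI's OIDC cookie names; JSESSIONID is a cookie
# that the logout leaves alone.
SAMPLE_LOGOUT_HEADERS = [
    'LtpaToken2=""; Path=/; Expires=Thu, 01 Jan 1970 00:00:00 GMT; HttpOnly; Secure',
    'OidcCookiePlaceholder=""; Path=/; Max-Age=0; HttpOnly; Secure',
    'JSESSIONID=0000abcdefghijklmnop:1; Path=/; HttpOnly',
]

def parse_set_cookie(header):
    """Split one Set-Cookie header value into (name, value, {attr: val})."""
    parts = [p.strip() for p in header.split(";")]
    name, _, value = parts[0].partition("=")
    attrs = {}
    for part in parts[1:]:
        key, _, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip()
    return name.strip(), value.strip('"'), attrs

def is_cleared(attrs, now=None):
    """True when the server expires the cookie: Max-Age <= 0 or Expires in the past."""
    now = now or datetime.now(timezone.utc)
    if "max-age" in attrs:
        try:
            return int(attrs["max-age"]) <= 0
        except ValueError:
            return False
    if "expires" in attrs:
        try:
            expires = parsedate_to_datetime(attrs["expires"])
        except (TypeError, ValueError):   # unparsable date: treat as not cleared
            return False
        if expires.tzinfo is None:        # naive date: assume UTC
            expires = expires.replace(tzinfo=timezone.utc)
        return expires <= now
    return False

def uncleared_cookies(set_cookie_headers, required):
    """Return the required cookie names that the logout response did not clear."""
    cleared = {name for name, _, attrs in map(parse_set_cookie, set_cookie_headers)
               if is_cleared(attrs)}
    return set(required) - cleared
```

When provider_<id>.revokeAccessToken is set, a complementary check is to retry a protected URL with the pre-logout access token and confirm that it is now rejected.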