...
When you log out, you are only logged out of CoreOne Suite. Whether to also log out from the external provider is a decision left to the customer, as there are valid arguments both for and against doing so.
...
Info |
---|
Logout from external provider is implemented only for OIDC providers |
On the DEV test environment, logout from the external provider is configured for both SwissId and KeyCloak, so you should be able to simply run and test it. Below we go through the configuration and see what is where.
This is the external provider configuration for KeyCloak. To enable the logout from external logon providers, enable the useiframelogoutwithidtokenhint setting in the external logon provider configuration (servicecorelogin_external_logon_provider table):
...
You can see that useiframelogoutwithidtokenhint is set to true. This has to be set for the logout to work.
Standard OIDC does not require id_token_hint to be sent in the logout request, but we always send it because most implementations require it; both SwissId and KeyCloak do. When Identity Server performs the logout, it also sends id_token_hint anyway.
...
The logout from the external logon provider is done by rendering an IFrame on the logout page, so please check that the appropriate logout URL is added to the trusted_address setting (see servicecorelogin_external_logon_provider); otherwise the Content Security Policy (CSP) will block the request.
How it works
Login
During authentication to the external provider, the id_token is saved to the CoreOne Suite cache. A reference to the token (not the token itself) is saved in the cookie external_id_token_ref_{auth_scheme}, which keeps sessions apart in the multiple-browser scenario.
Logout
Based on the cookie, the id_token is retrieved from the cache. On the logout page the IFrame is rendered with the logout request to the external provider; the request contains id_token_hint.
Cleanup
During logout we remove the id_token that was used, as it is not needed anymore. There will be situations where these tokens are not removed because no logout was ever invoked (for example, when the browser is simply closed). That means obsolete id_tokens will be left hanging in our cache.
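The login / logout / cleanup flow above, as an added example that is not CoreOne Suite or Identity Server code. It models the cache, the reference cookie, the IFrame logout URL with id_token_hint, and the trusted_address check; the names (TokenCache, on_login, on_logout, build_end_session_url), the provider settings dictionary and all URLs and token values are constructed assumptions. It also goes one step beyond the page by giving cache entries an expiry so that tokens from sessions that never log out are eventually purged instead of hanging in the cache indefinitely.

```python
"""Added example (not CoreOne Suite code): the external-provider logout flow.
TokenCache, on_login, on_logout and the provider dict are assumed names."""
import time
from urllib.parse import urlencode, urlsplit

# Cookie name from the page, suffixed with the auth scheme (e.g. "keycloak").
COOKIE_PREFIX = "external_id_token_ref_"


class TokenCache:
    """In-memory stand-in for the CoreOne Suite cache.

    Entries carry an expiry (an assumption beyond the page) so that id_tokens
    left behind by sessions that simply closed the browser are dropped later.
    """

    def __init__(self, ttl_seconds=3600, clock=time.time):
        self._ttl = ttl_seconds
        self._clock = clock           # injectable for deterministic tests
        self._entries = {}            # ref -> (id_token, expires_at)

    def put(self, ref, id_token):
        self._entries[ref] = (id_token, self._clock() + self._ttl)

    def get(self, ref):
        entry = self._entries.get(ref)
        if entry is None:
            return None
        id_token, expires_at = entry
        if self._clock() >= expires_at:   # expired: treat as absent and drop it
            del self._entries[ref]
            return None
        return id_token

    def remove(self, ref):
        self._entries.pop(ref, None)

    def purge_expired(self):
        """Background cleanup for the obsolete tokens the page describes."""
        now = self._clock()
        stale = [r for r, (_, exp) in self._entries.items() if now >= exp]
        for r in stale:
            del self._entries[r]
        return len(stale)


def on_login(cache, cookies, auth_scheme, id_token, ref):
    """Login: the id_token goes into the cache, only a reference into the cookie."""
    cache.put(ref, id_token)
    cookies[COOKIE_PREFIX + auth_scheme] = ref


def build_end_session_url(end_session_endpoint, id_token, post_logout_redirect_uri=None):
    """RP-initiated logout request used as the IFrame src, carrying id_token_hint."""
    params = {"id_token_hint": id_token}
    if post_logout_redirect_uri:
        params["post_logout_redirect_uri"] = post_logout_redirect_uri
    return end_session_endpoint + "?" + urlencode(params)


def is_trusted(url, trusted_addresses):
    """trusted_address check: the IFrame origin must be allow-listed or CSP blocks it."""
    parts = urlsplit(url)
    return f"{parts.scheme}://{parts.netloc}" in trusted_addresses


def csp_frame_src(trusted_addresses):
    """CSP directive that permits exactly the allow-listed logout origins."""
    return "frame-src 'self' " + " ".join(sorted(trusted_addresses)) + ";"


def on_logout(cache, cookies, auth_scheme, provider):
    """Logout: resolve id_token via the cookie, build the IFrame URL, then clean up.

    Returns the IFrame URL, or None when there is nothing to log out from.
    """
    cookie_name = COOKIE_PREFIX + auth_scheme
    ref = cookies.get(cookie_name)
    if ref is None:
        return None
    id_token = cache.get(ref)
    url = None
    if id_token is not None and provider.get("useiframelogoutwithidtokenhint"):
        url = build_end_session_url(provider["end_session_endpoint"], id_token,
                                    provider.get("post_logout_redirect_uri"))
        if not is_trusted(url, provider["trusted_address"]):
            raise ValueError("logout URL origin not in trusted_address; CSP would block the IFrame")
    # Cleanup: the token is not needed once the logout request has been rendered.
    cache.remove(ref)
    cookies.pop(cookie_name, None)
    return url
```

The cookie never holds the id_token itself, only an opaque reference, which is the property the page's design relies on; the expiry in TokenCache is the added piece that bounds how long an abandoned token can survive.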
...