Introduction
Once you login to the application using external provider - you are logged in two systems - in CoreOne and in External Provider.
When you logout - you will be logged out from CoreOne. The question araises if you should be logged out of External Provider as well. This is something that customer has to decide as there are valid points for logout and against.
Setup
Logout from external provider is implemented only for OIDC providers
On the DEV test environment, logout from external provider is configured for both SwissId and KeyCloak. You should be able to just run and test it. But below we will go though the configuration and see what is where
This is external provider configuration for KeyCloak (servicecorelogin_external_logon_provider
table):
{ "clientid": "cos", "clientsecret": "0lLM43yeXPKtBzyH7s3p5mKzWGS1dLVT", "authority": "http://localhost:8080/realms/master/", "useuserinfoendpoint": true, "requirehttpsmetadata": false, "useiframelogoutwithidtokenhint":true }
You can see useiframelogoutwithidtokenhint
is set to true. This has to be set for the logout to work.
Standard OIDC does not require to send id_token_hint when logout but it is required by both SwissId and KeyCloak. When Identity Server does logout - it also send id_token_hint
IFrame is used during logout, so please check that you have servicecorelogin_external_logon_provider.trusted_address
set. Otherwise CSP can block the request.
Login
During authentication to external provider the id_token will be saved to CoreOne cache. The reference to the token will ba saved in cookie external_id_token_ref_{auth_scheme}
(for multiple browser scenario).
Logout
Based on cookie, the id token is found.
On the logout page the iFrame is rendered with logout request to external provider. It should contain id_token_hint.