User Logout
User logout can mean quite a few different things and there are multiple ways for logging out users.
User Initiated Logout
This is the most straight forward logging out. If a user (or an admin in the Admin UI) clicks the logout button and confirms the logout, the associated Rauthy session will be logged out. This means, to access any Rauthy UI's again, the user needs to do a fresh login.
If you have OIDC Backchannel Logout (mentioned below) configured for any clients, this will trigger it for the Session
ID sid
only. This means only clients where the user logged in in the past that are associated with this sid
will
receive a Logout Token. All others will not. This is NOT a global user logout, only for this very session.
The User Initiated Logout does NOT affect already signed and issue stateless(!) tokens. A stateless token, once singned, cannot be revoked by design, even though you might read things like this in many places on the internet.
It is impossible to revoke a stateless JWT token.
Admin-Forced User Logout
An admin can of course force-logout users via the Admin UI as well. This can be done in 2 places:
- Admin UI -> Sessions -> click delete on a specific session or
Invalidate All Sessions
- Admin UI -> Users -> select user -> Logout Tab -> Logout
The first session-targeted logout / invalidation will only trigger Backchannel Logouts for this specific session only. If you log out a user via the Logout Tab for a selected user, it will be a global User Logout everywhere. This will delete all existing sessions on all devices, delete all refresh tokens and trigger a Backchannel Logout for the whole user for all configured clients.
The global, forced user logout does NOT affect logged in devices via the device flow, which are usually either IoT devices or maybe a CLI tool on a headless server. If you also want to remove access for all of these, do this additionally via the Admin UI -> Users -> select user -> Devices Tab.
RP Initiated Logout
An RP Initiated Logout can be done by any client, that has a valid id_token
for a given user. This logout provides
the best UX and makes it possible to redirect the user back to the downstream client afterward instead of Rauthy itself.
To make this possible, you first need to make sure, that you set a proper Redirect URI
for your client in the Admin
UI -> Client Config. Only URLs added here upfront will be allowed for the automated redirect. This logout procedure also
does not ask for Logout validation and the whole process works without any user interaction.
If you added a redirect URI, you can do this logout in 2 ways:
- Use the users browser, for instance after clicking a Logout button in the downstream client app
- Do it in the background without the user knowing
Via the browser is pretty simple:
- Redirect the user to Rauthy's logout endpoint, which is
/auth/v1/oidc/logout
and provide a validid_token
via theid_token_hint
URL parameter. If this contains a validid_token
, Rauthy will not ask for Logout confirmation and it will accept an optionally given, valid redirect URI. - Add the
post_logout_redirect_uri
param and provide a URI, that has been allowed for this client upfront to avoid open redirects. - You may also add a
state
parameter if you need to provide any information back to your client. Thisstate
will be appended to thepost_logout_redirect_uri
, if it exists.
Via the backend without user interaction, an RP can initiate a logout in the same way. This a lot simpler though. You
only would do a POST /auth/v1/oidc/logout?id_token_hint=pasteAValidIdTokenHere
. It will work in the exact same way
with the exception, that you of course don't need any redirect or state, because your backend would do this request
directly.
In both situations, you at least need a valid id_token
which has been returned in the past via the /token
endpoint
after a successful login or token refresh.
The RP Initiated Logout will always trigger a Backchannel Logout on configured clients that are associated to the
sid
from the id_token
.
Backchannel Logout - Client Side
A Backchannel Logout is sent from Rauthy to your downstream client application, if you configured it to do so. You can
configure it in the Admin UI -> Clients -> select your client -> Backchannel Logout
.
Either your client application already supports OIDC Backchannel Logout, or you might need to implement it on your own. Accepting these logout requests is pretty straight forward, if you just take a look at the RFC.
The rauthy-client
will provide all the necessary tools for this in a future version as well.
Backchannel Logout - Rauthy's Side
An OIDC Backchannel Logout can be done as well against
Rauthy. You usually never implement it yourself though. Rauthy only accepts these backchannel logouts from configured
Upstream Auth Providers. These will provide a logout_token
on the logout endpoint, which Rauthy will validate and on
success, forward the backchannel logout to all configured and associated clients.
You have quite a few config options regarding Backchannel Logout. All these values have reasonable defaults, but you might take a look at them if you have issues like e.g. an upstream provider with self-signed certificates or inside test environments.
#####################################
######## BACKCHANNEL LOGOUT #########
#####################################
# The maximum amount of retries made for a failed backchannel logout.
# Failed backchannel logouts will be retried every 60 - 90 seconds
# from all cluster nodes. The timeout between retries is randomized
# to avoid overloading clients. It will be executed on each cluster
# member to increase the chance of a successful logout in case of
# network segmentations.
# default: 100
#BACKCHANNEL_LOGOUT_RETRY_COUNT=100
# Can be set to `true` to allow plain HTTP backchannel
# logout requests.
# default: false
#BACKCHANNEL_DANGER_ALLOW_HTTP=false
# Can be set to `true` to allow insecure HTTPS logout requests.
# This will disable TLS certificate validation.
# default: false
#BACKCHANNEL_DANGER_ALLOW_INSECURE=false
# The lifetime / validity for Logout Tokens in seconds.
# These Logout Tokens are being generated during OIDC
# Backchannel Logout requests to configured clients.
# The token lifetime should be as short as possible and
# at most 120 seconds.
# default: 30
#LOGOUT_TOKEN_LIFETIME=30
# You can allow a clock skew during the validation of
# Logout Tokens, when Rauthy is being used as a client
# for an upstream auth provider that uses backchannel
# logout.
#
# The allowed skew will be in seconds and a value of
# e.g. 5 would mean, that 5 seconds are added to the
# `iat` and `exp` claim validations and expand the range.
#
# default: 5
#LOGOUT_TOKEN_ALLOW_CLOCK_SKEW=5
# The maximum allowed lifetime for Logout Tokens.
# This value is a security check for upstream auth
# providers. If Rauthy receives a Logout Token, it will
# check and validate, that the difference between `iat`
# and `exp` is not greater than LOGOUT_TOKEN_ALLOWED_LIFETIME.
# This means Rauthy will reject Logout Tokens from clients
# with a way too long validity and therefore poor
# implementations. The RFC states that tokens should
# be valid for at most 120 seconds.
# default: 120
#LOGOUT_TOKEN_ALLOWED_LIFETIME=120