how to do a global OIDC logout using node-oidc-provider

Question

What is the correct way in OIDC for an RP to initiate a global logout of all services to which the user is logged in via the OP? I can logout of a single service, but I've read you can create a frontend url for each RP, and load that as an iframe in the OP logout form, which seems somewhat flaky and cumbersome. I've also read up on backchannel logouts, but the library I'm using doesn't seem to support a global logout via this method.

The best thing I can think to do is override the configuration.features.rpInitiatedLogout.logoutSource function and implement what is defined in endSession

if (session.authorizations) {
  await Promise.all(
    Object.entries(session.authorizations).map(async ([clientId, { grantId }]) => {
      // Drop the grants without offline_access
      // Note: tokens that don't get dropped due to offline_access having being added
      // later will still not work, as such they will be orphaned until their TTL hits
      if (grantId && !session.authorizationFor(clientId).persistsLogout) {
        await revoke(ctx, grantId);
      }
    }),
  );
}

I'd love to know if there is a better, more idiomatic solution.

score 0 · Answer 1 · answered Feb 08 '23 at 18:34

It turns out that the global logout is the default behavior, assuming that none of the RP's authorizations have persistsLogout set to true. This can happen if they include the offline_access scope or if the provider.configuration.expiresWithSession is overridden to return false, which was the case in my situation.

how to do a global OIDC logout using node-oidc-provider

1 Answers1