Overview#
A Logout Token is a JSON Web Token sent from an OpenID Connect Provider to a Relying Party to request that the Relying Party log out the End-User. The Logout Token is defined in OpenID Connect Back-Channel Logout.
A Logout Token is similar to an id_token.
The following Claims are used within the Logout Token:
- iss REQUIRED
- sub OPTIONAL
- aud REQUIRED
- iat REQUIRED
- jti REQUIRED
- events REQUIRED. Claim whose value MUST be a JSON Object containing the member name http://schemas.openid.net/event/backchannel-logout. This declares that the JWT is a Logout Token. The corresponding member value MUST be a JSON Object and SHOULD be the empty JSON object {}.
- sid OPTIONAL
A Logout Token MUST contain either a sub or a sid Claim, and MAY contain both. If a sid Claim is not present, the intent is that all sessions at the RP for the End-User identified by the iss and sub Claims be logged out.
The following Claim MUST NOT be used within the Logout Token:
- nonce PROHIBITED - A nonce Claim MUST NOT be present. Its use is prohibited to make a Logout Token syntactically invalid if used in a forged Authentication Response in place of an id_token.
A Logout Token MUST be signed (JWS) and MAY also be encrypted (JWE). The same keys are used to sign and encrypt the Logout Token as are used for the id_token.
NOTE: The Logout Token is compatible with the Security Event Token (SET) I-D.ietf-secevent-token draft -00.
A non-normative example JWT Claims Set for a Logout Token follows:
    {
      "iss": "https://server.example.com",
      "sub": "248289761001",
      "aud": "s6BhdRkqt3",
      "iat": 1471566154,
      "jti": "bWJq",
      "sid": "08a5019c-17e1-4977-8f42-65a12843ea02",
      "events": {
        "http://schemas.openid.net/event/backchannel-logout": {}
      }
    }
Relying Party Logout Token Validation#
Upon receiving a logout request at the back-channel logout URI, the Relying Party MUST validate the Logout Token as follows:
- If the Logout Token is encrypted, decrypt it using the keys and algorithms that the Client specified during Registration that the OP was to use to encrypt id_token.
- If id_token encryption was negotiated with the OP at Registration time and the Logout Token is not encrypted, the Relying Party SHOULD reject it.
- Validate the Logout Token signature in the same way that an id_token signature is validated, with the following refinements.
- Validate the iss, aud, and iat Claims in the same way they are validated in id_tokens.
- Verify that the Logout Token contains a sub Claim, a sid Claim, or both.
- Verify that the Logout Token contains an events Claim whose value is a JSON Object containing the member name http://schemas.openid.net/event/backchannel-logout.
- Verify that the Logout Token does not contain a nonce Claim.
- Optionally verify that another Logout Token with the same jti value has NOT been recently received.
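The claim checks listed above, as an added example that is not part of this page or of the OpenID specification: Python that assumes decryption and signature verification have already been performed as for an id_token, and that uses an assumed iat freshness window and an in-memory set for the optional jti replay check.

```python
import time

# Member name that marks a JWT as a Logout Token (from the specification).
BACKCHANNEL_LOGOUT_EVENT = "http://schemas.openid.net/event/backchannel-logout"

# Non-normative example Claims Set from the specification, used for the demo.
EXAMPLE_CLAIMS = {
    "iss": "https://server.example.com", "sub": "248289761001",
    "aud": "s6BhdRkqt3", "iat": 1471566154, "jti": "bWJq",
    "sid": "08a5019c-17e1-4977-8f42-65a12843ea02",
    "events": {BACKCHANNEL_LOGOUT_EVENT: {}},
}


class LogoutTokenError(ValueError):
    """Raised when a decoded Logout Token Claims Set fails validation."""


def validate_logout_token_claims(claims, expected_iss, client_id, seen_jti,
                                 now=None, max_age=300):
    """Validate a Logout Token Claims Set after JWE decryption and JWS
    verification (done exactly as for an id_token, not shown here).
    max_age (seconds) is an assumed RP policy, not a spec value.
    Returns the sub/sid pair the RP should use to locate sessions."""
    now = int(time.time()) if now is None else now
    # iss, aud and iat are validated as they are for an id_token.
    if claims.get("iss") != expected_iss:
        raise LogoutTokenError("iss does not match the expected OP")
    aud = claims.get("aud")
    if client_id not in (aud if isinstance(aud, list) else [aud]):
        raise LogoutTokenError("aud does not contain this client_id")
    iat = claims.get("iat")
    if not isinstance(iat, int) or iat > now + 60 or now - iat > max_age:
        raise LogoutTokenError("iat missing, in the future, or too old")
    # The token MUST carry a sub Claim, a sid Claim, or both.
    if "sub" not in claims and "sid" not in claims:
        raise LogoutTokenError("neither sub nor sid present")
    # events MUST be a JSON Object containing the backchannel-logout member.
    events = claims.get("events")
    if not isinstance(events, dict) or BACKCHANNEL_LOGOUT_EVENT not in events:
        raise LogoutTokenError("events Claim lacks the backchannel-logout member")
    # nonce MUST NOT be present: its absence keeps a Logout Token from
    # being passed off as an id_token in a forged Authentication Response.
    if "nonce" in claims:
        raise LogoutTokenError("nonce present; not a valid Logout Token")
    # Optional replay check on jti (assumed in-memory store for the demo).
    jti = claims.get("jti")
    if not jti or jti in seen_jti:
        raise LogoutTokenError("jti missing or already received")
    seen_jti.add(jti)
    return {"sub": claims.get("sub"), "sid": claims.get("sid")}
```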