!!! Overview
[{$pagename}] is a [JSON Web Token] sent from the [OpenID Connect Provider] to the [Relying Party] to request that it perform a [logout].
[{$pagename}] is defined in [OpenID Connect Back-Channel Logout].
[{$pagename}] is similar to an [id_token].
The following [Claims] are used within the [{$pagename}]:
* [iss] [REQUIRED]
* [sub] [OPTIONAL]
* [aud] [REQUIRED]
* [iat] [REQUIRED]
* [jti] [REQUIRED]
* [events|Events Claim] [REQUIRED]. [Claim] whose value [MUST] be a [JSON Object] containing the member name http://schemas.openid.net/event/backchannel-logout. This declares that the [JWT] is a [{$pagename}]. The corresponding member value [MUST] be a [JSON Object] and [SHOULD] be the empty JSON object {}.
* [sid] [OPTIONAL]
A Logout Token [MUST] contain either a [sub] or a [sid] [Claim], and [MAY] contain both. If a [sid] [Claim] is not present, the intent is that all sessions at the RP for the [End-User] identified by the [iss] and [sub] [Claims] be logged out.
The following [Claim] [MUST NOT] be used within the Logout Token:
* [nonce] [PROHIBITED] - A [nonce] Claim [MUST NOT] be present. Its use is prohibited to make a Logout Token syntactically invalid if used in a forged [Authentication Response] in place of an [id_token].
[Logout] Tokens [MAY] contain other [Claims]. Any [Claims] used that are not understood [MUST] be ignored.
A [{$pagename}] [MUST] be signed ([JWS]) and [MAY] also be [encrypted] ([JWE]). The same keys are used to sign and encrypt [{$pagename}] as are used for [id_token].
NOTE: The [{$pagename}] is compatible with [Security Event Token] ([SET]) [I‑D.ietf‑secevent‑token] draft -00.
A non-normative [example] [JWT] Claims Set for a [{$pagename}] follows:
%%prettify
{{{
{
  "iss": "https://server.example.com",
  "sub": "248289761001",
  "aud": "s6BhdRkqt3",
  "iat": 1471566154,
  "jti": "bWJq",
  "sid": "08a5019c-17e1-4977-8f42-65a12843ea02",
  "events": {
    "http://schemas.openid.net/event/backchannel-logout": {}
  }
}
}}} /%
!! [Relying Party] [{$pagename}] [Validation]
Upon receiving a logout request at the back-channel logout [URI], the [Relying Party] [MUST] validate the [{$pagename}] as follows:
* If the [{$pagename}] is encrypted, decrypt it using the keys and algorithms that the Client specified during Registration that the OP was to use to encrypt [id_token].
* If [id_token] encryption was negotiated with the OP at Registration time and the Logout Token is not encrypted, the [Relying Party] [SHOULD] reject it.
* Validate the [{$pagename}] signature in the same way that an [id_token] signature is validated, with the following refinements.
* Validate the [iss], [aud], and [iat] [Claims] in the same way they are validated in [id_tokens].
* Verify that the [{$pagename}] contains a [sub] Claim, a [sid] Claim, or both.
* Verify that the [{$pagename}] contains an [events Claim] whose value is a [JSON Object] containing the member name http://schemas.openid.net/event/backchannel-logout.
* Verify that the [{$pagename}] does not contain a [nonce] [Claim].
* Optionally verify that another [{$pagename}] with the same [jti] value has __NOT__ been recently received.
If any of the validation steps fails, reject the [{$pagename}] and return an [HTTP 400] __Bad Request__ [error]. Otherwise, proceed to perform the logout actions.
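The validation steps above, carried out in code as an added example (not code from the OpenID Connect specification or from any particular implementation). For a self-contained run it assumes the OP signs with HS256 using a shared secret; a real OP normally signs with an asymmetric key published in its JWKS, and the RP would look that key up exactly as it does for an [id_token]. The helper names (mint_logout_token, validate_logout_token) and the in-memory jti cache are constructed for this illustration.

```python
import base64, hashlib, hmac, json, time

BACKCHANNEL_EVENT = "http://schemas.openid.net/event/backchannel-logout"
SEEN_JTIS = set()  # replay cache (constructed); a real RP uses a bounded store that expires entries

def _b64url_decode(s):
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))
def _b64url_encode(b):
    return base64.urlsafe_b64encode(b).rstrip(b"=").decode()

def mint_logout_token(claims, key):
    """Constructed stand-in for the OP: HS256-signs a claims set so the RP side can be tested offline."""
    parts = [_b64url_encode(json.dumps({"alg": "HS256", "typ": "JWT"}).encode()),
             _b64url_encode(json.dumps(claims).encode())]
    sig = hmac.new(key, ".".join(parts).encode(), hashlib.sha256).digest()
    return ".".join(parts + [_b64url_encode(sig)])

def validate_logout_token(token, key, issuer, client_id, now=None, max_age=300):
    """Return the claims set of a valid Logout Token; raise ValueError where the RP must answer HTTP 400."""
    now = time.time() if now is None else now
    h_b64, p_b64, s_b64 = token.split(".")  # anything but three parts raises ValueError here
    header = json.loads(_b64url_decode(h_b64))
    if header.get("alg") != "HS256":  # accept only the alg agreed with the OP; 'none' is never acceptable
        raise ValueError("unexpected alg")
    expected = hmac.new(key, f"{h_b64}.{p_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(s_b64)):
        raise ValueError("bad signature")
    claims = json.loads(_b64url_decode(p_b64))
    if claims.get("iss") != issuer:  # iss, aud and iat: same rules as for an id_token
        raise ValueError("iss mismatch")
    aud = claims.get("aud")
    if client_id not in (aud if isinstance(aud, list) else [aud]):
        raise ValueError("aud mismatch")
    iat = claims.get("iat")
    if not isinstance(iat, int) or not (now - max_age <= iat <= now + 60):
        raise ValueError("iat outside the acceptable window")
    # Logout Token refinements
    if "sub" not in claims and "sid" not in claims:
        raise ValueError("neither sub nor sid present")
    events = claims.get("events")
    if not isinstance(events, dict) or not isinstance(events.get(BACKCHANNEL_EVENT), dict):
        raise ValueError("events claim lacks the backchannel-logout member")
    if "nonce" in claims:
        raise ValueError("nonce MUST NOT be present")
    jti = claims.get("jti")
    if not jti or jti in SEEN_JTIS:
        raise ValueError("jti missing or recently seen")
    SEEN_JTIS.add(jti)
    return claims
```

Feeding the page's non-normative claims set through validate_logout_token returns it unchanged; presenting the same token twice, adding a nonce, dropping both sub and sid, or signing with the wrong key each raises ValueError.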