LDAPWiki: Logout Token

Overview#

Logout Token is a JSON Web Token is sent from OpenID Connect Provider to Relying Party request that they logout.

Logout Token is defined in OpenID Connect Back-Channel Logout

Logout Token is similar to an id_token

The following Claims are used within the Logout Token:

iss REQUIRED
sub OPTIONAL
aud REQUIRED
iat REQUIRED
jti REQUIRED
events REQUIRED. Claim whose value MUST be a JSON Object containing the member name http://schemas.openid.net/event/backchannel-logout. This declares that the JWT is a Logout Token. The corresponding member value MUST be a JSON Object and SHOULD be the empty JSON object {}.
sid OPTIONAL

A Logout Token MUST contain either a sub or a sid Claim, and MAY contain both. If a sid Claim is not present, the intent is that all sessions at the RP for the End-User identified by the iss and sub Claims be logged out.

The following Claim MUST NOT be used within the Logout Token:

nonce PROHIBITED - A nonce Claim MUST NOT be present. Its use is prohibited to make a Logout Token syntactically invalid if used in a forged Authentication Response in place of an id_token.

Logout Tokens MAY contain other Claims. Any Claims used that are not understood MUST be ignored.

A Logout Token MUST be signed (JWS) and MAY also be encrypted (JWE). The same keys are used to sign and encrypt Logout Token as are used for id_token.

NOTE: The Logout Token is compatible with Security Event Token (SET) I‑D.ietf‑secevent‑token draft -00.

A non-normative example JWT Claims Set for a Logout Token follows:

  {
   "iss": "https://server.example.com",
   "sub": "248289761001",
   "aud": "s6BhdRkqt3",
   "iat": 1471566154,
   "jti": "bWJq",
   "sid": "08a5019c-17e1-4977-8f42-65a12843ea02",
   "events": {
     "http://schemas.openid.net/event/backchannel-logout": {}
     }
  }

Relying Party Logout Token Validation #

Upon receiving a logout request at the back-channel logout URI, the Relying Party MUST validate the Logout Token as follows:

If the Logout Token is encrypted, decrypt it using the keys and algorithms that the Client specified during Registration that the OP was to use to encrypt id_token.
If id_token encryption was negotiated with the OP at Registration time and the Logout Token is not encrypted, the Relying Party SHOULD reject it.
Validate the Logout Token signature in the same way that an id_token signature is validated, with the following refinements.
Validate the iss, aud, and iat Claims in the same way they are validated in id_tokens.
Verify that the Logout Token contains a sub Claim, a sid Claim, or both.
Verify that the Logout Token contains an events Claim whose value is JSON Object containing the member name http://schemas.openid.net/event/backchannel-logout.
Verify that the Logout Token does not contain a nonce Claim.
Optionally verify that another Logout Token with the same jti value has NOT been recently received.

If any of the validation steps fails, reject the Logout Token and return an HTTP 400 Bad Request error. Otherwise, proceed to perform the logout actions.

More Information#

There might be more information for this subject on one of the following:

Overview#

Relying Party Logout Token Validation#

More Information#

Relying Party Logout Token Validation #