RP Initiated Logout to OP

From MgmtWiki

Full Title or Meme

When a user ends an OpenID Connect (OIDC) session from the application side (RP-Initiated Logout), the following steps typically occur. OIDC calls the identity provider the OpenID Provider (OP); the page uses the general term IdP for the same party.

1. **User Interaction:**

  - The user interacts with the application (relying party, RP) and decides to log out.
  - The RP initiates the logout by redirecting the user's browser to the identity provider (IdP), rather than only dropping its own session cookie.

2. **RP Sends Logout Request:**

  - The RP redirects the browser (HTTP GET, or an HTML form POST) to the IdP's end_session_endpoint, which the IdP publishes in its discovery document.
  - The request carries an id_token_hint (the ID Token the IdP previously issued to this RP, which identifies both the session and the client), the client_id, an optional post_logout_redirect_uri, and a state value the RP later uses to match the return redirect. The IdP's own session cookie is sent by the browser; it is not a request parameter the RP supplies.

3. **IdP Processes Logout Request:**

  - The IdP receives the logout request.
  - It validates the request: the id_token_hint must have been issued by this IdP for the named client and must match the browser's current IdP session (an expired ID Token is still acceptable as a hint). If no usable hint is present, the IdP should ask the user to confirm the logout instead of acting silently.
  - Any post_logout_redirect_uri must exactly match one pre-registered for that client; otherwise the IdP must not redirect to it, since an unchecked redirect target turns the logout endpoint into an open redirector.
  - The IdP may also perform additional tasks, such as revoking tokens or notifying other RPs.

4. **User Is Logged Out:**

  - The IdP invalidates the user's session (local or federated).
  - The user is effectively logged out from the IdP.

5. **Optional: Single Sign-On (SSO) Considerations:**

  - If the user had an SSO session (multiple RPs sharing the same IdP session), the IdP notifies the other RPs about the logout.
  - Notification uses Front-Channel Logout (the IdP renders each RP's frontchannel_logout_uri in an iframe while the browser is still present) or Back-Channel Logout (the IdP POSTs a signed logout_token JWT to each RP's backchannel_logout_uri, identifying the session by sid or sub). RPs that registered neither mechanism are not notified and keep their local sessions until they expire.

6. **RP Receives Logout Response:**

  - If a valid post_logout_redirect_uri was supplied, the IdP redirects the browser to it, echoing the state value the RP sent.
  - The RP checks that the returned state matches the one it stored, then finishes any local clean-up. The RP should have cleared its own session before redirecting to the IdP in step 2, because the return redirect may never arrive (the user closes the browser, or the IdP shows its own confirmation page instead).

7. **User Experience:**

  - The user is redirected to a post-logout page (configured by the RP).
  - This page may display a confirmation message or provide further instructions.

The specifics vary with the OIDC implementation, the RP's registration, and the IdP's behavior. The normative details are in the OpenID Connect RP-Initiated Logout 1.0, Front-Channel Logout 1.0 and Back-Channel Logout 1.0 specifications; for a particular deployment, consult the documentation for that IdP and RP library.
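The seven steps above, played out in one process, as an added example that is not part of the original page or of any particular OIDC product. It simulates the RP building the end_session request, the OP validating the id_token_hint and the redirect target, the OP issuing Back-Channel logout_tokens to the other RP in the SSO session, and both RPs cleaning up. The issuer URL, client identifiers, redirect URIs, the HS256 shared key and the user names are all constructed for the example; a real OP signs with an asymmetric key published at its jwks_uri, and a real RP sends the request as a browser redirect rather than a function call.

```python
import base64
import hashlib
import hmac
import json
import secrets
import time
from urllib.parse import parse_qs, urlencode, urlparse

# Constructed values for this example only.
ISSUER = "https://op.example"
END_SESSION_ENDPOINT = ISSUER + "/end_session"
OP_KEY = b"demo-hs256-key"  # assumption: a real OP uses RS256/ES256 keys, not a shared secret
BACKCHANNEL_EVENT = "http://schemas.openid.net/event/backchannel-logout"


def _b64url(data):
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _b64url_decode(text):
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def sign_jwt(claims, key):
    """Minimal HS256 JWT signer (stdlib only) standing in for the OP's real signing key."""
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = _b64url(json.dumps(claims).encode())
    sig = hmac.new(key, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url(sig)}"


def verify_jwt(token, key):
    header, payload, sig = token.split(".")
    expected = hmac.new(key, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(_b64url_decode(sig), expected):
        raise ValueError("JWT signature invalid")
    return json.loads(_b64url_decode(payload))


# ---------- Relying party (RP) side ----------
def rp_build_logout_url(session, client_id, post_logout_redirect_uri):
    """Step 2: build the end_session request; clear local login state before redirecting."""
    state = secrets.token_urlsafe(16)
    params = {"id_token_hint": session["id_token"], "client_id": client_id,
              "post_logout_redirect_uri": post_logout_redirect_uri, "state": state}
    session.clear()                    # local logout must not depend on the OP redirecting back
    session["logout_state"] = state
    return END_SESSION_ENDPOINT + "?" + urlencode(params)


def rp_handle_post_logout_redirect(session, url):
    """Steps 6-7: browser returns to post_logout_redirect_uri; bind it to our request via state."""
    state = parse_qs(urlparse(url).query).get("state", [""])[0]
    expected = session.pop("logout_state", "")
    return bool(expected) and hmac.compare_digest(state.encode(), expected.encode())


def rp_handle_backchannel_logout(token, client_id, rp_sessions):
    """Step 5 at another RP: validate a logout_token and drop every local session with that sid."""
    claims = verify_jwt(token, OP_KEY)
    if (claims.get("iss") != ISSUER or claims.get("aud") != client_id
            or BACKCHANNEL_EVENT not in claims.get("events", {}) or "nonce" in claims):
        raise ValueError("logout_token rejected")
    doomed = [k for k, v in rp_sessions.items() if v.get("sid") == claims.get("sid")]
    for k in doomed:
        del rp_sessions[k]
    return len(doomed)


# ---------- OpenID Provider (OP) side ----------
class OpenIDProvider:
    def __init__(self, clients):
        self.clients = clients          # client_id -> {"post_logout_redirect_uris": [...]}
        self.sessions = {}              # sid -> {"sub": ..., "clients": set()}

    def login(self, sub, client_id, sid=None):
        """Create or reuse an OP session (SSO) and issue an ID Token carrying its sid."""
        sid = sid or secrets.token_urlsafe(12)
        sess = self.sessions.setdefault(sid, {"sub": sub, "clients": set()})
        sess["clients"].add(client_id)
        now = int(time.time())
        return sid, sign_jwt({"iss": ISSUER, "sub": sub, "aud": client_id, "iat": now,
                              "exp": now + 600, "sid": sid}, OP_KEY)

    def end_session(self, url, browser_sid):
        """Steps 3-6: validate the request, end the session, notify other RPs, redirect safely."""
        q = {k: v[0] for k, v in parse_qs(urlparse(url).query).items()}
        client = self.clients.get(q.get("client_id"))
        hint = verify_jwt(q["id_token_hint"], OP_KEY)  # this example requires a hint; exp is not enforced
        if client is None or hint.get("iss") != ISSUER or hint.get("aud") != q["client_id"]:
            raise ValueError("id_token_hint does not match this OP/client")
        sess = self.sessions.get(browser_sid)
        if sess is None or hint.get("sid") != browser_sid or hint.get("sub") != sess["sub"]:
            raise ValueError("id_token_hint does not match the browser's OP session")
        # Only an exact-match registered URI may be redirected to; otherwise no redirect at all.
        redirect, target = None, q.get("post_logout_redirect_uri")
        if target in client["post_logout_redirect_uris"]:
            redirect = target + "?" + urlencode({"state": q["state"]}) if "state" in q else target
        del self.sessions[browser_sid]
        now = int(time.time())
        logout_tokens = {cid: sign_jwt({"iss": ISSUER, "sub": sess["sub"], "aud": cid, "iat": now,
                                        "exp": now + 120, "jti": secrets.token_hex(8), "sid": browser_sid,
                                        "events": {BACKCHANNEL_EVENT: {}}}, OP_KEY)
                         for cid in sess["clients"] if cid != q["client_id"]}
        return {"redirect": redirect, "backchannel": logout_tokens}


def demo():
    """Constructed walk-through: alice is logged in to rp-a and rp-b via one OP session; rp-a logs out."""
    op = OpenIDProvider({"rp-a": {"post_logout_redirect_uris": ["https://rp-a.example/logged-out"]},
                         "rp-b": {"post_logout_redirect_uris": ["https://rp-b.example/bye"]}})
    sid, id_token_a = op.login("alice", "rp-a")
    op.login("alice", "rp-b", sid=sid)
    rp_a_session = {"id_token": id_token_a, "user": "alice"}
    rp_b_sessions = {"cookie-b-1": {"user": "alice", "sid": sid}}
    logout_url = rp_build_logout_url(rp_a_session, "rp-a", "https://rp-a.example/logged-out")
    result = op.end_session(logout_url, browser_sid=sid)
    state_ok = rp_handle_post_logout_redirect(rp_a_session, result["redirect"])
    dropped = rp_handle_backchannel_logout(result["backchannel"]["rp-b"], "rp-b", rp_b_sessions)
    return {"redirect": result["redirect"], "state_ok": state_ok, "rp_b_dropped": dropped,
            "op_session_gone": sid not in op.sessions, "rp_a_session": rp_a_session}


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

Two behaviours worth noting when running it: the RP's session is empty before the OP is ever contacted, so a user who closes the tab mid-redirect is still logged out locally; and an unregistered post_logout_redirect_uri makes end_session return no redirect while still terminating the OP session, which is the spec's intended defence against the logout endpoint being abused as an open redirector.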

References

Other Material