authentik/website/docs/add-secure-apps/providers/oauth2/backchannel-logout.mdx
Marcelo Elizeche Landó 336aa7f5e9 website/docs: Add docs for oauth2 back-channel logout (#15845)
Co-authored-by: Tana M Berry <tanamarieberry@yahoo.com>
Co-authored-by: Dewi Roberts <dewi@goauthentik.io>
Co-authored-by: Dominic R <dominic@sdko.org>
Co-authored-by: dewi-tik <dewi@goauthentik.io>
2025-08-07 18:13:07 +02:00

---
title: OAuth2/OpenID Connect back-channel logout
description: Configure back-channel logout for OAuth2/OpenID Connect providers
authentik_version: "2025.8.0"
authentik_preview: true
---
## Overview
Back-channel logout is a security feature defined in the [OpenID Connect Back-Channel Logout 1.0 specification](https://openid.net/specs/openid-connect-backchannel-1_0.html). It allows an OpenID Provider (OP), such as authentik, to notify Relying Parties (RPs) when a user session ends. This ensures that all associated applications can properly terminate the user's session, even without direct user interaction.
:::warning
Your OAuth application (Relying Party) must explicitly support the OpenID Connect Back-Channel Logout 1.0 specification to properly handle back-channel logout requests. Not all OAuth applications support this feature, so compatibility should be verified.
:::
## How back-channel logout works
When a user logs out _or_ their session is otherwise terminated in authentik, the following events occur:
1. **Session Termination**: The user's session is ended through the logout flow, an administrative action, or token revocation.
2. **Provider Notification**: authentik identifies all OAuth2 providers with active sessions for the user.
3. **Back-Channel Request**: HTTP POST requests are sent to each provider's configured back-channel logout URI.
4. **RP Processing**: Each Relying Party processes the request, validates the logout token, and terminates the user's local session.
## Requirements
Your OAuth application (Relying Party) must:
- **HTTPS**: Use HTTPS in production.
- **Accessible**: Be reachable from authentik.
- **POST Support**: Accept POST requests with form data.
## Configuration
### Set up back-channel logout
1. In the Admin interface, navigate to **Applications** > **Providers**.
2. Edit or [create an OAuth2 provider](./create-oauth2-provider.md).
3. Enter the back-channel logout endpoint URL provided by your Relying Party in the **Back-channel Logout URI** field.
### Back-channel logout URI format
The back-channel logout URI should be a **single URL** provided by your Relying Party application. Examples:
- `https://app.example.com/oauth/backchannel-logout`
- `https://api.service.com/logout/backchannel`
- `https://client.example.org/backchannel-logout`
## Logout token
The back-channel logout request includes a **logout token** as form data:
```http
POST /backchannel-logout HTTP/1.1
Host: client.example.org
Content-Type: application/x-www-form-urlencoded

logout_token=eyJhbGciOiJSUzI1NiIsInR5cCI6IkpXVCJ9...
```
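The RP-side processing named in step 4 above and the logout token shown here, as an added example that is not authentik's code: a Python check that parses the form body and enforces the logout-token rules of the specification (section 2.6). HS256 with a shared key stands in for the OP's signature so the example runs offline; a real RP verifies the OP's RS256 signature against its published JWKS. The issuer, client ID, key and claim values are constructed.

```python
import base64, hashlib, hmac, json, time
from urllib.parse import parse_qs

BACKCHANNEL_EVENT = "http://schemas.openid.net/event/backchannel-logout"

def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def _b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def _require(cond, msg):
    if not cond:
        raise ValueError(msg)

def make_logout_token(claims: dict, key: bytes) -> str:
    """Constructed fixture standing in for the OP: an HS256-signed JWT."""
    h = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    p = _b64url(json.dumps(claims).encode())
    sig = hmac.new(key, f"{h}.{p}".encode(), hashlib.sha256).digest()
    return f"{h}.{p}.{_b64url(sig)}"

def verify_logout_token(body: str, key: bytes, issuer: str, client_id: str,
                        seen_jtis: set, now=None, max_age: int = 120) -> dict:
    """RP side: parse the form body, check the signature, then enforce the
    logout-token rules of OIDC Back-Channel Logout 1.0, section 2.6."""
    parts = parse_qs(body).get("logout_token", [""])[0].split(".")
    _require(len(parts) == 3, "malformed logout_token")
    h, p, sig = parts
    # Pin the algorithm instead of trusting the header; this rejects 'none'.
    _require(json.loads(_b64url_decode(h)).get("alg") == "HS256", "unexpected alg")
    expected = hmac.new(key, f"{h}.{p}".encode(), hashlib.sha256).digest()
    _require(hmac.compare_digest(expected, _b64url_decode(sig)), "bad signature")
    claims = json.loads(_b64url_decode(p))
    now = time.time() if now is None else now
    aud = claims.get("aud")
    aud = [aud] if isinstance(aud, str) else (aud or [])
    _require(claims.get("iss") == issuer, "iss mismatch")
    _require(client_id in aud, "aud does not include this client")
    iat = claims.get("iat")
    _require(isinstance(iat, int) and now - max_age <= iat <= now + 60, "iat out of window")
    _require("sub" in claims or "sid" in claims, "token must carry sub and/or sid")
    _require("nonce" not in claims, "nonce is prohibited in logout tokens")
    events = claims.get("events")
    _require(isinstance(events, dict) and BACKCHANNEL_EVENT in events, "missing logout event")
    jti = claims.get("jti")  # replay protection: accept each jti only once
    _require(jti and jti not in seen_jtis, "missing or replayed jti")
    seen_jtis.add(jti)
    return claims
```

On success the RP ends every local session matching `sid` (or all sessions for `sub`) and answers `200 OK`; on `ValueError` it answers `400 Bad Request` and logs the reason.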
## Related Documentation
- [OAuth2 Provider Configuration](./index.mdx)
- [OpenID Connect Back-Channel Logout 1.0 Specification](https://openid.net/specs/openid-connect-backchannel-1_0.html)