authentik/website/docs/add-secure-apps/providers/oauth2/frontchannel_and_backchannel_logout.mdx
Dewi Roberts 9d41d41b4f website/docs: add email verification scope doc (#20141)
* WIP

* Add link to 2025.10 release notes

* Apply suggestions from code review

Co-authored-by: Dominic R <dominic@sdko.org>
Signed-off-by: Dewi Roberts <dewi@goauthentik.io>

---------

Signed-off-by: Dewi Roberts <dewi@goauthentik.io>
Co-authored-by: Dominic R <dominic@sdko.org>
2026-02-11 15:55:25 +00:00

---
title: Front-channel and back-channel logout
description: Configure front-channel and back-channel logout for OAuth2/OpenID Connect providers
authentik_version: "2025.8.0"
authentik_preview: true
---
## Overview
OAuth2/OIDC logout is a security feature defined in the OpenID Connect specification. It allows an OIDC Provider (OP), such as authentik, to notify Relying Parties (RPs) when a user session ends. This ensures that all associated applications can properly terminate the user's session.
For more information about single logout across all providers, see the [Single Logout (SLO) Overview](../single-logout/index.md).
:::warning
Your OAuth application (Relying Party) must explicitly support OpenID Connect front-channel logout or back-channel logout to properly handle logout requests. Not all OAuth applications support these features, so compatibility should be verified.
:::
## Requirements
Your OAuth application (Relying Party) must:
- **HTTPS**: Use HTTPS in production.
- **Accessible**: Be reachable from authentik.
- **Logout endpoint**: Have a defined endpoint to handle OP logout requests (front-channel, back-channel, or both).
## Configuration
### Set up single logout
1. Log in to authentik as an administrator and open the authentik Admin interface.
2. Navigate to **Applications** > **Providers**.
3. Edit or create an OAuth2 provider.
4. In the **Logout URI** field, enter the logout endpoint provided by your RP, if supported.
5. Select the **Logout Method** to choose **Front-channel** or **Back-channel** based on RP support.
6. Click **Finish** to save your changes.
:::info
Back-channel logout is the only way to ensure that users are logged out of the provider when their session is administratively terminated (e.g., when a user is deactivated or their session is deleted).
:::
### Logout URI format
The **Logout URI** should be a single URL provided by your Relying Party application, for example:
#### Back-channel
```
https://app.example.com/oauth/backchannel-logout
https://api.service.com/logout/backchannel
https://client.example.org/backchannel-logout
```
#### Front-channel
```
https://app.example.com/oauth/logout
https://api.service.com/logout
```
## RP-initiated Single Logout
OIDC Relying Parties can initiate logout by redirecting a user to authentik's `end_session` endpoint. By default, only that application's session is ended while the authentik session remains active and the user stays logged in to other applications.
For instructions on how to trigger full Single Logout when a user logs out from an application, see [Enable full Single Logout for RP-initiated logout](../single-logout/index.md#enable-full-single-logout-for-rp-initiated-logout).
## How OpenID Connect single logout works
### Back-channel logout
With back-channel logout, authentik sends logout requests directly from the server to the RP's logout endpoint via HTTP POST. The logout request carries a signed JWT logout token that contains the following JWT claims:
- `iss` (issuer): The authentik issuer URL
- `sub` (subject): The user's unique identifier
- `aud` (audience): The client ID
- `iat` (issued at): Token creation timestamp
- `jti` (JWT ID): Unique token identifier
- `events`: Logout event claim
- `sid` (session ID): The session identifier (if available)
Example back-channel logout request:
```http
POST /backchannel-logout HTTP/1.1
Host: client.example.org
Content-Type: application/x-www-form-urlencoded

logout_token=eyJhbGciOiJSUzI1NiIsInR5cCI6IkpXVCJ9...
```
Back-channel logout is triggered when:
- A user logs out through a logout flow
- An administrator deletes a user's session
- A user account is deactivated
- A session expires or is revoked
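An RP-side handler for the request shown above, written here as an added example (it is not authentik's code and not an official client library): it parses the POSTed `logout_token`, applies the claim checks the Back-Channel Logout specification requires (signed, `iss`/`aud` match, fresh `iat`, no `nonce`, the `events` member, `sub` and/or `sid`, unique `jti`), and ends the matching local sessions. The names `validate_logout_token`, `handle_backchannel_logout` and the `sessions` dict are assumptions; `verify_signature` is a caller-supplied callback that must check the JWS against authentik's JWKS with a JWT library, and `sample_token` only builds a constructed token with a placeholder signature so the block runs offline.

```python
import base64, json
from urllib.parse import parse_qs
LOGOUT_EVENT = "http://schemas.openid.net/event/backchannel-logout"  # event key fixed by the spec

def _json_segment(segment: str) -> dict:
    obj = json.loads(base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4)))
    return obj if isinstance(obj, dict) else {}

def validate_logout_token(token, issuer, client_id, verify_signature, seen_jti, now, max_age=120):
    """Claim checks from Back-Channel Logout 1.0; verify_signature(token) must do the JWS check."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWS")
    if _json_segment(parts[0]).get("alg", "none").lower() == "none" or not verify_signature(token):
        raise ValueError("unsigned or badly signed logout token")
    c = _json_segment(parts[1])
    aud = c.get("aud")
    if c.get("iss") != issuer or client_id not in (aud if isinstance(aud, list) else [aud]):
        raise ValueError("iss/aud do not match this RP's OP configuration")
    if not isinstance(c.get("iat"), (int, float)) or abs(now - c["iat"]) > max_age:
        raise ValueError("iat missing or outside the acceptance window")
    if "nonce" in c:  # a logout token MUST NOT carry nonce; that marks an ID token
        raise ValueError("nonce present")
    if not isinstance(c.get("events"), dict) or not isinstance(c["events"].get(LOGOUT_EVENT), dict):
        raise ValueError("events claim lacks the backchannel-logout member")
    if "sub" not in c and "sid" not in c:
        raise ValueError("logout token needs sub and/or sid")
    if not c.get("jti") or c["jti"] in seen_jti:
        raise ValueError("jti missing or replayed")
    seen_jti.add(c["jti"])
    return c

def handle_backchannel_logout(form_body, sessions, **validate_kwargs):
    """End local sessions matching sid (or sub when no sid); returns (http_status, ended_count)."""
    token = parse_qs(form_body).get("logout_token", [""])[0]
    try:
        c = validate_logout_token(token, **validate_kwargs)
    except ValueError:
        return 400, 0
    key = "sid" if "sid" in c else "sub"
    ended = [k for k, s in sessions.items() if s.get(key) == c[key]]
    for k in ended:
        sessions.pop(k)
    return 200, len(ended)

def sample_token(claims, sig=b"constructed-signature"):  # constructed sample, placeholder signature
    enc = lambda raw: base64.urlsafe_b64encode(raw).rstrip(b"=").decode()
    head = enc(json.dumps({"alg": "RS256", "typ": "JWT"}).encode())
    return f"{head}.{enc(json.dumps(claims).encode())}.{enc(sig)}"
```

A real handler also answers with `Cache-Control: no-store` and keeps `seen_jti` in shared storage so a replayed token is rejected by every instance of the RP.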
### Front-channel logout
With front-channel logout, authentik injects an iframe logout stage into the logout flow. This stage loads the Relying Party's front-channel logout URL in a hidden iframe within the user's browser. The logout URL includes session information as query parameters, such as:
- `iss`: The authentik issuer URL
- `sid`: The session identifier
Example front-channel logout iframe:
```html
<iframe
src="https://app.example.com/oauth/logout?iss=https://authentik.company&sid=session_id"
></iframe>
```
The RP processes the logout request and terminates the user's session. After all iframes complete their requests, the user continues through the authentik logout flow.
:::info
Front-channel logout only works for user-initiated logouts through a logout flow. It cannot be used for administrative session termination since it requires an active browser session.
:::
## Resources
- [Single Logout (SLO) Overview](../single-logout/index.md)
- [User Logout Stage](../../flows-stages/stages/user_logout.md)
- [OAuth2 Provider Configuration](./index.mdx)
- [OpenID Connect Back-Channel Logout 1.0 Specification](https://openid.net/specs/openid-connect-backchannel-1_0.html)
- [OpenID Connect Front-Channel Logout 1.0 Specification](https://openid.net/specs/openid-connect-frontchannel-1_0.html)