Support for OIDC back-channel logout
OpenID Connect back-channel logout ensures that when a user logs out of an authorization server, they are also automatically logged out of all related applications and services without relying on the user's browser for communication. To accomplish this, the OAuth 2.0 / OIDC authorization server sends a direct backend call to all OIDC clients involved in the current session to inform them of the user's logout.
IAM only supports back-channel logouts for tokens issued in OIDC Authorization Code or Hybrid Flows. There is no back-channel logout support for OAuth 2.0 Authorization Code Grants, Client Credentials Grants or Token Exchanges.
Errors that occur when performing a back-channel logout call are logged, but will not prevent the user's logout.
Prerequisites
To perform back-channel logout for OAuth2 sessions, the following prerequisites must be fulfilled:
- The client has completed at least one OIDC Authorization Code Flow or Hybrid Flow during the current user session.
- On the corresponding OAuth / OIDC authorization server, the property Delete Tokens on Logout has been set to Session (default) or All. For more details, see OAuth authorization server advanced settings.
- On the corresponding static OIDC client, the URI to which to send the back-channel logout request as well as the HTTP client that executes the back-channel logout request are configured. For more details, see the next section.
Note that currently there is no back-channel logout support for dynamic clients.
Configuring back-channel logout for static OIDC clients
- Go to Loginapp >> section OpenID Connect, OAuth, SAML, One-Shot >> OAuth 2.0/OIDC Authorization Servers.
- For the respective static client configured in the OAuth 2.0/OIDC Authorization Server plugin dialog, open the corresponding OAuth 2.0 Static Client plugin dialog.
- Go to section Back-Channel Logout Settings. Specify the section's properties as follows:
- Back-Channel Logout URI: Defines the URI to which to send the back-channel logout request when the user logs out. If no URI is specified, or if the property Delete Tokens on Logout is set to None in the corresponding OAuth 2.0 / OIDC authorization server settings, no logout request will be sent.
- HTTP Client: Defines the client that executes the back-channel logout request.
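The service behind the configured Back-Channel Logout URI receives a POST carrying a logout_token and must validate it before ending any session. The following is an added example of that relying-party endpoint logic (not code from the IAM documentation or product); the issuer, client_id, HMAC key and in-memory session store are constructed assumptions.

```python
import base64, hashlib, hmac, json, time

# Constructed values, not from the page: the relying party's client_id, the issuer
# it trusts and a shared HMAC key standing in for the authorization server's
# signing key (real deployments verify RS256/ES256 against the server's JWKS).
ISSUER = "https://iam.example.com/auth"
CLIENT_ID = "my-static-client"
KEY = b"constructed-demo-key"
BACKCHANNEL_EVENT = "http://schemas.openid.net/event/backchannel-logout"

def _b64url(raw):
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()

def _b64url_decode(s):
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def sign_logout_token(claims):
    """Plays the authorization server's role so the example runs offline."""
    head = _b64url(json.dumps({"alg": "HS256"}).encode())
    body = _b64url(json.dumps(claims).encode())
    sig = hmac.new(KEY, f"{head}.{body}".encode(), hashlib.sha256).digest()
    return f"{head}.{body}.{_b64url(sig)}"

def validate_logout_token(token, now=None, max_skew=300):
    """Checks required by OIDC Back-Channel Logout 1.0 for a logout_token."""
    now = int(time.time()) if now is None else now
    head, body, sig = token.split(".")
    want = hmac.new(KEY, f"{head}.{body}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(want, _b64url_decode(sig)):
        raise ValueError("signature does not verify")
    c = json.loads(_b64url_decode(body))
    aud = c.get("aud") if isinstance(c.get("aud"), list) else [c.get("aud")]
    if c.get("iss") != ISSUER or CLIENT_ID not in aud:
        raise ValueError("issuer or audience mismatch")
    if abs(now - int(c.get("iat", 0))) > max_skew:
        raise ValueError("iat outside accepted window")
    # A logout token needs sub and/or sid; a nonce marks an ID token, never accepted here.
    if not (c.get("sub") or c.get("sid")) or "nonce" in c:
        raise ValueError("needs sub/sid and must carry no nonce")
    if BACKCHANNEL_EVENT not in (c.get("events") or {}):
        raise ValueError("backchannel-logout event missing")
    return c

def handle_backchannel_logout(form, sessions, now=None):
    """Endpoint logic: drop every local session the logout_token refers to."""
    c = validate_logout_token(form["logout_token"], now)
    key, value = ("sid", c["sid"]) if c.get("sid") else ("sub", c["sub"])
    ended = [s for s, data in sessions.items() if data.get(key) == value]
    for s in ended: del sessions[s]
    return ended  # the endpoint then answers HTTP 200 with an empty body
```

A token with a sid ends only that session; a token carrying just sub ends all of that user's sessions at this client.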