Merge pull request #5894 from piraveena/fc-logout

Add OIDC Frontchannel logout docs to IS

Author: himeshsiriwardana

en/identity-server/next/docs/assets/img/guides/oidc-logout/oidc-backchannel-logout-configuration.png

@@ -0,0 +1,4 @@
+{% set product_name = "WSO2 Identity Server" %}
+{% set product_url_format = "https://localhost:9443" %}
+{% set product_url_sample = "https://localhost:9443" %}
+{% include "../../../../../../includes/guides/authentication/oidc/add-front-channel-logout.md" %}

en/identity-server/next/docs/assets/img/guides/oidc-logout/oidc-backchannel-logout-scenario.png

@@ -712,8 +712,9 @@ nav:
               - Revoke tokens: guides/authentication/oidc/revoke-tokens.md
               - Configure token exchange: guides/authentication/configure-token-exchange.md
             - Logout:
-              - Front-channel logout: guides/authentication/oidc/add-logout.md
+              - RP-initiated logout: guides/authentication/oidc/add-logout.md
               - Back-channel logout: guides/authentication/oidc/add-back-channel-logout.md
+              - Front-channel logout: guides/authentication/oidc/add-front-channel-logout.md
               - Federated IdP-initiated logout: guides/authentication/oidc/oidc-federated-idp-initiated-logout.md
           - Configure SAML flows:
             - Configure SAML flows: guides/authentication/saml/index.md

en/identity-server/next/docs/assets/img/guides/oidc-logout/oidc-frontchannel-logout-configuration.png

@@ -1,94 +1,74 @@
-
-{% if product_name == "WSO2 Identity Server" %}
 # Implement back-channel logout
 
-Back-channel logout allows users to be logged out from a client application through direct communication of logout requests between the client application and the authorization server.
-
-## How it works
-
-The underlying message flow of OpenID Connect (OIDC) back-channel logout is as follows:
-
-1. A user logout is initiated by either the client application or the authorization server.
-2. The authorization server identifies all client applications associated with the user's session.
-3. The authorization server generates a logout token, a special JWT containing specific claims, and sends it with a logout request to the logout endpoints of the identified client applications.
-4. Upon receiving the logout token, each client application validates it and then invalidates the corresponding user session.
+{% if product_name == "WSO2 Identity Server" %}
 
-## Prerequisites
-To get started, you need to:
-  
-- [Register two OIDC application with {{ product_name }}]({{base_path}}/guides/applications/register-oidc-web-app/). Application names used in this guide are `Playground_app1` and `Playground_app2`
+Back-channel logout, defined in the OpenID Connect (OIDC) specification, allows logging out of client applications without user interaction. Unlike front-channel logout that relies on the user's browser to notify each client application, back-channel logout happens entirely through server-to-server communication between the authorization server and the client applications.
 
-- [Download two instances of the playground application](https://github.com/wso2/samples-is/releases/download/v4.5.2/playground2.war) as this guide uses the playground sample app. Rename the second file as `playground3.war`.
+For protocol details, see the OpenID specification: [OpenID Connect Back-Channel Logout 1.0](https://openid.net/specs/openid-connect-backchannel-1_0.html).
 
-- Configure the sample applications;
+## How it works
 
-    1. Copy the downloaded playground.war file into `<TOMCAT_HOME>/apache-tomcat-<version>/webapps` folder.
-    2. Start the Tomcat server.
-    3. If required, update the `<param-value>` parameters for the `serverUrl`, `username` and `password` in the `WEB-INF/web.xml` file.
-    4. Restart the Tomcat server, if you have done any changes to the `WEB-INF/web.xml` file.
+![oidc-backchannel-logout-scenario]({{base_path}}/assets/img/guides/oidc-logout/oidc-backchannel-logout-scenario.png)
 
-## Configure back-channel logout
+The underlying message flow of OIDC back-channel logout happens as follows:
 
-- To configure back-channel logout for `Playground_app1`:
+1. The client application initiates a user logout.
+2. {{ product_name }} identifies all the client applications associated with the user's session.
+3. {{ product_name }} generates a logout token, a special  JWT (JSON Web Token) containing specific claims and sends it with a logout request to the logout endpoints of all the client applications.
+4. Upon receiving the logout token, each client application validates the token and proceeds to invalidate the corresponding user session.
 
-    1. On the WSO2 Identity Server Console, go to **Applications** and select your OIDC application.
-    2. Go to the **Protocol** tab and enter the following details:
+## Configure back-channel logout URL
 
-        | Field Name    | Value |
-        |---------------|-------|
-        | Grant type    | Implicit  |
-        | Back channel logout URL   | http://localhost:8080/playground3/bclogout    |
+Follow the steps below to register the back-channel endpoint of your application with {{product_name}}.
 
-    3. Click **Update** to save your configurations.
+!!! note "Before you begin"
 
-- To configure back-channel logout for `Playground_app2`:
+    [Register your OIDC application]({{base_path}}/guides/applications/) in {{product_name}}.
 
-    1. On the WSO2 Identity Server Console, go to **Applications** and select your OIDC application.
-    2. Go to the **Protocol** tab and enter the following details:
+1. On the {{ product_name }} Console, go to **Applications** and select your OIDC application.
 
-        | Field Name    | Value |
-        |---------------|-------|
-        | Grant type    | Implicit  |
-        | Back channel logout URL   | http://localhost:8080/playground2/bclogout    |
+2. Go to the **Protocol** tab, and under **Logout URLs**, enter the **Back channel logout URL**.
 
-    3. Click **Update** to save your configurations.
+    ![Configure backchannel logout URL]({{base_path}}/assets/img/guides/oidc-logout/oidc-backchannel-logout-configuration.png){: width="600" style="display: block; margin: 0; border: 0.3px solid lightgrey;"}
 
-## Try it out
+3. Click **Update** to save your configurations.
 
-1. Access the **Playgrpund_app1** application using the following URL: http://localhost:8080/playground2/.
+## Set up your client application
 
-2. Click **Import Photos**.
+To complete the back-channel logout flow, you must set up the client application so that it can perform the following required actions.
 
-3. Enter the following details:
+1. **Receive back-channel logout requests** - The client application must expose an endpoint that accepts POST requests from the authorization server to handle logout requests. You need to [register this endpoint with {{product_name}}](#configure-back-channel-logout-url).
 
-    | Field name  | Value |
-    |-------------|-------|
-    | **Authorization Grant Type**  | `Implicit`  |
-    | **Client ID**     | The OAuth Client ID received when registering the Playground_app1 in WSO2 Identity Server.  |
-    | **Callback URL**  | `http://localhost:8080/playground2/oauth2client`  |
-    | **Authorize Endpoint**  | `https://localhost:9443/oauth2/authorize` |
+2. **Validate the logout token** - The following is an example of the logout token sent by the {{ product_name }} to a client application:
 
-4. Click **Authorize**. You will be redirected to the WSO2 Identity Server login page.
+    ``` json
+    {
+    "iss": "{{product_url_sample}}/oauth2/token",
+    "sub": "aa21e449-****-****-****-****a6a3961f",
+    "aud": "w_Hwp05dF****_****9SNwpflAa",
+    "iat": 1609911868,
+    "exp": 1609911988,
+    "jti": "16159e3e-****-****-****-b0782ab33d58",
+    "sid": "15043ffc-****-****-****-9b107f7da38c",
+    "events": {
+       "http://schemas.openid.net/event/backchannel-logout": {}
+       }
+    }
+    ```
 
-5. Enter the credentials of your user account and click Sign In. You will now receive an ID Token.
+    Your client application must perform JWT token validation as defined in the [OIDC back-channel logout specification](https://openid.net/specs/openid-connect-backchannel-1_0.html#Validation). A summary of the validations is below.
 
-6. Access the **Playground_app2** application using the follwoing URL: http://localhost:8080/playground3/
+    - `iss`: Must match your trusted issuer.
 
-7. Repeat steps 2-5 for **Playground_app2** application with the following values:
+    - `aud`: Must match your application's client ID.
 
-    | Field name  | Value |
-    |-------------|-------|
-    | **Authorization Grant Type**  | `Implicit`  |
-    | **Client ID**     | The OAuth Client ID received when registering the Playground_app2 in WSO2 Identity Server.  |
-    | **Callback URL**  | `http://localhost:8080/playground3/oauth2client`  |
-    | **Authorize Endpoint**  | `https://localhost:9443/oauth2/authorize` |
+    - `iat` and `exp`: Must be within a valid timeframe.
 
-8. Click **Logout** on one of the applications. You will be prompted to consent to the logout.
+    - `events`: Must contain the http://schemas.openid.net/event/backchannel-logout claim.
 
-9. Provide consent. You will receive confirmation of sucessful logout.
+    - `sid`: Must be present to identify the session.
 
-10. Now, go to the other application and reload the page. Note that you are redirected to the login page of the playground application and you will see that the **Logged in user** has changed to `null`.
 
-You have successfully configured and tried out OIDC back-channel logout. You can check out the Tomcat logs on the terminal window to see the back-channel logout flow.
+3. **Terminate the user session** - Once the client validates the token and determines it to be valid, the client should use the `sid` claim to locate and terminate the user's session.
 
-{% endif %}
+{% endif %}

en/identity-server/next/docs/assets/img/guides/oidc-logout/oidc-frontchannel-logout-scenario.png

@@ -0,0 +1,67 @@
+
+{% if product_name == "WSO2 Identity Server" %}
+
+# Implement OIDC front-channel logout
+
+Front-channel logout lets the authorization server notify client applications to end a user's session through the user's browser via iframes.
+
+Use front-channel logout when client applications cannot accept server-to-server (back-channel) requests but can receive browser-delivered logout notifications.
+
+For protocol details see the OpenID specification: [OpenID Connect Front-Channel Logout 1.0](https://openid.net/specs/openid-connect-frontchannel-1_0.html).
+
+## How it works
+
+![oidc-front-channel-logout-scenario]({{base_path}}/assets/img/guides/oidc-logout/oidc-frontchannel-logout-scenario.png)
+
+The front-channel logout flow works as follows:
+
+1. The client application initiates a user logout.
+2. {{ product_name }} terminates the user's session.
+3. {{ product_name }} identifies all the client applications associated with the user's session.
+4. {{ product_name }} responds with an HTML page that embeds an iframe for each application that has a front-channel logout URI configured.
+5. Upon receiving the logout request, each client application validates the requests and proceeds to invalidate the corresponding user session.
+
+## Configure front-channel logout URL
+
+If your application supports OIDC front-channel logout, you can configure the logout URL of the application in the Console. That endpoint can listen to OIDC front-channel logout requests from {{ product_name }}, and terminate the application's sessions.
+
+To get started, you need to have an application registered in {{ product_name }}. If you don't already have one, [register a web app with OIDC]({{base_path}}/guides/applications/register-oidc-web-app/).
+
+Follow the steps below to register the front-channel endpoint of your application with {{product_name}}.
+
+!!! note "Before you begin"
+
+    [Register your OIDC application]({{base_path}}/guides/applications/) in {{product_name}}.
+
+1. On the {{product_name}} Console, go to **Applications** and select your OIDC application.
+
+2. Go to the **Protocol** tab, and under **Logout URLs**, enter the **Front channel logout URL**.
+
+       ![oidc-logout]({{base_path}}/assets/img/guides/oidc-logout/oidc-frontchannel-logout-configuration.png)
+
+3. Click **Update** to save your configurations.
+
+=== "Logout request format"
+
+    ```url
+    http://myapp.com?iss={{product_url_format}}/oauth2/token&sid={sid_value}
+    ```
+
+=== "Example request"
+
+    ```url
+    http://myapp.com?iss={{product_url_sample}}/oauth2/token&sid=15043ffc-****-****-****-9b107f7da38c
+    ```
+
+!!! note
+
+    **Cross-site cookie considerations**
+
+    Front-channel logout uses GET requests delivered via iframes to notify client domains. While GET requests in iframes have good browser support, modern browsers restrict third-party cookies and cross-site tracking, which can cause logout to fail.
+
+    *Recommendations:*
+
+    - Prefer [back-channel logout]({{base_path}}/guides/authentication/oidc/add-back-channel-logout/) for reliable server-to-server session termination, as it does not depend on browser cookie policies.
+    - Consider hosting applications on subdomains of a shared parent domain (for example, `app1.example.com` and `app2.example.com`) so cookies can use `Domain=.example.com` and become first-party.
+
+{% endif %}