Answers ( 1 )

  1. 2016-10-24 02:10

    There are at least a few specifications to support this but they are not part of the openid connect spec itself. Implementations may or may not support this. Here's one that I've found frequently supported: http://openid.net/specs/openid-connect-session-1_0.html#RPLogout

    Note: logout in openid connect is tricky. Which session(s) do you want to invalidate? Just the RP? If so, the RP can just sign right back in without credentials because the OP (OpenID Connect Identity Provider) still has a session. What if there are other RPs? Just some questions to think about.

◀ Go back