A question that comes up from time to time is whether there is support in mod_auth_openidc for Single Logout across multiple applications. Consider a platform with multiple reverse proxies protecting different applications with potentially different OIDC Client Configurations:

I would expect logout to work as follows:

```mermaid
sequenceDiagram
    autonumber
    actor ua as User-Agent
    participant idp as Identity Provider
    participant rp1 as Reverse Proxy 1 with mod_auth_openidc
    participant rp2 as Reverse Proxy 2 with mod_auth_openidc
    ua->>rp1: click logout button
    activate rp1
    rp1->>idp: send back-channel logout request
    rp1->>ua: redirect to idp logout endpoint
    deactivate rp1
    activate ua
    ua->>ua: clear local session cookies for App 1
    ua->>idp: send request to IdP logout endpoint
    deactivate ua
    activate idp
    idp->>ua: redirect to post-logout redirect URI
    activate ua
    ua->>ua: clear local session cookies for IdP
    deactivate ua
    idp-->>rp2: send back-channel logout request?
    deactivate idp
```

The main question relates to the back-channel logout request sent from the IdP to the other RPs where this user is logged in (Step 8).

From what I understand, the IdP would need to be configured to know about all Reverse Proxies where the user's identity might be used and where the logout request should be sent to. Also, the IdP would need to send some identifier that the Reverse Proxy can use to identify the user session to be terminated. Also, there is probably no way to inform the user about the logout happening in the background on the other RPs.

Does mod_auth_openidc support something along those lines? If yes, how would that be configured?

Replies: 1 comment

mod_auth_openidc supports the OpenID Connect backchannel and frontchannel Logout protocols, which will automatically be triggered upon logout based on the Provider's metadata document; see https://github.com/OpenIDC/mod_auth_openidc/wiki#9-how-do-i-logout-users (of course all RPs need to support this for a true single logout to succeed).
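To make the back-channel leg in step 8 concrete, here is an added example of what an RP has to do when the OP POSTs a `logout_token` to its back-channel logout URI. It is written for this page and is not mod_auth_openidc's own implementation. It assumes a hypothetical OP that signs the token with a shared HS256 secret so that everything stays in the Python standard library; a real OP signs asymmetrically and the RP verifies against the provider's JWKS. The issuer, client id, secret and session contents are all constructed values.

```python
"""Toy RP-side receiver for an OIDC Back-Channel Logout request (added example, not
mod_auth_openidc code). HS256 shared secret, issuer and client_id are constructed values."""
import base64
import hashlib
import hmac
import json
import time
from urllib.parse import parse_qs

BACKCHANNEL_EVENT = "http://schemas.openid.net/event/backchannel-logout"
MAX_CLOCK_SKEW = 300  # seconds of tolerance for the iat check


def b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def sign_hs256(claims: dict, secret: bytes) -> str:
    """Mint a compact JWS the way the hypothetical OP would (HS256 keeps it stdlib-only)."""
    header = b64url_encode(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = b64url_encode(json.dumps(claims).encode())
    sig = hmac.new(secret, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{b64url_encode(sig)}"


def validate_logout_token(token, secret, issuer, client_id, seen_jti, now=None):
    """Apply the logout_token checks of OIDC Back-Channel Logout 1.0; raise ValueError on failure."""
    now = time.time() if now is None else now
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed compact JWS")
    head, body, sig = parts
    if json.loads(b64url_decode(head)).get("alg") != "HS256":
        raise ValueError("unexpected alg")  # never let the token choose the algorithm
    expected = hmac.new(secret, f"{head}.{body}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, b64url_decode(sig)):
        raise ValueError("bad signature")
    claims = json.loads(b64url_decode(body))
    if claims.get("iss") != issuer:
        raise ValueError("wrong issuer")
    aud = claims.get("aud")
    if client_id not in ([aud] if isinstance(aud, str) else aud or []):
        raise ValueError("token not addressed to this client")
    if not isinstance(claims.get("iat"), (int, float)) or abs(now - claims["iat"]) > MAX_CLOCK_SKEW:
        raise ValueError("iat missing or outside skew window")
    events = claims.get("events")
    if not isinstance(events, dict) or BACKCHANNEL_EVENT not in events:
        raise ValueError("missing backchannel-logout event")
    if "sub" not in claims and "sid" not in claims:
        raise ValueError("token carries neither sub nor sid")
    if "nonce" in claims:
        raise ValueError("nonce is prohibited in a logout token")
    jti = claims.get("jti")
    if not jti or jti in seen_jti:
        raise ValueError("missing or replayed jti")
    seen_jti.add(jti)
    return claims


class SessionStore:
    """In-memory stand-in for the RP's session cache, keyed by local session id."""

    def __init__(self):
        self.sessions = {}  # local_id -> {"sub": ..., "sid": ...}

    def create(self, local_id, sub, sid):
        self.sessions[local_id] = {"sub": sub, "sid": sid}

    def terminate_matching(self, claims):
        """Prefer the OP session id (sid); fall back to every session of the subject."""
        if "sid" in claims:
            victims = [k for k, v in self.sessions.items() if v["sid"] == claims["sid"]]
        else:
            victims = [k for k, v in self.sessions.items() if v["sub"] == claims["sub"]]
        for key in victims:
            del self.sessions[key]
        return sorted(victims)


def handle_backchannel_logout(form_body, store, secret, issuer, client_id, seen_jti, now=None):
    """Process the OP's POST body (application/x-www-form-urlencoded, logout_token=...)."""
    tokens = parse_qs(form_body).get("logout_token", [])
    if len(tokens) != 1:
        return 400, []
    try:
        claims = validate_logout_token(tokens[0], secret, issuer, client_id, seen_jti, now)
    except ValueError:
        return 400, []  # per spec: respond 400 and leave every session untouched
    return 200, store.terminate_matching(claims)
```

The `sid` (or, failing that, `sub`) claim is the identifier the question asks about: the RP has to have stored the OP session id alongside its own cookie-bound session at login time, otherwise it can only match on the subject and will terminate all of that user's sessions at once. The `jti` set guards against a captured logout request being replayed, and the `nonce` check stops an ID token from being passed off as a logout token.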