Background:

• We have multiple applications (Relying Party - RP) which use IBM CI as their OP (OpenID Connect Provider)
• The RPs are a mix of both Single Page Application as well as Full Stack Applications (i.e., both Web Server and App Server)
• The RPs rely on the ‘prompt=none’ OP offering to provide a pseudo-single-sign-on since the RPs do not share a common session between each other.
  • This means that each RP obtains and manages its own ID, ACCESS and REFRESH Tokens

Scenario:

1. User, with a fresh session, goes to RP A. User asks to log into RP A and is directed to OP via Auth Code Flow (with PKCE)
2. RP A obtains ID, Access and Refresh tokens for the User and allows the User to perform X actions on the site.
3. User finishes up on RP A and browses over to RP B.
4. RP B leverages ‘prompt=none’ via Auth Code Flow.
5. The OP sees that the User’s login session is still valid, it responds back with the requested tokens (e.g., ID Token)
6. RP B allows the User to perform Y actions on the site
7. The User finishes up and wishes to Logout [See below for questions regarding logout]

Without support of the OIDC Logout Flows mentioned above, User Single Logout implementations become one-off, hokey solutions. However, if the OIDC Specifications above were supported, we would be able to leverage a common Logout pattern.

These specifications are supported by a majority of the major Cloud Identity Provider offerings (e.g., Azure, AWS Cognito, etc...).