Support OIDC Session Management, Front-Channel Logout and Back-Channel Logout Specs
- We have multiple applications (Relying Party - RP) which use IBM CI as their OP (OpenID Connect Provider)
- The RPs are a mix of both Single Page Application as well as Full Stack Applications (i.e., both Web Server and App Server)
- The RPs rely on the ‘prompt=none’ OP offering to provide a pseudo-single-sign-on since the RPs do not share a common session between each other.
- This means that each RP obtains and manages its own ID, Access and Refresh Tokens.
- User, with a fresh session, goes to RP A. User asks to log into RP A and is directed to the OP via Auth Code Flow (with PKCE).
- RP A obtains ID, Access and Refresh tokens for the User and allows the User to perform X actions on the site.
- User finishes up on RP A and browses over to RP B.
- RP B leverages ‘prompt=none’ via Auth Code Flow.
- The OP sees that the User’s login session is still valid and responds with the requested tokens (e.g., ID Token).
- RP B allows the User to perform Y actions on the site
- The User finishes up and wishes to Logout [See below for questions regarding logout]
Without support for the OIDC Logout Flows mentioned above, User Single Logout implementations become one-off, hokey solutions. However, if the OIDC Specifications above were supported, we would be able to leverage a common Logout pattern.
These specifications are supported by a majority of the major Cloud Identity Provider offerings (e.g., Azure, AWS Cognito, etc.).
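To illustrate what the common Logout pattern looks like on the RP side, the following is an added example (not part of this request, and not IBM CI code) of the checks an RP applies to a Back-Channel Logout token before ending its own local sessions. It assumes a constructed shared secret, issuer URL, client_id and clock-skew tolerance; a real OP signs logout tokens with an asymmetric key and the RP verifies against the OP's JWKS.

```python
import base64, hashlib, hmac, json, time
# Constructed values. A real OP signs logout tokens with an asymmetric key (e.g. RS256)
# and the RP verifies against the OP's JWKS; HS256 is used here only to stay self-contained.
SECRET = b"constructed-shared-secret"
ISSUER = "https://op.example.com"  # assumed OP issuer
CLIENT_ID = "rp-a"                 # assumed client_id of this RP
LOGOUT_EVENT = "http://schemas.openid.net/event/backchannel-logout"
SKEW = 300                         # assumed clock-skew tolerance for iat, in seconds
def _b64url_decode(s): return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))
def _b64url_encode(b): return base64.urlsafe_b64encode(b).rstrip(b"=").decode()

def make_logout_token(claims):
    """Stand-in for the OP: mint an HS256 logout token over the given claims."""
    head = _b64url_encode(json.dumps({"alg": "HS256", "typ": "logout+jwt"}).encode())
    body = _b64url_encode(json.dumps(claims).encode())
    sig = hmac.new(SECRET, f"{head}.{body}".encode(), hashlib.sha256).digest()
    return f"{head}.{body}.{_b64url_encode(sig)}"

def validate_logout_token(token, seen_jti, now=None):
    """RP-side checks from Back-Channel Logout 1.0 section 2.6; returns claims or raises."""
    now = int(time.time()) if now is None else now
    head, body, sig = token.split(".")
    expected = hmac.new(SECRET, f"{head}.{body}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(sig)):
        raise ValueError("signature check failed")
    claims = json.loads(_b64url_decode(body))
    aud = claims.get("aud")
    if claims.get("iss") != ISSUER or CLIENT_ID not in (aud if isinstance(aud, list) else [aud]):
        raise ValueError("iss/aud mismatch")
    if not isinstance(claims.get("iat"), int) or abs(now - claims["iat"]) > SKEW:
        raise ValueError("iat missing or outside clock-skew window")
    if "sub" not in claims and "sid" not in claims:
        raise ValueError("sub or sid required")
    if not isinstance(claims.get("events"), dict) or LOGOUT_EVENT not in claims["events"]:
        raise ValueError("backchannel-logout event missing")
    if "nonce" in claims:
        raise ValueError("nonce must not be present in a logout token")
    if not claims.get("jti") or claims["jti"] in seen_jti:
        raise ValueError("jti missing or replayed")
    seen_jti.add(claims["jti"])
    return claims

def handle_backchannel_logout(token, sessions, seen_jti, now=None):
    """End local RP sessions matching the OP sid (or sub when no sid); returns ended keys."""
    c = validate_logout_token(token, seen_jti, now)
    match = (lambda s: s["sid"] == c["sid"]) if "sid" in c else (lambda s: s["sub"] == c["sub"])
    ended = [k for k, s in sessions.items() if match(s)]
    for k in ended:
        del sessions[k]
    return ended
```

Because each RP keeps its own session store (as the request notes), the `sessions` map here stands for that RP-local store keyed by its own cookie, with the OP `sid` and `sub` recorded from the ID Token at login.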