Logout
When a user logs out from Eduplaces, they should also be logged out from your application. As Single sign-on does not replace your own session management, we need to find a way to notify your application when a user logs out from Eduplaces. OpenID Connect defined two ways to do this:
We recommend using the Back-Channel Logout extension, as it is more reliable and secure. But if you are not able to implement it, Front-Channel Logout is a good alternative.
You should not attempt to log out users from Eduplaces when they log out from your application. Users should be able to use another App from their Eduplaces dashboard without having to log in again.
Back-Channel Logout
OpenID Connect defines a Back-Channel Logout extension that allows Eduplaces to notify your application when a user logs out from Eduplaces. This is the most reliable and secure way to log out users from your application when they log out from Eduplaces.
When a user logs out from Eduplaces, Eduplaces will send a logout request to your application. This is a HTTP POST request that contains the user's ID and a session ID we already sent to your application when the user logged in as part of the ID token. As the request is sent by our authentication server directly to your application and does not involve the user's browser, it is called a Back-Channel Logout.
You can use the session ID to identify the user's session in your application and log them out. Since the logout request does not involve the user's browser, you cannot log out the user by just deleting the session cookie in the user's browser. You have to invalidate the session on your server by other means. This could be deleting the session from your database or setting a flag to indicate that the session is no longer valid.
To support Back-Channel Logout, you need to register a logout callback URL for your application. This is the URL Eduplaces will send the logout request to. It should be a HTTPS URL that is accessible from the internet.
We will send a POST
request to this URL with a signed logout_token as the body.
The logout_token is a JSON Web Token (JWT) that contains the following claims:
Claim | Description |
---|---|
iss | The issuer of the logout_token. This is always https://auth.eduplaces.io . |
aud | The client ID of your application. |
iat | The time the logout_token was issued. |
jti | A unique identifier for the logout_token. |
sid | The session ID of the user's session on Eduplaces. We already sent this ID to your application as part of the ID token when the user logged in. |
events | A backchannel_logout event. |
{
"iss": "https://auth.eduplaces.io",
"aud": "YOUR_CLIENT_ID",
"jti": "30e58376-ed53-4c5b-91c1-9fd5517e7f55",
"sid": "7ddc71e6-e932-43e5-9d86-2ada68a490af",
"iat": 1692706914,
"events": {
"http://schemas.openid.net/event/backchannel-logout": {}
}
}
The logout_token is signed with the same private key we use to sign ID tokens. You can use the public key from our JWKS endpoint to verify the signature.
The callback URL you register for your application should be able to verify the logout_token and extract the sid
claim.
The endpoint will receive a POST
request with the logout_token as the body.
POST sso/backchannel_logout HTTP/1.1
Host: your.awesome-education.app
Content-Type: application/x-www-form-urlencoded
logout_token=eyJhbGci ... .eyJpc3Mi ... .T3BlbklE...
After verifying the logout_token, you should invalidate the session with the session ID you received in the sid
claim and respond with a HTTP 200
status code.
Front-Channel Logout
If you are not able to implement Back-Channel Logout, you can use Front-Channel Logout as an alternative. Front-Channel Logout is less reliable and secure than Back-Channel Logout, but it is better than nothing.
When a user logs out from Eduplaces, Eduplaces will open the logout URL you registered for your application in the user's browser. We will open your logout URL in a hidden iframe to prevent the user from seeing it. Make sure your logout URL does not contain any sensitive information and is allowed to be embedded in an iframe.
As the request is sent by the user's browser, all cookies for your application will be sent along with the request. You can use the session cookie to identify the user's session in your application and log them out. Usually, you would just delete the session cookie to log the user out.