Logout

When a user logs out from Eduplaces, they should also be logged out from your application. As Single sign-on does not replace your own session management, we need to find a way to notify your application when a user logs out from Eduplaces. OpenID Connect defined two ways to do this:

• Back-Channel Logout
• Front-Channel Logout

We recommend using the Back-Channel Logout extension, as it is more reliable and secure. But if you are not able to implement it, Front-Channel Logout is a good alternative.

You should not attempt to log out users from Eduplaces when they log out from your application. Users should be able to use another App from their Eduplaces dashboard without having to log in again.

Back-Channel Logout

OpenID Connect defines a Back-Channel Logout extension that allows Eduplaces to notify your application when a user logs out from Eduplaces. This is the most reliable and secure way to log out users from your application when they log out from Eduplaces.

When a user logs out from Eduplaces, Eduplaces will send a logout request to your application. This is a HTTP POST request that contains the user's ID and a session ID we already sent to your application when the user logged in as part of the ID token. As the request is sent by our authentication server directly to your application and does not involve the user's browser, it is called a Back-Channel Logout.

You can use the session ID to identify the user's session in your application and log them out. Since the logout request does not involve the user's browser, you cannot log out the user by just deleting the session cookie in the user's browser. You have to invalidate the session on your server by other means. This could be deleting the session from your database or setting a flag to indicate that the session is no longer valid.

To support Back-Channel Logout, you need to register a logout callback URL for your application. This is the URL Eduplaces will send the logout request to. It should be a HTTPS URL that is accessible from the internet.

We will send a POST request to this URL with a signed logout_token as the body. The logout_token is a JSON Web Token (JWT) that contains the following claims:

{
  "iss": "https://auth.eduplaces.io",
  "aud": "YOUR_CLIENT_ID",
  "jti": "30e58376-ed53-4c5b-91c1-9fd5517e7f55",
  "sid": "7ddc71e6-e932-43e5-9d86-2ada68a490af",
  "iat": 1692706914,
  "events": {
    "http://schemas.openid.net/event/backchannel-logout": {}
  }
}

The logout_token is signed with the same private key we use to sign ID tokens. You can use the public key from our JWKS endpoint to verify the signature.

The callback URL you register for your application should be able to verify the logout_token and extract the sid claim. The endpoint will receive a POST request with the logout_token as the body.

POST sso/backchannel_logout HTTP/1.1
Host: your.awesome-education.app
Content-Type: application/x-www-form-urlencoded

logout_token=eyJhbGci ... .eyJpc3Mi ... .T3BlbklE...

After verifying the logout_token, you should invalidate the session with the session ID you received in the sid claim and respond with a HTTP 200 status code.

Front-Channel Logout

If you are not able to implement Back-Channel Logout, you can use Front-Channel Logout as an alternative. Front-Channel Logout is less reliable and secure than Back-Channel Logout, but it is better than nothing.

When a user logs out from Eduplaces, Eduplaces will open the logout URL you registered for your application in the user's browser. We will open your logout URL in a hidden iframe to prevent the user from seeing it. Make sure your logout URL does not contain any sensitive information and is allowed to be embedded in an iframe.

As the request is sent by the user's browser, all cookies for your application will be sent along with the request. You can use the session cookie to identify the user's session in your application and log them out. Usually, you would just delete the session cookie to log the user out.