When WSO2 Identity Server acts as the OpenID Connect (OIDC) identity provider, it lets you register a logout URL so that, after the relying party (RP) sends an OIDC logout request, the user is redirected to a particular page of the application.
Follow the steps below to send an OIDC logout request.
An OIDC logout request is generally a GET request: you construct a URL with the necessary parameters and redirect the browser to it.
However, there are cases where a GET request cannot be used as the OIDC logout request. For example, the id_token may be long enough that the resulting URL exceeds the maximum URL length the browser accepts, and the browser truncates it. In such cases, send the logout request as a POST request using an automatically submitting HTML form.
To see how an OIDC logout request is sent as a POST request, see Sending a POST request as the OIDC logout request.
Download and install WSO2 Identity Server. For detailed information on how to install WSO2 IS, see Installing the Product.
Access the Management Console via
- Navigate to Service Providers > List and click Edit on the service provider that you created for the OAuth2 application.
- Edit the Callback URL field and add the logout URL alongside the callback URL that you defined when you created the service provider. The identity provider only redirects to a post_logout_redirect_uri that matches what is registered here.
You can register multiple callback URLs using a regex pattern as follows:
Use the following cURL command to retrieve the id_token using the client ID, client secret, and authorization code:
Use the retrieved id_token in the following URL to log out from the identity provider and redirect to a URL in the RP.
Following are the parameters you need to specify in the URL:

| Parameter | Description | Required |
| --- | --- | --- |
| OIDC logout endpoint URL | The OIDC logout endpoint URL of the identity provider. | Yes |
| id_token_hint | The id_token returned by the identity provider. | Yes |
| post_logout_redirect_uri | The URL to redirect to after logging out. The value defined here must be the same as the callback URI of the client application. If you do not specify a value for the post_logout_redirect_uri parameter, users are redirected to the default logout success page of WSO2 Identity Server. | No |
| state | A value passed from the application to the identity provider to maintain any state information. It is used to correlate the logout request with its response: if the state parameter is set to state_1, both the logout request and the logout response contain state_1. This makes it easy for the client to match a response to the request it sent. | No |
Sending a POST request as the OIDC logout request
Let's take a look at a sample scenario to understand how to send an OIDC logout request as a POST request.
Consider a scenario where a service provider builds an HTML page containing the required parameters and renders it in the browser, so that the OIDC logout request is sent to the logout endpoint as a POST request.
Following is a sample HTML form showing the parameters you need to specify when you send an OIDC logout request as a POST request:
For descriptions of all the parameters that you need to specify in the POST request, see the parameter descriptions given above.
Following is the same HTML form with sample parameter values, as rendered in a browser: