Front-channel logout

Front-channel logout is a logout mechanism defined by OpenID Connect (OIDC) and used in Single Sign-On (SSO) and Identity and Access Management (IAM) systems. It ensures that when a user logs out of one application or service, they are also logged out of all related applications and services in a secure and synchronized manner.

Here’s how front-channel logout works:

  1. User Initiates Logout: When a user decides to log out of one application within an SSO or IAM system, they typically trigger the logout process by clicking on a “Logout” button or taking a similar action.
  2. Logout Request: The application that the user logs out of sends a logout request to the Identity Provider (IdP) or Authentication Service. The IdP is responsible for managing user authentication and maintaining session information.
  3. IdP Notifies Other Services: Upon receiving the logout request, the IdP notifies every other application or service with which the user has an active session. This notification goes through the user’s browser: the IdP’s logout page loads each application’s registered front-channel logout URL (typically in hidden iframes) rather than contacting the applications directly.
  4. User’s Browser Redirects: The user’s browser is thus made to request the logout endpoints of the other applications. This path through the browser is what is referred to as the “front channel.” Because each request is a real browser request, it carries the browser’s cookies for that application, which is how the application recognizes which local session to end; the IdP may also append parameters identifying itself and the session being logged out.
  5. Applications Handle Logout: Each application that receives the logout request at its endpoint processes the request and logs the user out locally. This typically involves clearing session cookies, destroying user sessions, and performing any other necessary cleanup.
  6. Final Redirect: After all applications have completed their logout processes, the user’s browser may be redirected back to a final landing page, such as a login page or a confirmation page, depending on the specific implementation.
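As an added example, not taken from the original page or any particular product, here is a minimal application-side handler for steps 4 and 5 in Python: it receives the browser’s request to the application’s front-channel logout URL, checks that the request names the trusted IdP, ends the matching local session and sets the response headers the endpoint needs. The issuer URL, the cookie name `rp_session` and the in-memory session store are assumptions constructed for the example.

```python
from urllib.parse import parse_qs, urlparse

# Assumption: issuer identifier of the single IdP this application trusts; placeholder value.
EXPECTED_ISSUER = "https://idp.example.test"


def make_sessions():
    """Constructed in-memory store: local session id -> {"sub": user, "sid": IdP session id}.
    "sid" is the IdP session identifier the application received in the ID Token at login."""
    return {
        "local-A": {"sub": "alice", "sid": "op-sess-1"},
        "local-B": {"sub": "alice", "sid": "op-sess-1"},  # second tab/window, same IdP session
        "local-C": {"sub": "bob", "sid": "op-sess-2"},
    }


def handle_frontchannel_logout(url, cookies, sessions, expected_iss=EXPECTED_ISSUER):
    """Handle the GET the browser makes to this application's front-channel logout URL
    (step 4 above) while the IdP's logout page loads it in a hidden iframe.
    Returns (status, response headers, list of local session ids that were ended)."""
    query = {k: v[0] for k, v in parse_qs(urlparse(url).query).items()}
    headers = {
        # OIDC requires the logout response not to be cached by the browser.
        "Cache-Control": "no-cache, no-store",
        # The URL is loaded inside the IdP's page, so allow framing by the trusted IdP only;
        # a blanket X-Frame-Options: DENY on this endpoint would silently break logout.
        "Content-Security-Policy": f"frame-ancestors {expected_iss}",
    }
    iss, sid = query.get("iss"), query.get("sid")
    # A request naming a different issuer is not from our IdP: end nothing.
    if iss is not None and iss != expected_iss:
        return 400, headers, []
    if sid is not None:
        # The IdP told us which of its sessions ended: end every local session bound to it.
        ended = [lid for lid, s in sessions.items() if s["sid"] == sid]
    else:
        # No sid: fall back to the browser's own session cookie, which is sent with this
        # request because it is a real browser request (this is what "front channel" means).
        local_id = cookies.get("rp_session")
        ended = [local_id] if local_id in sessions else []
    for lid in ended:
        del sessions[lid]  # clear the local session (step 5)
    return 200, headers, ended
```

Because the request arrives cross-site from the IdP’s page, browsers that block third-party cookies may not send `rp_session` at all; the `sid` branch is what still identifies the session in that case.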

Front-channel logout ensures that the user’s session is terminated across all related applications in real time, providing a consistent and secure user experience. It is important for maintaining the security of SSO and IAM systems, as it prevents continued access to protected resources after the user has logged out of any one application within the system.

In contrast to front-channel logout, there is also “back-channel logout,” in which the IdP notifies each application directly, server to server, without involving the user’s browser.
