go-oidc
Logout Token Validation Support?
According to: https://openid.net/specs/openid-connect-backchannel-1_0.html#Validation
I think it would be nice if there were a function like func (v *IDTokenVerifier) Verify for Logout Token Validation... Or is there already a function that I could call?
This package currently doesn't implement logout token logic. It'd be helpful to know what providers implement this and what real-world use cases look like.
Ory Hydra implements OpenID Connect Back-Channel Logout 1.0, which has logout token logic. For my use case, I follow the back-channel spec to implement a remote logout feature (e.g. using a desktop web portal to log out a mobile device).
Sorry, last time I gave an unusual example. I would like to update it. backchannel-logout is one of the features that support single-sign-out; the other one is frontchannel-logout. If a browser is logged in to multiple RPs and one RP requests logout, the server will emit the backchannel-logout API call to the rest of the RPs that are related to the authentication session (the cookie which helps achieve single-sign-on).
There are many OIDC server implementations that support this feature. For example:
I know Google's OIDC server doesn't support this feature yet, but this project doesn't restrict its users to Google's OIDC service only, right?
I already have a solution to the logout validation problem based on this project. May I contribute it here?
Since those specs are still a Draft we'd probably want to wait before adding new APIs to this package.
You should be able to use most of the Verify method to validate a logout token. Then use Claims() to pull out the events and sid claims. Does that satisfy your use case?
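Added example (not code from this thread or from go-oidc): once the token's signature, issuer and audience have been verified as the comment above suggests and the claims JSON has been extracted, the remaining logout-token checks from the Back-Channel Logout validation section (sub or sid present, the events member, no nonce, jti not replayed) could look like this. The type and function names and the in-memory replay map are assumptions made for this example.

```go
package main

import (
	"encoding/json"
	"errors"
	"fmt"
)

// Member name the spec requires inside the "events" claim.
const logoutEvent = "http://schemas.openid.net/event/backchannel-logout"

// logoutClaims is a hypothetical type for this example, not part of go-oidc.
type logoutClaims struct {
	Subject string                     `json:"sub"`
	SID     string                     `json:"sid"`
	JTI     string                     `json:"jti"`
	Events  map[string]json.RawMessage `json:"events"`
}

// checkLogoutClaims runs the logout-token-specific checks on a payload whose
// signature, iss and aud were verified beforehand. seen is a replay cache.
func checkLogoutClaims(payload []byte, seen map[string]bool) (*logoutClaims, error) {
	var raw map[string]json.RawMessage
	if err := json.Unmarshal(payload, &raw); err != nil {
		return nil, fmt.Errorf("decode claims: %w", err)
	}
	if _, ok := raw["nonce"]; ok { // presence alone disqualifies, even null
		return nil, errors.New("logout token must not contain a nonce claim")
	}
	var c logoutClaims
	if err := json.Unmarshal(payload, &c); err != nil {
		return nil, fmt.Errorf("decode claims: %w", err)
	}
	if c.Subject == "" && c.SID == "" {
		return nil, errors.New("logout token has neither sub nor sid")
	}
	if _, ok := c.Events[logoutEvent]; !ok {
		return nil, errors.New("events claim lacks the back-channel logout member")
	}
	if c.JTI == "" || seen[c.JTI] {
		return nil, errors.New("jti missing or already seen")
	}
	seen[c.JTI] = true
	return &c, nil
}

func main() { // constructed sample payload, not taken from a real provider
	p := []byte(`{"jti":"a1","sid":"s-42","events":{"` + logoutEvent + `":{}}}`)
	fmt.Println(checkLogoutClaims(p, map[string]bool{}))
}
```

In a real relying party the replay cache would need expiry and shared storage across instances; the map here only stands in for it.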
@ericchiang now that the spec is final, will the PR be reviewed or considered?