The OpenID Connect Session Management 1.0 specification complements the core specification by defining how to monitor the End-User’s login status at the OpenID Provider on an ongoing basis so that the Relying Party can log out an End-User who has logged out of the OpenID Provider.
Somewhere in your Django
MIDDLEWARE_CLASSES = [ ... 'oidc_provider.middleware.SessionManagementMiddleware', ] OIDC_SESSION_MANAGEMENT_ENABLE = True
If you’re in a multi-server setup, you might also want to add
OIDC_UNAUTHENTICATED_SESSION_MANAGEMENT_KEY to your settings and set it to some random but fixed string. While authenticated clients have a session that can be used to calculate the browser state, there is no such thing for unauthenticated clients. Hence this value. By default a value is generated randomly on startup, so this will be different on each server. To get a consistent value across all servers you should set this yourself.
Example RP iframe¶
An RP can notify the OP that the End-User has logged out of the site, and might want to log out of the OP as well. In this case, the RP, after having logged the End-User out of the RP, redirects the End-User’s User Agent to the OP’s logout endpoint URL.
This URL is normally obtained via the
end_session_endpoint element of the OP’s Discovery response.
Parameters that are passed as query parameters in the logout request:
- Previously issued ID Token passed to the logout endpoint as a hint about the End-User’s current authenticated session with the Client.
- URL to which the RP is requesting that the End-User’s User Agent be redirected after a logout has been performed.
- OPTIONAL. Opaque value used by the RP to maintain state between the logout request and the callback to the endpoint specified by the