Sign-out
There are several ways to sign a user out, because different kinds of applications and services have different requirements.
One way to sign the user out of your OAuth or OpenID Connect client is simply to delete every access token, ID token and refresh token you hold for that user. This ends the user's session with your client only: the session at the ID server stays alive, so the next authorization request from any client will sign the user straight back in without a new login prompt. If that is not what you want, combine it with one of the server-side options below.
Relying Party Initiated Logout
If you want to log the user out of the ID server as well, use the RP-initiated logout function. It is implemented according to the OpenID Connect Session Management 1.0 specification (the RP-initiated logout part of that specification is now published separately as OpenID Connect RP-Initiated Logout 1.0). You redirect the user's browser to the logout endpoint (by default https://{idserver}/openid/logout) with the query parameters the specification defines: id_token_hint identifies the session to end, post_logout_redirect_uri names where to send the user afterwards and must match a URI registered for the client, and state is echoed back so the client can tie the return to the logout it started. The user is given the opportunity to log out of the ID server and possibly other services as well. Depending on server configuration, client registration and current circumstances, the user may or may not need to interact with the logout user interface; without a valid id_token_hint, for example, the server cannot tell which session is meant and will typically ask. Finally the user is redirected to the post_logout_redirect_uri, if one was given and accepted.
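The client side of the two steps above (forgetting the tokens locally, then sending the user to the logout endpoint and checking the return), as an added example that is not part of the original page or the ID server's own code. The host name, the registered post-logout redirect URI and the session dictionary are assumptions for the example; only the endpoint path and the parameter names come from the text and the specification.

```python
import secrets
from urllib.parse import parse_qs, urlencode, urlsplit

# Assumed values, not taken from the page: the ID server host and the
# post-logout redirect URI registered for this client at the ID server.
ID_SERVER = "https://idserver.example.com"
LOGOUT_ENDPOINT = ID_SERVER + "/openid/logout"
POST_LOGOUT_REDIRECT_URI = "https://app.example.com/logged-out"


def local_sign_out(session):
    """Option 1 from the text: forget every token the client holds.

    This ends the user's session with the client only; the ID server still
    has a live session. The ID token is returned so it can be used as
    id_token_hint when also logging the user out of the ID server.
    """
    id_token = session.pop("id_token", None)
    session.pop("access_token", None)
    session.pop("refresh_token", None)
    session.pop("sub", None)
    return id_token


def build_logout_url(id_token, state=None):
    """Build the RP-initiated logout redirect and return (url, state).

    id_token_hint tells the ID server which session is meant, so it can skip
    the confirmation prompt where its configuration allows it;
    post_logout_redirect_uri must be registered for the client or the server
    will not redirect there; state is echoed back on the return.
    """
    state = state or secrets.token_urlsafe(16)
    params = {"post_logout_redirect_uri": POST_LOGOUT_REDIRECT_URI, "state": state}
    if id_token:
        params["id_token_hint"] = id_token
    return LOGOUT_ENDPOINT + "?" + urlencode(params), state


def logout_return_ok(return_url, expected_state):
    """Check the request that lands on POST_LOGOUT_REDIRECT_URI.

    A wrong location or a state that does not match means this request is
    not the outcome of a logout this client started, so it must not be used
    to update any local state.
    """
    parts = urlsplit(return_url)
    if parts.scheme + "://" + parts.netloc + parts.path != POST_LOGOUT_REDIRECT_URI:
        return False
    got = parse_qs(parts.query).get("state", [None])[0]
    return got is not None and secrets.compare_digest(got, expected_state)


def start_logout(session):
    """Full client flow: wipe local tokens, then redirect to the ID server."""
    id_token = local_sign_out(session)
    url, state = build_logout_url(id_token)
    session["logout_state"] = state  # only what is needed to check the return
    return url
```

The local session is wiped before the redirect, so a user who closes the browser on the ID server's logout page is at least signed out of this client; the ID server session is only ended once the redirect completes.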
Single Sign Out / Single Logout / SLO
On the server side there are two options for propagating a logout to the other clients the user has signed in to. (We use the terms sign-out and logout interchangeably for the same function.)
Front-Channel logout
OpenID Connect Front-Channel Logout 1.0
In your OpenID Connect client registration you can specify a Front-Channel Logout URI. When a user logs out through the RP-initiated logout endpoint, the ID server has the user's browser load the Front-Channel Logout URI of every client the user has signed in to during the session (typically as hidden iframes in the logout page), so that each client can end its own session. Because this runs in the user's browser, it only works while the browser stays on the logout page and sends each client's cookies to its iframe; a browser that blocks third-party cookies, or a user who closes the window part-way, will leave some clients logged in.
Back-Channel Logout
OpenID Connect Back-Channel Logout 1.0
In your OpenID Connect client registration you can specify a Back-Channel Logout URI. When a user logs out through the RP-initiated logout endpoint, the ID server sends a direct server-to-server HTTP POST carrying a signed logout token to the Back-Channel Logout URI of every client the user has signed in to during the session. This does not depend on the user's browser, but the URI must be reachable from the ID server, and the client must validate the logout token (issuer, audience, signature, the backchannel-logout event claim, and the sub or sid it names) before ending any session.
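The client-side handlers for both mechanisms above, the front-channel GET and the back-channel POST, as an added example that is not part of the original page or the ID server's own code. The issuer, client id, session store and the assumption that the ID server signs logout tokens with the client secret (HS256) are all constructed for the example; a deployment whose ID server signs with its asymmetric key would verify against the server's JWKS at the marked point instead. The claim checks follow the Back-Channel Logout specification and the example goes one step beyond the text by showing the replay and nonce checks that turn a logout token into something an attacker cannot reuse.

```python
import base64
import hashlib
import hmac
import json
import time
from urllib.parse import parse_qs

# Assumed configuration, not taken from the page. The ID server is assumed to
# sign logout tokens with the client secret (HS256); with an asymmetric key
# the signature check below would use the key fetched from the server's JWKS.
ISSUER = "https://idserver.example.com"
CLIENT_ID = "my-client"
CLIENT_SECRET = b"constructed-client-secret-for-this-example"
BACKCHANNEL_EVENT = "http://schemas.openid.net/event/backchannel-logout"
MAX_TOKEN_AGE = 300  # seconds; a logout token is meant to be delivered at once

# Constructed in-memory session store: local session id -> identity at the OP.
SESSIONS = {
    "local-1": {"sub": "alice", "sid": "op-sess-1"},
    "local-2": {"sub": "alice", "sid": "op-sess-2"},
    "local-3": {"sub": "bob", "sid": "op-sess-3"},
}
SEEN_JTI = set()  # jti values already accepted, so a captured token cannot be replayed


def _b64url_encode(raw):
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def _b64url_decode(text):
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def _terminate(matches):
    """Delete every local session for which matches(session) holds; return their ids."""
    ended = [local_id for local_id, sess in SESSIONS.items() if matches(sess)]
    for local_id in ended:
        del SESSIONS[local_id]
    return ended


def front_channel_logout(query_string, cookie_session_id):
    """Handle the GET the ID server loads in an iframe at the Front-Channel Logout URI.

    The request may carry iss and sid; cookie_session_id is the local session
    named by the cookie the browser attached. A sid selects exactly that OP
    session; without one, only the cookie's own session can be ended.
    """
    params = parse_qs(query_string)
    iss = params.get("iss", [None])[0]
    sid = params.get("sid", [None])[0]
    if iss is not None and iss != ISSUER:
        return []  # not our ID server: ignore the request
    if sid is not None:
        return _terminate(lambda s: s["sid"] == sid)
    return [cookie_session_id] if SESSIONS.pop(cookie_session_id, None) else []


def back_channel_logout(form_body, now=None):
    """Handle the server-to-server POST sent to the Back-Channel Logout URI.

    Returns (http_status, ended_local_session_ids): 200 when the logout token
    is valid and acted on, 400 when it is not, as the specification prescribes.
    """
    now = time.time() if now is None else now
    token = parse_qs(form_body).get("logout_token", [None])[0]
    try:
        head_b64, body_b64, sig_b64 = token.split(".")
        header = json.loads(_b64url_decode(head_b64))
        claims = json.loads(_b64url_decode(body_b64))
        signature = _b64url_decode(sig_b64)
        if not isinstance(header, dict) or not isinstance(claims, dict):
            raise ValueError("malformed token")
    except (AttributeError, ValueError):
        return 400, []
    # 1. Signature, with the algorithm pinned so alg=none or a swapped alg is refused.
    expected = hmac.new(CLIENT_SECRET, f"{head_b64}.{body_b64}".encode(), hashlib.sha256).digest()
    if header.get("alg") != "HS256" or not hmac.compare_digest(expected, signature):
        return 400, []
    # 2. Claim checks the specification requires of a logout token.
    aud = claims.get("aud")
    aud = aud if isinstance(aud, list) else [aud]
    events, iat, jti = claims.get("events"), claims.get("iat"), claims.get("jti")
    if (claims.get("iss") != ISSUER or CLIENT_ID not in aud
            or not isinstance(iat, (int, float)) or not now - MAX_TOKEN_AGE <= iat <= now + 60
            or not isinstance(events, dict) or BACKCHANNEL_EVENT not in events
            or "nonce" in claims  # a logout token must not be usable as an ID token
            or not ("sub" in claims or "sid" in claims)
            or not jti or jti in SEEN_JTI):  # missing or replayed jti
        return 400, []
    SEEN_JTI.add(jti)
    # 3. A sid ends one OP session; sub alone ends every session of that user.
    if "sid" in claims:
        return 200, _terminate(lambda s: s["sid"] == claims["sid"])
    return 200, _terminate(lambda s: s["sub"] == claims["sub"])


def make_logout_token(claims):
    """Produce a token as the ID server would; used only to build sample input."""
    head = _b64url_encode(json.dumps({"alg": "HS256", "typ": "logout+jwt"}).encode())
    body = _b64url_encode(json.dumps(claims).encode())
    sig = hmac.new(CLIENT_SECRET, f"{head}.{body}".encode(), hashlib.sha256).digest()
    return f"{head}.{body}.{_b64url_encode(sig)}"
```

The back-channel handler answers with a status code only; it deliberately returns nothing about which sessions existed, since the caller is the ID server and not the user. The front-channel handler's real-world counterpart must also send Cache-Control: no-store so an intermediary cannot serve a cached "logged out" response instead of running the logout.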