Description
Feature description
Currently, you can initiate the logout from this middleware, which clears the session and does RP-Initiated Logout. But logout could also be initiated from the IdP side (the IdP itself or any other app connected to the IdP directly).
If the IdP supports front-channel logout, then it (or rather the user's browser) calls an endpoint here that should clear the session.
That should be fairly simple to implement. Just some endpoint to delete the cookie. Although the IdP can optionally include `iss` and `sid` query parameters, and then it is expected to clear the session only if the values match the claims in the ID token.
Note: This works by the IdP rendering an iframe that makes a request to an endpoint here. Of course, the cookie must be included in this request to be able to inspect it and remove it. This works well if your IdP and your apps are on the same top-level domain, so it's a same-site request.
Pitch
I need to be able to log out from the IdP side, which in turn should log me out of my apps.
Doing your homework
- I have searched for similar feature requests and not found a similar one.
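
A sketch of the endpoint logic requested above, as an added example that is not part of the original issue or the middleware's code: the session cookie is expired only when any `iss`/`sid` supplied by the IdP match the ID token claims of the current session. The cookie name, the function names and the way claims are passed in are assumptions made for illustration.

```python
from urllib.parse import parse_qs

SESSION_COOKIE = "oidc_session"  # assumed cookie name, not the middleware's own


def should_clear(query, claims):
    """Return True if a front-channel logout request targets this session.

    query:  parse_qs() result for the logout request's query string
    claims: "iss" and "sid" claims of the ID token behind the session cookie,
            or None when the request carried no usable session cookie
            (for example a cross-site iframe request whose cookie was withheld)
    """
    if claims is None:
        return False  # no session to clear
    for name in ("iss", "sid"):
        values = query.get(name)
        if values is None:
            continue  # the IdP did not send this parameter
        # A repeated or non-matching parameter means the request is not
        # for this session, so the session is left alone.
        if len(values) != 1 or values[0] != claims.get(name):
            return False
    return True


def frontchannel_logout(query_string, claims):
    """Build (status, headers) for the front-channel logout endpoint."""
    query = parse_qs(query_string, keep_blank_values=True)
    # The response is loaded in a hidden iframe; it must not be cached,
    # or a later logout could be answered from cache without reaching here.
    headers = [("Cache-Control", "no-store")]
    if should_clear(query, claims):
        # Path (and Domain, if used) must match the original cookie's.
        expired = f"{SESSION_COOKIE}=; Path=/; Max-Age=0; HttpOnly; Secure"
        headers.append(("Set-Cookie", expired))
    return 200, headers


if __name__ == "__main__":
    # Constructed sample values.
    claims = {"iss": "https://idp.example.test", "sid": "s-123"}
    for qs in ("", "iss=https%3A%2F%2Fidp.example.test&sid=s-123", "sid=other"):
        print(repr(qs), frontchannel_logout(qs, claims))
```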