Sohil Lalakiya

Front-Channel vs Back-Channel Logout in OpenID Connect (OIDC)

In modern authentication systems built on OpenID Connect (OIDC), we usually get Single Sign-On (SSO) right and then pay too little attention to logout. Yet ending sessions across relying parties matters just as much as establishing them.

Logout is not just about ending the session in one application. When the user signs out, the session should end at the identity provider (in OIDC terms the OpenID Provider; called the IdP below) and at every relying party (RP) that shares it. An RP that keeps its own session alive after the IdP session is gone leaves the user logged in somewhere they believe they have left.

OIDC provides two standardized mechanisms for propagating a logout to RPs:

  1. Front-Channel Logout (OpenID Connect Front-Channel Logout 1.0)
  2. Back-Channel Logout (OpenID Connect Back-Channel Logout 1.0)

Both are official specifications designed to solve the single logout problem, and both are typically started through a third one, OpenID Connect RP-Initiated Logout 1.0, which defines the IdP's end_session_endpoint. Understanding the differences between the two propagation mechanisms is critical for building a secure SSO system.


(1) Front-Channel Logout

Front-Channel Logout is defined in the OpenID Connect Front-Channel Logout 1.0 specification. It is a browser-based mechanism: the IdP uses the user's browser to deliver the logout notification to each RP.

How it works:

  • User or RP initiates logout
  • RP redirects the browser to the IdP's end_session_endpoint, passing the ID token as id_token_hint and, optionally, a pre-registered post_logout_redirect_uri and a state value
  • IdP validates the ID token hint, may ask the user to confirm, and clears its own session
  • IdP renders a page that loads each RP's registered frontchannel_logout_uri in a hidden iframe, appending iss and sid query parameters when the RP asked for them; each RP clears the session behind the browser's cookie and the IdP finally redirects to post_logout_redirect_uri
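As an added example (not code from the original post), here is the whole front-channel exchange in Python: the RP builds the RP-Initiated Logout redirect, the IdP renders one hidden iframe per RP, and the RP's frontchannel_logout_uri handler clears the session behind the browser's cookie. The endpoint URLs, client values and the in-memory session store are constructed placeholders. The handler also models the failure mode the spec cannot fix: when the browser withholds the RP's cookie from the iframe request, the RP has no session to clear and the logout silently does nothing.

```python
from urllib.parse import parse_qs, urlencode, urlsplit

# Constructed example values (assumptions, not from the original post).
ISSUER = "https://idp.example.com"                                  # the IdP's issuer identifier
END_SESSION_ENDPOINT = "https://idp.example.com/oidc/logout"       # from the IdP's discovery document
POST_LOGOUT_REDIRECT_URI = "https://app.example.com/logged-out"    # pre-registered at the IdP


def build_rp_initiated_logout_url(id_token: str, state: str) -> str:
    """RP side, step 2: the redirect to the IdP's end_session_endpoint.

    id_token_hint tells the IdP which session to end; state is echoed back on
    post_logout_redirect_uri so the RP can correlate the return trip.
    """
    params = {
        "id_token_hint": id_token,
        "post_logout_redirect_uri": POST_LOGOUT_REDIRECT_URI,
        "state": state,
    }
    return f"{END_SESSION_ENDPOINT}?{urlencode(params)}"


def render_frontchannel_iframes(rp_logout_uris: list[str], sid: str) -> str:
    """IdP side, step 4: one hidden iframe per registered frontchannel_logout_uri.

    iss and sid are appended for RPs that registered
    frontchannel_logout_session_required=true.
    """
    frames = []
    for uri in rp_logout_uris:
        sep = "&" if "?" in uri else "?"
        query = urlencode({"iss": ISSUER, "sid": sid})
        frames.append(f'<iframe style="display:none" src="{uri}{sep}{query}"></iframe>')
    return "\n".join(frames)


def handle_frontchannel_logout(request_url: str, sessions: dict, cookie_session_id) -> tuple[int, int]:
    """RP side: the request the iframe makes to frontchannel_logout_uri.

    cookie_session_id is the session key carried by the browser's cookie, or
    None when the browser did not send the cookie (third-party cookie blocking).
    The response should also carry Cache-Control: no-cache, no-store so the
    browser never satisfies a later logout from cache.
    Returns (http_status, sessions_removed).
    """
    query = {k: v[0] for k, v in parse_qs(urlsplit(request_url).query).items()}
    iss, sid = query.get("iss"), query.get("sid")
    if (iss is None) != (sid is None):      # the spec sends both or neither
        return 400, 0
    if iss is not None and iss != ISSUER:   # only our own IdP may log us out
        return 400, 0
    session = sessions.get(cookie_session_id)
    if session is None:
        return 200, 0                       # no cookie, no session: nothing we can clear
    if sid is not None and session["sid"] != sid:
        return 400, 0                       # sid must match the session behind the cookie
    del sessions[cookie_session_id]
    return 200, 1
```

The `(200, 0)` path is the important one: the IdP sees a successful iframe load, yet the RP session is still alive, which is exactly why front-channel logout cannot be treated as reliable.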

Key characteristics:

  • Uses the user agent (browser) as the communication medium
  • Relies on HTTP redirects and hidden iframes rendered by the IdP
  • Requires each RP to register a frontchannel_logout_uri (and, optionally, frontchannel_logout_session_required=true to receive iss and sid)

Pros:

  • Easy to implement: the RP's logout URL is an ordinary page request that clears the session cookie
  • No backend-to-backend communication needed, so the RP does not have to be reachable from the IdP

Cons:

  • Logout is best-effort, not guaranteed: the iframes only load while the browser is open on the IdP's logout page, and they can fail or be blocked
  • Browsers that restrict third-party cookies (SameSite defaults, tracking prevention) may not send the RP's session cookie with the iframe request, so the RP cannot tell which session to clear
  • The IdP gets no confirmation from the RPs, so a failed logout goes unnoticed

(2) Back-Channel Logout

Back-Channel Logout is defined in the OpenID Connect Back-Channel Logout 1.0 specification. It is a server-to-server mechanism: the IdP notifies each RP directly over HTTPS, without involving the browser.

How it works:

  • User or RP initiates logout (or the IdP ends the session itself, e.g. on timeout or administrative revocation)
  • IdP identifies the session to end and terminates it on its side
  • IdP generates a signed Logout Token (a JWT) and POSTs it to each RP's registered backchannel_logout_uri as the form parameter logout_token
  • RP validates the token, terminates the matching session(s) and responds with HTTP 200 (400 if the token is invalid)

Key characteristics:

  • Uses HTTP POST (server-to-server), with an application/x-www-form-urlencoded body
  • Requires each RP to register a backchannel_logout_uri that the IdP can reach
  • The Logout Token is a JWT, signed like an ID token, and carries the following claims:
  1. iss (Issuer) and aud (the RP's client ID), required
  2. iat (issued at) and jti (unique token ID, used to detect replay), required
  3. events, required: a JSON object whose key http://schemas.openid.net/event/backchannel-logout identifies the token as a logout event (its value is an empty object)
  4. sub (Subject / User) and/or sid (Session ID): at least one of the two must be present
  5. exp is optional; nonce is prohibited (its presence means an ID token is being passed off as a Logout Token)
  • The RP validates the signature, iss, aud and iat as it would for an ID token, checks the events and sub/sid claims, and rejects any jti it has already seen
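As an added example (not code from the original post), the following Python shows both sides of the back-channel exchange: the IdP mints a Logout Token and POSTs it as logout_token, and the RP's backchannel_logout_uri handler runs the validation steps from Back-Channel Logout 1.0 (signature, iss, aud, iat, typ, sub/sid, events, no nonce, jti replay) before ending the matching session(s). The issuer, client ID and session store are constructed placeholders. One deliberate simplification: the token is signed with HS256 and a shared secret so the example runs offline; a real IdP signs with an asymmetric key (e.g. RS256) from its jwks_uri, and the RP verifies against that key set exactly as it does for ID tokens.

```python
import base64
import hashlib
import hmac
import json
import time
import uuid
from urllib.parse import parse_qs

# Constructed example values (assumptions, not from the original post).
ISSUER = "https://idp.example.com"
CLIENT_ID = "rp-client-123"
BACKCHANNEL_EVENT = "http://schemas.openid.net/event/backchannel-logout"
# Demo only: shared-secret HS256 keeps the example offline. Real IdPs sign
# Logout Tokens with an asymmetric key published at jwks_uri.
SHARED_SECRET = b"demo-shared-secret-not-for-production"


def _b64url(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def sign_logout_token(claims: dict) -> str:
    """IdP side: serialize and sign the claim set; typ marks it as a Logout Token."""
    header = {"alg": "HS256", "typ": "logout+jwt"}
    signing_input = _b64url(json.dumps(header).encode()) + "." + _b64url(json.dumps(claims).encode())
    sig = hmac.new(SHARED_SECRET, signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + _b64url(sig)


def make_logout_token(sub=None, sid=None, extra=None) -> str:
    """IdP side: build the claim set (at least one of sub / sid must be given)."""
    now = int(time.time())
    claims = {"iss": ISSUER, "aud": CLIENT_ID, "iat": now, "exp": now + 120,
              "jti": uuid.uuid4().hex, "events": {BACKCHANNEL_EVENT: {}}}
    if sub is not None:
        claims["sub"] = sub
    if sid is not None:
        claims["sid"] = sid
    claims.update(extra or {})     # lets the tests build deliberately invalid tokens
    return sign_logout_token(claims)


class LogoutTokenError(ValueError):
    pass


def validate_logout_token(token: str, seen_jti: set, now=None, max_age=300) -> dict:
    """RP side: the checks of Back-Channel Logout 1.0, section 2.6."""
    now = int(time.time()) if now is None else now
    parts = token.split(".")
    if len(parts) != 3:
        raise LogoutTokenError("malformed JWT")
    h64, p64, s64 = parts
    header = json.loads(_b64url_decode(h64))
    if header.get("alg") != "HS256":                     # pin the algorithm; never accept "none"
        raise LogoutTokenError("unexpected alg")
    expected = hmac.new(SHARED_SECRET, f"{h64}.{p64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(s64)):
        raise LogoutTokenError("bad signature")
    if "typ" in header and header["typ"] != "logout+jwt":  # an ID token must not pass as a Logout Token
        raise LogoutTokenError("wrong typ")
    claims = json.loads(_b64url_decode(p64))
    if claims.get("iss") != ISSUER:
        raise LogoutTokenError("issuer mismatch")
    aud = claims.get("aud")
    aud = [aud] if isinstance(aud, str) else (aud or [])
    if CLIENT_ID not in aud:
        raise LogoutTokenError("not addressed to this RP")
    iat = claims.get("iat")
    if not isinstance(iat, int) or now - iat > max_age or iat - now > 60:
        raise LogoutTokenError("iat outside the accepted window")
    if "exp" in claims and claims["exp"] < now:
        raise LogoutTokenError("expired")
    if "sub" not in claims and "sid" not in claims:
        raise LogoutTokenError("neither sub nor sid present")
    if not isinstance((claims.get("events") or {}).get(BACKCHANNEL_EVENT), dict):
        raise LogoutTokenError("missing backchannel-logout event")
    if "nonce" in claims:
        raise LogoutTokenError("nonce is prohibited in a Logout Token")
    jti = claims.get("jti")
    if not jti or jti in seen_jti:
        raise LogoutTokenError("missing or replayed jti")
    seen_jti.add(jti)                                     # remember it for the token's lifetime
    return claims


def handle_backchannel_logout(form_body: str, sessions: dict, seen_jti: set) -> tuple:
    """RP's backchannel_logout_uri: parse the IdP's POST body, validate, end sessions.

    Returns (http_status, sessions_removed): 200 on success, 400 on a bad token.
    """
    token = parse_qs(form_body).get("logout_token", [None])[0]
    if token is None:
        return 400, 0
    try:
        claims = validate_logout_token(token, seen_jti)
    except ValueError:                # LogoutTokenError, bad base64 and bad JSON all land here
        return 400, 0
    sid, sub = claims.get("sid"), claims.get("sub")
    # With a sid, end that one session; with only a sub, end all of the user's sessions here.
    doomed = [k for k, s in sessions.items()
              if (s["sid"] == sid if sid is not None else s["sub"] == sub)]
    for key in doomed:
        del sessions[key]
    return 200, len(doomed)
```

Note that the handler never touches a cookie: it can only delete the server-side record the browser's cookie points to, which is why back-channel logout presupposes server-side session state at the RP.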

Pros:

  • Not affected by browser restrictions and works even when the browser is closed
  • Far more reliable than the front channel: the RP's HTTP status tells the IdP whether the notification was accepted, something the iframe approach cannot provide. Delivery is still not unconditional, since the RP endpoint must be reachable when the token is sent

Cons:

  • More work to implement: the RP needs server-side session state indexed by sid (and sub), a JWT validation path with replay protection on jti, and an endpoint the IdP can reach through firewalls
  • Because no browser is involved, the RP cannot clear cookies; it can only invalidate the server-side session a cookie points to, so purely stateless (cookie-only) sessions cannot be logged out this way

When should you use each?

Use Front-Channel Logout when:

  • You have a simple application ecosystem
  • Quick implementation is needed
  • Best-effort logout is acceptable, for example because the RPs cannot accept inbound calls from the IdP or keep no server-side session state

Use Back-Channel Logout when:

  • You are building an enterprise-grade system
  • Security is critical
  • You need logout to work reliably, including when no browser is present (revocation by an administrator, IdP session expiry)

The two are not mutually exclusive: an IdP can support both, and each RP registers whichever mechanism it implements.
