Add OIDC Frontchannel logout docs to IS#5894
Conversation
piraveena paralogarajah seems not to be a GitHub user. You need a GitHub account to be able to sign the CLA. If you already have a GitHub account, please add the email address used for this commit to your account. You have signed the CLA already but the status is still pending? Let us recheck it.
Walkthrough
Adds a new OIDC front-channel logout guide and corresponding MkDocs navigation entry, renames an existing logout nav item, and substantially rewrites the back-channel logout guide into a product-conditional, spec-aligned format.
Changes
Sequence Diagram(s)
```mermaid
sequenceDiagram
    participant Browser
    participant RP as Relying Party (Client)
    participant IDP as Identity Server
    Browser->>IDP: User initiates logout (redirect / logout request)
    IDP-->>Browser: Returns front-channel logout HTML (iframe/form) targeting RP logout URL
    Browser->>RP: Front-channel logout request (via iframe/form)
    RP->>RP: Validate request (optional), terminate session, clear cookies
    RP-->>Browser: Response inside iframe (200 OK)
    Browser->>IDP: Optionally redirect to post-logout page
```
Estimated code review effort: 🎯 3 (Moderate) | ⏱️ ~25 minutes
Poem
🚥 Pre-merge checks: ✅ Passed checks (3 passed)
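The relying-party side of the diagram above (validate the request, terminate the session, clear cookies), written as an added example that is not code from this PR or from WSO2 Identity Server. It uses the `iss` and `sid` query parameters the review later describes, and treats a request that arrives without the RP cookie as the cross-site cookie case from the guide: the server-side session is still ended via `sid`, only the browser cookie cannot be cleared. Assumed: a trusted issuer of `https://localhost:9443/oauth2/token`, an RP cookie named `RP_SESSION`, and an in-memory session store constructed for the example.

```python
"""Relying-party (client) side of the OIDC front-channel logout exchange.

Added example, not code from this PR or from WSO2 Identity Server. Assumptions:
the RP keeps a server-side session store indexed by its own cookie value and by
the OP's `sid` claim, trusts a single issuer, and registered a front-channel
logout URI so the OP appends `iss` and `sid` to the request.
"""
from dataclasses import dataclass, field
from http.cookies import SimpleCookie
from typing import Dict, List, Optional
from urllib.parse import parse_qs, urlsplit

TRUSTED_ISSUER = "https://localhost:9443/oauth2/token"  # assumed issuer value
SESSION_COOKIE = "RP_SESSION"                            # assumed RP cookie name


@dataclass
class Session:
    user: str
    sid: str          # OP session identifier from the ID token's `sid` claim
    active: bool = True


class SessionStore:
    """In-memory stand-in for the RP's session store (constructed for the example)."""

    def __init__(self) -> None:
        self._by_cookie: Dict[str, Session] = {}
        self._by_sid: Dict[str, List[Session]] = {}

    def create(self, cookie_value: str, user: str, sid: str) -> Session:
        session = Session(user, sid)
        self._by_cookie[cookie_value] = session
        self._by_sid.setdefault(sid, []).append(session)
        return session

    def by_cookie(self, cookie_value: str) -> Optional[Session]:
        return self._by_cookie.get(cookie_value)

    def by_sid(self, sid: str) -> List[Session]:
        return list(self._by_sid.get(sid, []))

    def terminate(self, session: Session) -> None:
        session.active = False
        self._by_cookie = {k: v for k, v in self._by_cookie.items() if v is not session}
        self._by_sid[session.sid] = [s for s in self._by_sid.get(session.sid, [])
                                     if s is not session]


@dataclass
class LogoutResponse:
    status: int
    headers: Dict[str, str]
    terminated: List[str] = field(default_factory=list)  # users whose RP sessions ended


def handle_front_channel_logout(store: SessionStore, request_url: str,
                                cookie_header: Optional[str] = None) -> LogoutResponse:
    """Serve GET <front-channel logout URI>[?iss=...&sid=...] loaded in the OP's iframe."""
    query = parse_qs(urlsplit(request_url).query)
    iss = query.get("iss", [None])[0]
    sid = query.get("sid", [None])[0]

    # The OP sends iss and sid together. One without the other, or an issuer this RP
    # does not trust, is not a logout request this RP should act on.
    if (iss is None) != (sid is None) or (iss is not None and iss != TRUSTED_ISSUER):
        return LogoutResponse(400, {"Cache-Control": "no-cache, no-store"})

    # The RP cookie may be missing: browsers that block third-party cookies do not
    # send it to a cross-site iframe, which is the failure mode the guide warns about.
    cookie_session: Optional[Session] = None
    if cookie_header:
        jar = SimpleCookie(cookie_header)
        if SESSION_COOKIE in jar:
            cookie_session = store.by_cookie(jar[SESSION_COOKIE].value)

    targets: List[Session] = []
    if sid is not None:
        # sid identifies the OP session, so the server-side RP session can be ended
        # even when no cookie arrived; the browser cookie itself stays until it expires.
        targets = store.by_sid(sid)
        if cookie_session is not None and cookie_session.sid != sid:
            cookie_session = None  # cookie belongs to another OP session; leave it alone
    elif cookie_session is not None:
        targets = [cookie_session]  # no sid: fall back to the session the cookie names

    terminated: List[str] = []
    for session in targets:
        store.terminate(session)
        terminated.append(session.user)

    # The spec asks RPs to keep this response out of caches.
    headers = {"Cache-Control": "no-cache, no-store", "Pragma": "no-cache"}
    if cookie_session is not None:
        # Only clear the browser cookie when the request actually carried it.
        headers["Set-Cookie"] = (f"{SESSION_COOKIE}=; Max-Age=0; Path=/; "
                                 "Secure; HttpOnly; SameSite=None")
    return LogoutResponse(200, headers, terminated)
```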
Actionable comments posted: 3
🤖 Fix all issues with AI agents
In `@en/includes/guides/authentication/oidc/add-front-channel-logout.md`:
- Around line 31-36: The numbered list in the "front-channel logout flow" is
missing step 4; add or renumber to include a fourth step describing that the
HTML page's embedded iframes load each client's front-channel logout URI which
causes those clients to terminate their local sessions (e.g., insert a new step
4: "Each iframe loads the application's front-channel logout URI, prompting the
application to terminate the user's local session"), or simply renumber the list
so steps are sequential; update the list surrounding the "front-channel logout
flow" text accordingly.
- Around line 12-23: Update the phrasing and punctuation in the Frontchannel
logout configuration section: change "support" to "supports", normalize
"Frontchannel" to "front-channel" throughout the paragraph, rewrite "Click on
your Applications and click Protocol section." to "Click your application, then
go to the Protocol section." and add a period at the end of the final sentence
after "Front channel logout URL". Locate these strings in the text block that
mentions "Front channel logout URL" and the surrounding sentences to apply the
fixes.
- Around line 72-88: The front-channel logout URLs are swapped between
Playground_app1 and Playground_app2; update the Protocol tab entries so each app
points to its own logout endpoint: set Playground_app1's Front channel logout
URL to http://localhost:8080/playground2/fclogout and set Playground_app2's
Front channel logout URL to http://localhost:8080/playground3/fclogout (edit the
"Front channel logout URL" field for the OIDC application entries referenced in
the diff).
Actionable comments posted: 4
🤖 Fix all issues with AI agents
In `@en/includes/guides/authentication/oidc/add-back-channel-logout.md`:
- Around line 28-30: Replace the incorrect product name "Asgardeo Console" with
the proper product-specific console name used in this WSO2 Identity Server guide
(e.g., "WSO2 Identity Server Console" or "Management Console") in the lines
referencing the console under the "Protocol" tab and "Logout URLs" so the
instructions ("Go to the Protocol tab, and under Logout URLs, enter the Back
channel logout URL") match the WSO2 context.
- Around line 46-47: The issuer string "iss":
"{{product_url_sample}}oauth2/token" is missing a separator; update the value to
include a slash between the variable and the path so it reads "iss":
"{{product_url_sample}}/oauth2/token" (i.e., insert "/" before "oauth2/token")
to prevent concatenation of the base URL and path.
In `@en/includes/guides/authentication/oidc/add-front-channel-logout.md`:
- Around line 17-21: In step 5 of the OIDC front-channel logout guide, fix the
typo and singularize the noun: change "Upon receniving the logout request, each
client application validates the requests and proceeds to invalidate the
corresponding user session." to "Upon receiving the logout request, each client
application validates the request and proceeds to invalidate the corresponding
user session." (edit the Step 5 sentence in add-front-channel-logout.md).
- Around line 46-56: Replace the raw placeholders and fix the missing path
separator in the sample URLs: change product_url_format and product_url_sample
to the template variables {{ product_url_format }} and {{ product_url_sample }}
respectively, and ensure the path is "/oauth2/token" (add the missing slash) in
both the "Logout request from {{ product_name }}" and "Sample Logout request
from {{ product_name }}" examples so the URLs read like "http://myapp.com?iss={{
product_url_format }}/oauth2/token&sid={sid_value}" and "http://myapp.com?iss={{
product_url_sample }}/oauth2/token&sid=15043ffc-****-****-****-9b107f7da38c".
Actionable comments posted: 1
🤖 Prompt for all review comments with AI agents
Verify each finding against the current code and only fix it if needed.
Inline comments:
In `@en/includes/guides/authentication/oidc/add-back-channel-logout.md`:
- Around line 36-41: The in-page anchor is incorrect: update the markdown link
used in the sentence containing "register this endpoint with {{product_name}}"
so the fragment matches the actual heading "Configure back-channel logout URL"
(change the href from "#configure-back-channel-logout" to
"#configure-back-channel-logout-url") to avoid the broken link.
---
Duplicate comments:
In `@en/includes/guides/authentication/oidc/add-front-channel-logout.md`:
- Around line 17-21: Step 5 uses the plural "requests" incorrectly; update the
sentence that currently reads "Upon receiving the logout request, each client
application validates the requests and proceeds to invalidate the corresponding
user session." to use singular "request" (i.e., "validates the request") so it
reads "Upon receiving the logout request, each client application validates the
request and proceeds to invalidate the corresponding user session." Ensure only
that word is changed in the step text.
Pull request overview
This PR adds comprehensive documentation for OIDC front-channel logout and updates the existing back-channel logout documentation to align with OpenID Connect specifications.
Changes:
- Added new front-channel logout guide covering concepts, configuration steps, and cross-site cookie considerations
- Refactored back-channel logout documentation to focus on protocol flow, client registration, and token validation requirements rather than step-by-step testing
- Updated navigation structure to clearly distinguish between RP-initiated logout, back-channel logout, and front-channel logout
Reviewed changes
Copilot reviewed 4 out of 8 changed files in this pull request and generated 3 comments.
| File | Description |
|---|---|
| en/includes/guides/authentication/oidc/add-front-channel-logout.md | New documentation covering front-channel logout flow, configuration, and browser cookie limitations |
| en/includes/guides/authentication/oidc/add-back-channel-logout.md | Refactored to provide spec-aligned overview of back-channel logout with token validation details |
| en/identity-server/next/mkdocs.yml | Updated navigation to separate RP-initiated logout and front-channel logout entries |
| en/identity-server/next/docs/guides/authentication/oidc/add-front-channel-logout.md | New file including the front-channel logout guide with product-specific variables |
| To configure front-channel logout URL: | ||
|
|
||
| Follow the steps below to register the front-channel endpoint of your application with {{product_name}}. |
Line 29 appears to be an incomplete heading that is immediately followed by redundant content on line 31. Remove line 29 or consolidate it with line 31 to eliminate the duplicate instruction.
| ## Configure back-channel logout | ||
| 1. The client application initiates a user logout. | ||
| 2. {{ product_name }} identifies all the client applications associated with the user's session. | ||
| 3. {{ product_name }} generates a logout token, a special (JSON Web Token) JWT containing specific claims and sends it with a logout request to the logout endpoints of all the client applications. |
The parenthetical '(JSON Web Token)' is placed after 'special' instead of after 'JWT'. Move it to follow 'JWT' for clarity: 'a special JWT (JSON Web Token) containing specific claims'.
| 3. {{ product_name }} generates a logout token, a special (JSON Web Token) JWT containing specific claims and sends it with a logout request to the logout endpoints of all the client applications. | |
| 3. {{ product_name }} generates a logout token, a special JWT (JSON Web Token) containing specific claims and sends it with a logout request to the logout endpoints of all the client applications. |
| 2. The authorization server identifies all client applications associated with the user's session. | ||
| 3. The authorization server generates a logout token, a special JWT containing specific claims, and sends it with a logout request to the logout endpoints of the identified client applications. | ||
| 4. Upon receiving the logout token, each client application validates it and then invalidates the corresponding user session. | ||
| Back-channel logout is a mechanism defined in the OpenID Connect (OIDC) specification that allows users to be securely logged out of client applications without any user interaction. Unlike front-channel logout, which relies on browser-based redirects and requires the user’s browser to visit each client application, back-channel logout happens entirely through server-to-server communication between the authorization server and the client applications. |
| Back-channel logout is a mechanism defined in the OpenID Connect (OIDC) specification that allows users to be securely logged out of client applications without any user interaction. Unlike front-channel logout, which relies on browser-based redirects and requires the user’s browser to visit each client application, back-channel logout happens entirely through server-to-server communication between the authorization server and the client applications. | |
| Back-channel logout, defined in the OpenID Connect (OIDC) specification, allows logging out of client applications without user interaction. Unlike front-channel logout that needs the user to visit each client application, back-channel logout happens entirely through server-to-server communication between the authorization server and the client applications. |
Actionable comments posted: 4
🧹 Nitpick comments (3)
en/includes/guides/authentication/oidc/add-back-channel-logout.md (1)
13-13: OIDC re-expanded after first use on line 5. Per coding guidelines, once an acronym is defined, use only the acronym and do not redefine it within the same document. Also, the phrasing is inconsistent with the parallel front-channel guide, which uses "The front-channel logout flow works as follows."
✏️ Proposed fix
-The underlying message flow of OpenID Connect (OIDC) back-channel logout happens as follows:
+The back-channel logout flow works as follows:
As per coding guidelines, "after definition, use the acronym consistently and do not redefine within the same document."
🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed. In `@en/includes/guides/authentication/oidc/add-back-channel-logout.md` at line 13, Replace the sentence "The underlying message flow of OpenID Connect (OIDC) back-channel logout happens as follows:" with a concise, parallel phrasing that uses the already-defined acronym only (e.g., "The back-channel logout flow works as follows:"), removing the repeated expansion of "OpenID Connect" and ensuring consistency with the front-channel guide; update the line that currently contains that full phrase (search for the string "The underlying message flow of OpenID Connect (OIDC) back-channel logout happens as follows:") to the new wording so OIDC is not redefined in the same document.
en/includes/guides/authentication/oidc/add-front-channel-logout.md (2)
68-68: Remove the `<br>` HTML tag. A blank line is sufficient for vertical spacing in Markdown; the raw HTML element is unnecessary.
✏️ Proposed fix
-<br>
-
 {% endif %}
🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed. In `@en/includes/guides/authentication/oidc/add-front-channel-logout.md` at line 68, Remove the raw HTML break tag "<br>" from the Markdown file (add-front-channel-logout.md) and replace it with a single blank line for vertical spacing so the document uses plain Markdown spacing instead of the HTML element.
24-33: Duplicate and inconsistent prerequisite. The introductory paragraph (line 26) already tells the reader to register an application, and then the Before you begin note (line 33) repeats the same requirement, but with a different link (/guides/applications/ vs /guides/applications/register-oidc-web-app/). Keep only the Before you begin note and trim the paragraph. As per coding guidelines, avoid unnecessary repetition in documentation.
✏️ Proposed fix
-If your application supports OIDC front-channel logout, you can configure the logout URL of the application in the Console. That endpoint can listen to OIDC front-channel logout requests from {{ product_name }}, and terminate the application's sessions.
-
-To get started, you need to have an application registered in {{ product_name }}. If you don't already have one, [register a web app with OIDC]({{base_path}}/guides/applications/register-oidc-web-app/).
-
-
-Follow the steps below to register the front-channel endpoint of your application with {{product_name}}.
+If your application supports OIDC front-channel logout, configure the logout URL so the endpoint can receive front-channel logout requests from {{ product_name }} and terminate the application's sessions.
 !!! note "Before you begin"
     [Register your OIDC application]({{base_path}}/guides/applications/) in {{product_name}}.
🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed. In `@en/includes/guides/authentication/oidc/add-front-channel-logout.md` around lines 24 - 33, Remove the duplicated prerequisite in the introductory paragraph that tells users to register an application and instead keep the "Before you begin" note; delete the sentence "To get started, you need to have an application registered in {{ product_name }}. If you don't already have one, [register a web app with OIDC]({{base_path}}/guides/applications/register-oidc-web-app/)." from the main paragraph and ensure the remaining "Before you begin" note (the admonition starting with "Register your OIDC application") remains and points to the intended registration page (use /guides/applications/register-oidc-web-app/ if you want the specific OIDC web app register link).
🤖 Prompt for all review comments with AI agents
Verify each finding against the current code and only fix it if needed.
Inline comments:
In `@en/includes/guides/authentication/oidc/add-back-channel-logout.md`:
- Line 5: Revise the inaccurate sentence about front-channel logout in the
"Back-channel logout" paragraph: replace the claim that front-channel logout
"needs the user to visit each client application" with a precise description
that front-channel logout delivers logout notifications via browser-embedded
mechanisms (e.g., iframes or front-channel logout endpoints) using the user's
browser to propagate the logout to clients, rather than server-to-server
communication; update the phrasing around "front-channel logout" and
"back-channel logout" to clearly contrast server-to-server back-channel with
browser-mediated front-channel delivery.
- Around line 1-3: The H1 heading "Implement back-channel logout" is placed
before the product conditional tag `{% if product_name == "WSO2 Identity Server"
%}`, causing an orphaned heading for non-IS products; move the heading so it is
inside the `{% if product_name == "WSO2 Identity Server" %}` block (i.e., place
`# Implement back-channel logout` immediately after the `{% if ... %}` line and
before the corresponding `{% endif %}`) to ensure the heading is only rendered
for WSO2 Identity Server.
- Around line 59-67: Replace the phrase "JWT token validation" with "JWT
validation" (or "logout token validation") to avoid redundancy, and wrap the
backchannel logout event URI in backticks so it appears as
`http://schemas.openid.net/event/backchannel-logout`; ensure the text now reads
something like "Your client application must perform JWT validation as defined
in the OIDC back-channel logout specification" and that the URI is formatted as
code.
In `@en/includes/guides/authentication/oidc/add-front-channel-logout.md`:
- Around line 57-65: The admonition block titled "Cross-site cookie
considerations" is over-indented so its body renders as a code block; reduce the
block indentation to four spaces (so the admonition header and body are at the
correct indent level) and move the bold heading into the admonition header
instead of inside the body; also change the inline italic label
`*Recommendations:*` to bold `**Recommendations:**` in that block; update the
text inside the note block (the GET/iframe explanation and two bullet
recommendations) accordingly so they render as a normal MkDocs note under the
admonition.
---
Duplicate comments:
In `@en/includes/guides/authentication/oidc/add-back-channel-logout.md`:
- Line 40: Update the broken in-page anchor by changing the link target text
`#configure-back-channel-logout` to match the actual heading anchor
`#configure-back-channel-logout-url` referenced by the heading `## Configure
back-channel logout URL`; locate the link in the sentence starting "You need to
[register this endpoint with {{product_name}}](`#configure-back-channel-logout`)"
and replace the anchor portion so the link points to
`#configure-back-channel-logout-url`.
In `@en/includes/guides/authentication/oidc/add-front-channel-logout.md`:
- Line 21: Change the plural "requests" to singular "request" in the sentence
starting "Upon receiving the logout request..." so it reads "Upon receiving the
logout request, each client application validates the request and proceeds to
invalidate the corresponding user session." This edits the sentence text in the
OIDC front-channel logout guide to keep number agreement consistent.
---
Nitpick comments:
In `@en/includes/guides/authentication/oidc/add-back-channel-logout.md`:
- Line 13: Replace the sentence "The underlying message flow of OpenID Connect
(OIDC) back-channel logout happens as follows:" with a concise, parallel
phrasing that uses the already-defined acronym only (e.g., "The back-channel
logout flow works as follows:"), removing the repeated expansion of "OpenID
Connect" and ensuring consistency with the front-channel guide; update the line
that currently contains that full phrase (search for the string "The underlying
message flow of OpenID Connect (OIDC) back-channel logout happens as follows:")
to the new wording so OIDC is not redefined in the same document.
In `@en/includes/guides/authentication/oidc/add-front-channel-logout.md`:
- Line 68: Remove the raw HTML break tag "<br>" from the Markdown file
(add-front-channel-logout.md) and replace it with a single blank line for
vertical spacing so the document uses plain Markdown spacing instead of the HTML
element.
- Around line 24-33: Remove the duplicated prerequisite in the introductory
paragraph that tells users to register an application and instead keep the
"Before you begin" note; delete the sentence "To get started, you need to have
an application registered in {{ product_name }}. If you don't already have one,
[register a web app with
OIDC]({{base_path}}/guides/applications/register-oidc-web-app/)." from the main
paragraph and ensure the remaining "Before you begin" note (the admonition
starting with "Register your OIDC application") remains and points to the
intended registration page (use /guides/applications/register-oidc-web-app/ if
you want the specific OIDC web app register link).
| # Implement back-channel logout | ||
|
|
||
| Back-channel logout allows users to be logged out from a client application through direct communication of logout requests between the client application and the authorization server. | ||
|
|
||
| ## How it works | ||
|
|
||
| The underlying message flow of OpenID Connect (OIDC) back-channel logout is as follows: | ||
| {% if product_name == "WSO2 Identity Server" %} |
H1 heading falls outside the product conditional, producing an orphaned heading for non-IS products.
# Implement back-channel logout is before {% if product_name == "WSO2 Identity Server" %}, so any product rendering this include other than WSO2 Identity Server receives the heading with no body content. The front-channel logout file correctly places everything inside the conditional. Move line 1 inside the {% if %} block.
✏️ Proposed fix
-# Implement back-channel logout
-
{% if product_name == "WSO2 Identity Server" %}
+# Implement back-channel logout
+
📝 Committable suggestion
‼️ IMPORTANT
Carefully review the code before committing. Ensure that it accurately replaces the highlighted code, contains no missing lines, and has no issues with indentation. Thoroughly test & benchmark the code to ensure it meets the requirements.
| # Implement back-channel logout | |
| Back-channel logout allows users to be logged out from a client application through direct communication of logout requests between the client application and the authorization server. | |
| ## How it works | |
| The underlying message flow of OpenID Connect (OIDC) back-channel logout is as follows: | |
| {% if product_name == "WSO2 Identity Server" %} | |
| {% if product_name == "WSO2 Identity Server" %} | |
| # Implement back-channel logout | |
🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed.
In `@en/includes/guides/authentication/oidc/add-back-channel-logout.md` around
lines 1 - 3, The H1 heading "Implement back-channel logout" is placed before the
product conditional tag `{% if product_name == "WSO2 Identity Server" %}`,
causing an orphaned heading for non-IS products; move the heading so it is
inside the `{% if product_name == "WSO2 Identity Server" %}` block (i.e., place
`# Implement back-channel logout` immediately after the `{% if ... %}` line and
before the corresponding `{% endif %}`) to ensure the heading is only rendered
for WSO2 Identity Server.
| 2. The authorization server identifies all client applications associated with the user's session. | ||
| 3. The authorization server generates a logout token, a special JWT containing specific claims, and sends it with a logout request to the logout endpoints of the identified client applications. | ||
| 4. Upon receiving the logout token, each client application validates it and then invalidates the corresponding user session. | ||
| Back-channel logout, defined in the OpenID Connect (OIDC) specification, allows logging out of client applications without user interaction. Unlike front-channel logout that needs the user to visit each client application, back-channel logout happens entirely through server-to-server communication between the authorization server and the client applications. |
Imprecise description of front-channel logout mechanism.
Front-channel logout does not require the user to visit each client application; it delivers logout notifications via browser-embedded iframes. Consider revising to reflect this accurately.
✏️ Proposed fix
-Back-channel logout, defined in the OpenID Connect (OIDC) specification, allows logging out of client applications without user interaction. Unlike front-channel logout that needs the user to visit each client application, back-channel logout happens entirely through server-to-server communication between the authorization server and the client applications.
+Back-channel logout, defined in the OpenID Connect (OIDC) specification, lets the authorization server terminate client application sessions without user interaction. Unlike front-channel logout, which delivers logout notifications through browser iframes and depends on browser cookie policies, back-channel logout uses direct server-to-server communication between the authorization server and the client applications.
🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed.
In `@en/includes/guides/authentication/oidc/add-back-channel-logout.md` at line 5,
Revise the inaccurate sentence about front-channel logout in the "Back-channel
logout" paragraph: replace the claim that front-channel logout "needs the user
to visit each client application" with a precise description that front-channel
logout delivers logout notifications via browser-embedded mechanisms (e.g.,
iframes or front-channel logout endpoints) using the user's browser to propagate
the logout to clients, rather than server-to-server communication; update the
phrasing around "front-channel logout" and "back-channel logout" to clearly
contrast server-to-server back-channel with browser-mediated front-channel
delivery.
| Your client application must perform JWT token validation as defined in the [OIDC back-channel logout specification](https://openid.net/specs/openid-connect-backchannel-1_0.html#Validation). A summary of the validations is below. | ||
|
|
||
| 5. Enter the credentials of your user account and click Sign In. You will now receive an ID Token. | ||
| - `iss`: Must match your trusted issuer. | ||
|
|
||
| 6. Access the **Playground_app2** application using the follwoing URL: http://localhost:8080/playground3/ | ||
| - `aud`: Must match your application's client ID. | ||
|
|
||
| 7. Repeat steps 2-5 for **Playground_app2** application with the following values: | ||
| - `iat` and `exp`: Must be within a valid timeframe. | ||
|
|
||
| | Field name | Value | | ||
| |-------------|-------| | ||
| | **Authorization Grant Type** | `Implicit` | | ||
| | **Client ID** | The OAuth Client ID received when registering the Playground_app2 in WSO2 Identity Server. | | ||
| | **Callback URL** | `http://localhost:8080/playground3/oauth2client` | | ||
| | **Authorize Endpoint** | `https://localhost:9443/oauth2/authorize` | | ||
| - `events`: Must contain the http://schemas.openid.net/event/backchannel-logout claim. |
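Review bot: the validation summary in this hunk (the `iss`, `aud`, `iat`/`exp` and `events` bullets) is narrower than the spec section it links to. Section 2.6 of the OIDC back-channel logout specification also requires the RP to validate the logout token's signature before trusting any claim, to check that the token carries a `sub` claim, a `sid` claim, or both, and to reject a token that contains a `nonce` claim; it further recommends tracking `jti` values so a recently seen token is not accepted again. Suggest adding those bullets, with the signature check first, so a reader implementing the endpoint does not accept an unsigned or replayed token that happens to carry the right `iss`, `aud` and `events` values.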
Two minor issues in the token validation guidance.
- Line 59: "JWT token validation" is redundant: JWT (defined on line 17 as JSON Web Token) already contains "token". Use "JWT validation" or "logout token validation".
- Line 67: The URI `http://schemas.openid.net/event/backchannel-logout` appears in prose without backtick formatting. Per coding guidelines, URLs and code-like values must be in backticks.
✏️ Proposed fix
- Your client application must perform JWT token validation as defined in the [OIDC back-channel logout specification](https://openid.net/specs/openid-connect-backchannel-1_0.html#Validation). A summary of the validations is below.
+ Your client application must perform JWT validation as defined in the [OIDC back-channel logout specification](https://openid.net/specs/openid-connect-backchannel-1_0.html#Validation). A summary of the validations is below.
- - `events`: Must contain the http://schemas.openid.net/event/backchannel-logout claim.
+ - `events`: Must contain the `http://schemas.openid.net/event/backchannel-logout` claim.
As per coding guidelines, "Format code elements, file names, paths, config keys, commands, and URLs in backticks."
🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed.
In `@en/includes/guides/authentication/oidc/add-back-channel-logout.md` around
lines 59 - 67, Replace the phrase "JWT token validation" with "JWT validation"
(or "logout token validation") to avoid redundancy, and wrap the backchannel
logout event URI in backticks so it appears as
`http://schemas.openid.net/event/backchannel-logout`; ensure the text now reads
something like "Your client application must perform JWT validation as defined
in the OIDC back-channel logout specification" and that the URI is formatted as
code.
| !!! note | ||
| **Cross-site cookie considerations** | ||
|
|
||
| Front-channel logout uses GET requests delivered via iframes to notify client domains. While GET requests in iframes have good browser support, modern browsers restrict third-party cookies and cross-site tracking, which can cause logout to fail. | ||
|
|
||
| *Recommendations:* | ||
|
|
||
| - Prefer [back-channel logout]({{base_path}}/guides/authentication/oidc/add-back-channel-logout/) for reliable server-to-server session termination, as it does not depend on browser cookie policies. | ||
| - Consider hosting applications on subdomains of a shared parent domain (for example, `app1.example.com` and `app2.example.com`) so cookies can use `Domain=.example.com` and become first-party. |
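Review bot: the second recommendation in this hunk mixes up two separate things. The cookie `Domain` attribute only controls which hosts the browser sends the cookie to; whether the iframe request to `app1.example.com` is treated as same-site, and so still receives cookies under third-party cookie blocking, depends on the page that embeds the iframes (the {{ product_name }} logout page) being under the same registrable domain `example.com`. Suggest stating the condition as "when {{ product_name }} and the applications share a parent domain" and dropping "become first-party", and noting the trade-off that a session cookie set with `Domain=.example.com` is sent to every subdomain, so a host-only cookie is the safer choice once the same-site condition holds.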
Admonition content at 8-space indent will render as a code block.
MkDocs admonition content follows on the next line, indented by four spaces. The note body here is indented by eight spaces. Indented blocks are generally treated as code blocks in Markdown, and to have indented code blocks under an admonition you must indent twice. That means all the text, the bold heading, and the bullet points will render as a raw preformatted block rather than formatted note content. Reduce the indentation to four spaces and move the title into the admonition header. Also replace *Recommendations:* (italic) with **Recommendations:** (bold).
✏️ Proposed fix
-!!! note
- **Cross-site cookie considerations**
-
- Front-channel logout uses GET requests delivered via iframes to notify client domains. While GET requests in iframes have good browser support, modern browsers restrict third-party cookies and cross-site tracking, which can cause logout to fail.
-
- *Recommendations:*
-
- - Prefer [back-channel logout]({{base_path}}/guides/authentication/oidc/add-back-channel-logout/) for reliable server-to-server session termination, as it does not depend on browser cookie policies.
- - Consider hosting applications on subdomains of a shared parent domain (for example, `app1.example.com` and `app2.example.com`) so cookies can use `Domain=.example.com` and become first-party.
+!!! note "Cross-site cookie considerations"
+
+ Front-channel logout uses GET requests delivered via iframes to notify client domains. While GET requests in iframes have good browser support, modern browsers restrict third-party cookies and cross-site tracking, which can cause logout to fail.
+
+ **Recommendations:**
+
+ - Prefer [back-channel logout]({{base_path}}/guides/authentication/oidc/add-back-channel-logout/) for reliable server-to-server session termination, as it does not depend on browser cookie policies.
+ - Consider hosting applications on subdomains of a shared parent domain (for example, `app1.example.com` and `app2.example.com`) so cookies can use `Domain=.example.com` and become first-party.
🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed.
In `@en/includes/guides/authentication/oidc/add-front-channel-logout.md` around
lines 57 - 65, The admonition block titled "Cross-site cookie considerations" is
over-indented so its body renders as a code block; reduce the block indentation
to four spaces (so the admonition header and body are at the correct indent
level) and move the bold heading into the admonition header instead of inside
the body; also change the inline italic label `*Recommendations:*` to bold
`**Recommendations:**` in that block; update the text inside the note block (the
GET/iframe explanation and two bullet recommendations) accordingly so they
render as a normal MkDocs note under the admonition.
Purpose
Part of wso2/product-is#26413
Frontchannel related docs
Backchannel related docs
Test environment
Security checks
Summary by CodeRabbit