Session logout

When you’re using session authentication and the authorization code flow, you may also want to implement the ability for users to log out of their sessions.

When a user initiates a logout, the OpenID Connect plugin can also do the following:

  • Invalidate the user session
  • Revoke the token
  • Provide relying party (RP) initiated logout

Note: Setting config.client_auth to client_secret_post lets you easily test the connection to your IdP, but we recommend using a more secure auth method in production. You can use any of the supported client auth methods.

Prerequisites

  • A configured identity provider (IdP)

Environment variables

  • ISSUER: The issuer authentication URL for your IdP. For example, if you’re using Keycloak as your IdP, the issuer URL looks like this: http://localhost:8080/realms/example-realm

  • CLIENT_ID: The client ID that the plugin uses when it calls authenticated endpoints of the IdP.

  • CLIENT_SECRET: The client secret needed to connect to your IdP.

Set up the plugin

Add this section to your declarative configuration file:

_format_version: "3.0"
plugins:
  - name: openid-connect
    config:
      issuer: ${{ env "DECK_ISSUER" }}
      client_id:
      - ${{ env "DECK_CLIENT_ID" }}
      client_secret:
      - ${{ env "DECK_CLIENT_SECRET" }}
      client_auth:
      - client_secret_post
      auth_methods:
      - password
      - session
      logout_uri_suffix: "/logout"
      logout_methods:
      - POST
      logout_revoke: true
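The following POSIX shell script is an added check, not Kong's own code or part of this page: it exercises the logout flow the configuration above enables against a local Kong proxy and confirms that the session cookie stops working after the POST to the logout suffix. It assumes a hypothetical proxy at KONG_PROXY_URL with the plugin attached to the route at ROUTE_PATH, and OIDC_USER/OIDC_PASS as valid IdP credentials for the password auth method.

```shell
#!/usr/bin/env sh
# Added check, not Kong's own code. Assumed (hypothetical) environment:
# Kong proxy at KONG_PROXY_URL, the openid-connect plugin above attached
# to the route at ROUTE_PATH, and OIDC_USER/OIDC_PASS valid IdP credentials.
KONG_PROXY_URL="${KONG_PROXY_URL:-http://localhost:8000}"
ROUTE_PATH="${ROUTE_PATH:-/protected}"
LOGOUT_SUFFIX="/logout"              # must equal config.logout_uri_suffix
COOKIE_JAR="${COOKIE_JAR:-$(mktemp)}"

# Logout endpoint = proxy URL + route path + configured suffix.
logout_url() { printf '%s%s%s' "$1" "$2" "$3"; }

# Print only the HTTP status of a request ("000" if the proxy is unreachable).
http_status() { curl -s -o /dev/null -w '%{http_code}' "$@" || true; }

# 1. Password auth method: Basic credentials are exchanged with the IdP
#    and, because "session" is enabled, a session cookie is set.
session_login() {
  http_status -u "$OIDC_USER:$OIDC_PASS" -c "$COOKIE_JAR" "$KONG_PROXY_URL$ROUTE_PATH"
}

# 2. Cookie-only request: the session, not the credentials, authenticates.
session_check() { http_status -b "$COOKIE_JAR" "$KONG_PROXY_URL$ROUTE_PATH"; }

# 3. RP-initiated logout with the configured method (POST) and suffix;
#    with logout_revoke: true the plugin also revokes the token at the IdP.
session_logout() {
  http_status -X POST -b "$COOKIE_JAR" -c "$COOKIE_JAR" \
    "$(logout_url "$KONG_PROXY_URL" "$ROUTE_PATH" "$LOGOUT_SUFFIX")"
}

# The logout worked only if the cookie was accepted before and rejected after.
logout_invalidated_session() { [ "$1" = "200" ] && [ "$2" != "200" ]; }

# Run the flow only when credentials are supplied, so the script is safe to source.
if [ -n "${OIDC_USER:-}" ] && [ -n "${OIDC_PASS:-}" ]; then
  login=$(session_login);  before=$(session_check)
  logout=$(session_logout); after=$(session_check)
  echo "login=$login before=$before logout=$logout after=$after"
  if logout_invalidated_session "$before" "$after"; then
    echo "OK: session cookie rejected after logout"
  else
    echo "FAIL: session still accepted after logout"; exit 1
  fi
fi
```

Run it with OIDC_USER and OIDC_PASS exported; a "FAIL" line means the cookie still authenticated after the logout request, which usually points at a mismatch between the request path or method and logout_uri_suffix/logout_methods.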