Revision history

initial version

To log out a user in node-oidc-provider without revoking grants, you can use the Front-Channel Logout (FCL) mechanism provided by the OpenID Connect specification. This allows the client application to notify the IDP that the user has been logged out, without the IDP having to revoke any grants.

To implement FCL in node-oidc-provider, you need to first enable it in your configuration by setting the features.frontchannelLogout property to true. Then, you need to add a route to your application that can receive POST requests from clients that contain a logout_token parameter.

When a user logs out of the client application, it should initiate a GET request to the IDP's authorize endpoint with the prompt=logout parameter. This will trigger the IDP to generate a logout token and redirect the user back to the client application's logout URL with the logout token as a query parameter.

The client application should then POST the logout token to the FCL route on the IDP's server, which will trigger the IDP to broadcast a logout message to all clients that have active sessions with the same user. The clients can then either log out the user immediately or wait until the user initiates a new request and then log them out.

Note that FCL is not a foolproof mechanism, as it relies on the client application to initiate the logout process and may not work in all scenarios (e.g. if the user's browser crashes). In these cases, you may need to fall back to revoking grants as a more reliable way to log out the user.
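As an added example (not part of the answer above, nor node-oidc-provider's own code), here is the client-side handler a relying party needs so that it can act on the logout notification the IDP sends. It assumes the `iss` and `sid` query parameters defined by the OpenID Connect Front-Channel Logout specification, a constructed issuer URL, and an in-memory session map keyed by the OP session id taken from the ID Token.

```javascript
// Added example: RP-side front-channel logout endpoint logic.
// Assumptions (not from the answer above): the OP loads the RP's registered
// frontchannel_logout_uri in a hidden iframe with `iss` and `sid` query
// parameters, and the RP keeps local sessions keyed by that `sid`.

const EXPECTED_ISSUER = 'https://op.example.com'; // constructed value

// Build an RP session store: sid (from the ID Token) -> { sub }
function makeSessionStore(entries) {
  return new Map(Object.entries(entries));
}

// Validate the logout request and clear only the matching local session.
// Returns a result object so the HTTP layer (and tests) can inspect it.
function handleFrontchannelLogout(query, sessions, expectedIssuer = EXPECTED_ISSUER) {
  const { iss, sid } = query;
  // Both parameters are required once the RP registers with
  // frontchannel_logout_session_required; reject anything else.
  if (typeof iss !== 'string' || typeof sid !== 'string') {
    return { status: 400, cleared: false, reason: 'missing iss or sid' };
  }
  // Never act on a logout request that names a different issuer.
  if (iss !== expectedIssuer) {
    return { status: 400, cleared: false, reason: 'issuer mismatch' };
  }
  const session = sessions.get(sid);
  if (!session) {
    // Unknown sid: answer 200 so the OP's iframe does not error, change nothing.
    return { status: 200, cleared: false, reason: 'no session for sid' };
  }
  sessions.delete(sid);
  // The response should carry Cache-Control: no-store so the browser
  // never replays a cached page instead of hitting this endpoint.
  return { status: 200, cleared: true, sub: session.sub, headers: { 'Cache-Control': 'no-store' } };
}

module.exports = { handleFrontchannelLogout, makeSessionStore, EXPECTED_ISSUER };
```

Wire `handleFrontchannelLogout` to a GET route at the URI you register as the client's `frontchannel_logout_uri`, and send `result.status` plus `result.headers` back to the iframe.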