Permalink: https://doc.oneportal.fi/x/doIW
There are several ways to do the sign-out, because different kinds of applications and services have very different detailed requirements.
One way to sign out the user from your OAuth or OpenID client is to just delete all known access tokens and ID tokens for the user.
Relying Party Initiated Logout
If you want to log the user out of the ID server, you can use the RP-initiated logout function. This is implemented according to the OpenID Connect Session Management 1.0 specification. Redirect the user to the logout endpoint (by default, https://{idserver}/openid/logout) with the required and optional query parameters. The user is given the opportunity to log out of the ID server and possibly other services as well. Depending on server configuration, client registration and current circumstances, the user may or may not need to interact with the logout user interface. Finally, the user is redirected back to the original calling site.
Single Sign Out / Single Logout / SLO
Sign-out on the server side has two options. As you can see, we too use the terms sign-out and logout interchangeably, as synonyms for the same function.
Front-Channel Logout
OpenID Connect Front-Channel Logout 1.0 (the standard documentation)
In your OpenID Connect client registration you can specify a Front-Channel Logout URI. Any user logging out through the RP-initiated logout endpoint will also trigger the Front-Channel Logout for all clients they have used.
Available since server version 2.8.2.
Back-Channel Logout
OpenID Connect Back-Channel Logout 1.0 (the standard documentation)
In your OpenID Connect client registration you can specify a Back-Channel Logout URI. Any user logging out through the RP-initiated logout endpoint will also trigger the Back-Channel Logout for all clients they have used.
Available since server version 2.8.2.
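What the endpoint behind a Back-Channel Logout URI has to check before it ends a local session, as an added example (not code from this server or its documentation). It follows the logout token rules of OpenID Connect Back-Channel Logout 1.0; the HS256 shared key, the issuer and client ID values and the helper names are assumptions, and the sample token is constructed. A production client verifies the signature with the algorithm and keys the ID server actually uses.

```python
import base64, hashlib, hmac, json, time

LOGOUT_EVENT = "http://schemas.openid.net/event/backchannel-logout"

def _b64url(data: str) -> bytes:
    return base64.urlsafe_b64decode(data + "=" * (-len(data) % 4))

def validate_logout_token(token, key, issuer, client_id, seen_jti, now=None, skew=120):
    """Return (sub, sid) for a valid logout token, else raise ValueError."""
    try:
        head_b64, body_b64, sig_b64 = token.split(".")
        header, claims = json.loads(_b64url(head_b64)), json.loads(_b64url(body_b64))
        sig = _b64url(sig_b64)
    except ValueError as exc:
        raise ValueError("malformed token") from exc
    if not (isinstance(header, dict) and isinstance(claims, dict)):
        raise ValueError("malformed token")
    # Pin the algorithm; never accept whatever the header asks for (e.g. "none").
    if header.get("alg") != "HS256":
        raise ValueError("unexpected alg")
    expected = hmac.new(key, f"{head_b64}.{body_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(sig, expected):
        raise ValueError("bad signature")
    now = time.time() if now is None else now
    aud = claims.get("aud")
    aud = [aud] if isinstance(aud, str) else aud if isinstance(aud, list) else []
    if claims.get("iss") != issuer or client_id not in aud:
        raise ValueError("wrong issuer or audience")
    iat = claims.get("iat")
    if not isinstance(iat, (int, float)) or abs(now - iat) > skew:
        raise ValueError("stale or missing iat")
    events = claims.get("events")
    if not isinstance(events, dict) or LOGOUT_EVENT not in events:
        raise ValueError("not a logout event")
    if "nonce" in claims:  # a nonce means an ID token is being passed off as a logout token
        raise ValueError("nonce present")
    sub, sid = claims.get("sub"), claims.get("sid")
    if not (sub or sid):
        raise ValueError("no sub or sid")
    jti = claims.get("jti")
    if not jti or not isinstance(jti, str) or jti in seen_jti:  # replay protection
        raise ValueError("missing or replayed jti")
    seen_jti.add(jti)
    return sub, sid

def make_sample(key, claims):
    """Build a constructed HS256 token; stands in for the ID server in the demo."""
    enc = lambda b: base64.urlsafe_b64encode(b).rstrip(b"=").decode()
    signing_input = enc(b'{"alg":"HS256","typ":"logout+jwt"}') + "." + enc(json.dumps(claims).encode())
    return signing_input + "." + enc(hmac.new(key, signing_input.encode(), hashlib.sha256).digest())
```

The returned `sub` and `sid` identify which local sessions to end; in a real deployment `seen_jti` would be a shared store with expiry rather than an in-memory set.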