OAuth2/OpenID Connect back-channel logout
authentik: 2025.8.0+ (Preview)
Overview
Back-channel logout is a security feature defined in the OpenID Connect Back-Channel Logout 1.0 specification. It allows an OpenID Provider (OP), such as authentik, to notify Relying Parties (RPs) directly, server to server, when a user's session ends. Each affected application can then terminate its own session for that user without the user's browser being involved.
Back-channel logout only works if your OAuth application (Relying Party) implements the OpenID Connect Back-Channel Logout 1.0 specification, that is, exposes an endpoint that accepts and validates logout tokens. Not all OAuth applications support this, so verify compatibility before relying on it.
How back-channel logout works
When a user logs out, or their session is otherwise terminated in authentik, the following happens:
- Session termination: the user's authentik session ends through the logout flow, an administrative action, or token revocation.
- Provider notification: authentik identifies every OAuth2 provider that has an active session for that user.
- Back-channel request: authentik sends an HTTP POST carrying a signed logout token to each provider's configured Back-channel Logout URI.
- RP processing: each Relying Party validates the logout token (signature, issuer, audience, freshness, and the backchannel-logout event claim) and terminates the user's local session. It should answer 200 OK when the session was ended and 400 Bad Request when the token is rejected.
Requirements
Your OAuth application (Relying Party) must:
- HTTPS: use HTTPS in production, so the logout token cannot be read or altered in transit.
- Accessible: be reachable from the authentik server itself. The request is server-to-server, so a URI that only the user's browser can reach will not work.
- POST support: accept POST requests with an application/x-www-form-urlencoded body that carries the logout_token parameter.
Configuration
Set up back-channel logout
- In the Admin interface, navigate to Applications > Providers.
- Edit or create an OAuth2 provider.
- Enter the back-channel logout endpoint URL provided by your Relying Party in the Back-channel Logout URI field.
Back-channel logout URI format
The back-channel logout URI should be a single URL provided by your Relying Party application. Examples:
https://app.example.com/oauth/backchannel-logout
https://api.service.com/logout/backchannel
https://client.example.org/backchannel-logout
Logout token
The back-channel logout request is an HTTP POST whose form body carries the logout token, a JWT signed by authentik, in the logout_token parameter:
POST /backchannel-logout HTTP/1.1
Host: client.example.org
Content-Type: application/x-www-form-urlencoded
logout_token=eyJhbGciOiJSUzI1NiIsInR5cCI6IkpXVCJ9...
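The following is an added example of the Relying Party side of the exchange described above: the endpoint that receives the POST, validates the logout token as the specification requires, and ends the matching local session. It is not authentik's code and not part of the original page. The issuer URL, client ID, session store and key pair are constructed placeholders; the OP-side signing function exists only to mint test input, since in production the RP verifies against the signing key authentik publishes for the provider (normally fetched from its JWKS endpoint) rather than a locally generated one. The header of the sample token on this page decodes to alg RS256, so the example pins that algorithm.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"errors"
	"net/url"
	"strings"
	"time"
)

const ( // constructed placeholders for authentik (the OP) and this RP, not real values
	issuer      = "https://authentik.example.com/application/o/myapp/"
	clientID    = "myapp-client-id"
	logoutEvent = "http://schemas.openid.net/event/backchannel-logout"
)

type logoutClaims struct {
	Iss    string                     `json:"iss"`
	Aud    string                     `json:"aud"` // the spec also allows an array; extend this if your OP emits one
	Iat    int64                      `json:"iat"`
	Sub    string                     `json:"sub"`
	Sid    string                     `json:"sid"`
	Events map[string]json.RawMessage `json:"events"`
	Nonce  *string                    `json:"nonce"` // non-nil means the claim was present
}

// b64dec ignores decode errors: a garbled segment becomes nil and fails the check that uses it.
func b64dec(s string) []byte { b, _ := base64.RawURLEncoding.DecodeString(s); return b }

// signLogoutToken plays the OP and mints an RS256 logout token as test input (authentik does this server-side).
func signLogoutToken(key *rsa.PrivateKey, claims map[string]any) string {
	enc := base64.RawURLEncoding
	hdr, _ := json.Marshal(map[string]string{"alg": "RS256", "typ": "JWT"})
	body, _ := json.Marshal(claims)
	input := enc.EncodeToString(hdr) + "." + enc.EncodeToString(body)
	digest := sha256.Sum256([]byte(input))
	sig, _ := rsa.SignPKCS1v15(rand.Reader, key, crypto.SHA256, digest[:])
	return input + "." + enc.EncodeToString(sig)
}

// verifyLogoutToken applies the RP checks from OIDC Back-Channel Logout 1.0 section 2.6: signature,
// iss, aud, iat freshness, sub and/or sid, the backchannel-logout event, and no nonce claim.
// The algorithm is pinned to RS256 instead of read from the header, so alg=none or HS256 cannot steer it.
func verifyLogoutToken(token string, pub *rsa.PublicKey, now time.Time) (*logoutClaims, error) {
	parts := strings.Split(token, ".")
	if len(parts) != 3 {
		return nil, errors.New("malformed token")
	}
	digest := sha256.Sum256([]byte(parts[0] + "." + parts[1]))
	if rsa.VerifyPKCS1v15(pub, crypto.SHA256, digest[:], b64dec(parts[2])) != nil {
		return nil, errors.New("bad signature")
	}
	var c logoutClaims
	if err := json.Unmarshal(b64dec(parts[1]), &c); err != nil {
		return nil, err
	}
	switch {
	case c.Iss != issuer || c.Aud != clientID:
		return nil, errors.New("wrong iss or aud")
	case now.Sub(time.Unix(c.Iat, 0)).Abs() > 2*time.Minute:
		return nil, errors.New("iat outside acceptable window")
	case c.Sub == "" && c.Sid == "":
		return nil, errors.New("neither sub nor sid")
	case c.Events[logoutEvent] == nil:
		return nil, errors.New("missing backchannel-logout event")
	case c.Nonce != nil:
		return nil, errors.New("nonce present: that is an ID Token, not a logout token")
	}
	return &c, nil
}

// handleBackchannelLogout is the RP endpoint body: parse the form POST, verify logout_token, then end
// the session named by sid, or every session of sub when no sid is present (sessions maps sid -> sub).
// It returns the HTTP status to answer (200 ok, 400 rejected token), sessions revoked, and the reason.
func handleBackchannelLogout(form string, pub *rsa.PublicKey, now time.Time, sessions map[string]string) (status, revoked int, err error) {
	q, err := url.ParseQuery(form)
	if err != nil || q.Get("logout_token") == "" {
		return 400, 0, errors.New("missing logout_token")
	}
	c, err := verifyLogoutToken(q.Get("logout_token"), pub, now)
	if err != nil {
		return 400, 0, err
	}
	for sid, sub := range sessions {
		if (c.Sid != "" && sid == c.Sid) || (c.Sid == "" && sub == c.Sub) {
			delete(sessions, sid)
			revoked++
		}
	}
	return 200, revoked, nil
}
```

The nonce check is easy to forget but matters: an ID Token and a logout token are both JWTs signed by the same OP, and a leaked ID Token must not be accepted at this endpoint to log a user out. Rejected tokens leave the session store untouched, and the endpoint never reports which check failed beyond the status code it returns to the OP.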