Client Notifications
Client notifications are essential for ensuring applications are informed about user sign-out events in a secure and efficient manner.
Notifying Clients That The User Has Signed Out
As part of the logout process you will want to ensure client applications are informed that the user has signed out.
This is done by sending a notification to an endpoint provided by each client application. Depending on your architecture, there are three supported techniques to call these endpoints:
- front-channel notifications via the browser
- back-channel notifications via a server-side call
- a PostMessage-based notification for JavaScript clients
Regardless of which technique you use, Duende IdentityServer keeps track of the client applications involved with the current user session and provides helpers and automated ways of invoking the notification mechanisms.
Front-channel Server-side Clients
To sign the user out of server-side client applications via the front-channel specification (OpenID Connect Front-Channel Logout), the “logged out” page in IdentityServer must render an <iframe> for each client that points to the corresponding notification endpoint at the client. The browser loads each <iframe>, which gives the client the opportunity to clear its own session cookie.
Clients that wish to be notified must have the FrontChannelLogoutUri configuration value set.
IdentityServer tracks which clients the user has signed in to, and provides an API called GetLogoutContextAsync on the IIdentityServerInteractionService. This API returns a LogoutRequest object with a SignOutIFrameUrl property that your logged out page must render into an <iframe>. That URL points at an IdentityServer endpoint which in turn renders one <iframe> per signed-in client, so a single <iframe> on your page is sufficient; the property is null when no signed-in client has a FrontChannelLogoutUri.
See the Quickstart UI Logout page for an example.
Back-channel Server-side Clients
To sign the user out of server-side client applications via the back-channel, the IBackChannelLogoutService service can be used.
IdentityServer will automatically use this service when your logout page removes the user’s authentication cookie via a call to HttpContext.SignOutAsync.
Clients that wish to be notified must have the BackChannelLogoutUri configuration value set.
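The following is an added example, not code from the Duende documentation, Quickstart UI or BFF framework, that ties the front-channel and back-channel sections together inside an IdentityServer host: two client registrations (one with a FrontChannelLogoutUri, one with a BackChannelLogoutUri) and a logout flow written as minimal API endpoints. The client IDs, URLs and the /account/logout and /account/loggedout routes are assumptions; the Duende APIs used (Client, IIdentityServerInteractionService.CreateLogoutContextAsync, GetLogoutContextAsync, LogoutRequest.SignOutIFrameUrl) are the real ones.

```csharp
// Added example (not from the Duende docs or Quickstart). Client IDs, URLs and routes are hypothetical.
using System.Text;
using System.Text.Encodings.Web;
using Duende.IdentityServer.Models;
using Duende.IdentityServer.Services;
using Microsoft.AspNetCore.Authentication;

public static class ClientConfig
{
    public static IEnumerable<Client> Clients =>
        new[]
        {
            new Client
            {
                ClientId = "mvc.frontchannel",                   // hypothetical client
                AllowedGrantTypes = GrantTypes.Code,
                ClientSecrets = { new Secret("secret".Sha256()) },
                RedirectUris = { "https://localhost:5002/signin-oidc" },
                PostLogoutRedirectUris = { "https://localhost:5002/signout-callback-oidc" },
                AllowedScopes = { "openid", "profile" },
                // Loaded by the browser in an <iframe>. IdentityServer appends ?iss=...&sid=...
                // because FrontChannelLogoutSessionRequired defaults to true.
                FrontChannelLogoutUri = "https://localhost:5002/signout-oidc",
            },
            new Client
            {
                ClientId = "web.backchannel",                    // hypothetical client
                AllowedGrantTypes = GrantTypes.Code,
                ClientSecrets = { new Secret("secret".Sha256()) },
                RedirectUris = { "https://localhost:5003/signin-oidc" },
                AllowedScopes = { "openid", "profile" },
                // Server-to-server POST of a logout token; the browser is not involved.
                BackChannelLogoutUri = "https://localhost:5003/bff/backchannel",
            },
        };
}

public static class LogoutEndpoints
{
    public static void Map(WebApplication app)
    {
        // Step 1: end the IdentityServer session. logoutId is present when a client started the
        // flow at /connect/endsession; it is absent when the user clicks "logout" in the
        // IdentityServer UI itself, so the session must be captured before the cookie is removed.
        app.MapPost("/account/logout", async (
            string? logoutId,
            HttpContext ctx,
            IIdentityServerInteractionService interaction) =>
        {
            // SignOutIFrameUrl is computed from the clients recorded in the current session;
            // after SignOutAsync that information is gone. CreateLogoutContextAsync returns
            // null when nobody is signed in.
            logoutId ??= await interaction.CreateLogoutContextAsync();

            // IdentityServer decorates the authentication service, so this call also runs
            // IBackChannelLogoutService for every signed-in client with a BackChannelLogoutUri.
            await ctx.SignOutAsync();

            var query = logoutId is null ? "" : "?logoutId=" + Uri.EscapeDataString(logoutId);
            return Results.Redirect("/account/loggedout" + query);
        });

        // Step 2: render the "logged out" page carrying the front-channel <iframe>.
        app.MapGet("/account/loggedout", async (
            string? logoutId,
            IIdentityServerInteractionService interaction) =>
        {
            var logout = await interaction.GetLogoutContextAsync(logoutId);
            var html = new StringBuilder("<html><body><h1>You are now logged out</h1>");

            if (logout?.PostLogoutRedirectUri != null)
            {
                // Encode everything that came from client configuration before it hits HTML.
                var href = HtmlEncoder.Default.Encode(logout.PostLogoutRedirectUri);
                var name = HtmlEncoder.Default.Encode(logout.ClientName ?? logout.ClientId ?? "the application");
                html.Append($"<p><a href=\"{href}\">Return to {name}</a></p>");
            }

            // Null when no signed-in client has a FrontChannelLogoutUri.
            if (logout?.SignOutIFrameUrl != null)
            {
                var src = HtmlEncoder.Default.Encode(logout.SignOutIFrameUrl);
                html.Append($"<iframe width=\"0\" height=\"0\" class=\"signout\" src=\"{src}\"></iframe>");
            }

            html.Append("</body></html>");
            return Results.Content(html.ToString(), "text/html");
        });
    }
}
```

Wire it up with `LogoutEndpoints.Map(app)` after `app.UseIdentityServer()`. Two things the Quickstart does that this example leaves out: the POST should be protected by antiforgery (otherwise any site can force the user out), and the Quickstart honours LogoutRequest.ShowSignoutPrompt to ask for confirmation before signing out when the request did not come from a trusted client with a valid id_token_hint.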
Implementing Back-channel Logout In .NET Applications
.NET does not have native support for receiving back-channel logout notifications. We do provide a sample, though. Alternatively, if you are using our BFF framework, back-channel logout is already implemented for you.
Back-channel logout notifications are logout tokens as specified by OpenID Connect Back-Channel Logout 1.0. IdentityServer POSTs the token as the logout_token form parameter to the client’s BackChannelLogoutUri, and the client must validate it (signature, issuer, audience, the events claim, and the absence of a nonce claim) before terminating the session identified by the sid and/or sub claims.
Beginning in v6.3, IdentityServer sets the typ header of the logout token to logout+jwt to comply with the final version of the specification. The LogoutTokenJwtType option can override this behavior, which you may need while a client still rejects that header value.
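As an added example that is not the Duende sample or the BFF implementation, here is a minimal back-channel logout receiver for a .NET client: it reads the logout_token form field, validates it with the OP’s published signing keys, performs the checks the specification requires on top of ordinary JWT validation, and records the revoked session id. The /bff/backchannel route, the issuer and client ID parameters, and the in-memory RevokedSessions store are assumptions; a real client would persist revocations and consult them whenever a request arrives with a cookie bound to that sid.

```csharp
// Added example (not the Duende sample or BFF code). Route, issuer/clientId and the
// in-memory revocation store are hypothetical.
using System.Collections.Concurrent;
using Microsoft.IdentityModel.JsonWebTokens;
using Microsoft.IdentityModel.Protocols;
using Microsoft.IdentityModel.Protocols.OpenIdConnect;
using Microsoft.IdentityModel.Tokens;

public static class BackChannelLogout
{
    // Event type every logout token must carry (OpenID Connect Back-Channel Logout 1.0, section 2.4).
    const string LogoutEvent = "http://schemas.openid.net/event/backchannel-logout";

    // Hypothetical store of revoked OP session ids (sid -> time of revocation).
    public static readonly ConcurrentDictionary<string, DateTimeOffset> RevokedSessions = new();

    public static void Map(WebApplication app, string issuer, string clientId)
    {
        // Fetches and caches the OP's discovery document and JWKS, refreshing on key rollover.
        var config = new ConfigurationManager<OpenIdConnectConfiguration>(
            $"{issuer}/.well-known/openid-configuration",
            new OpenIdConnectConfigurationRetriever());

        app.MapPost("/bff/backchannel", async (HttpRequest request) =>
        {
            var form = await request.ReadFormAsync();
            var logoutToken = form["logout_token"].ToString();
            if (string.IsNullOrEmpty(logoutToken))
                return Results.BadRequest();

            var oidc = await config.GetConfigurationAsync(CancellationToken.None);
            var handler = new JsonWebTokenHandler();
            var result = await handler.ValidateTokenAsync(logoutToken, new TokenValidationParameters
            {
                ValidIssuer = issuer,
                ValidAudience = clientId,
                IssuerSigningKeys = oidc.SigningKeys,
                // IdentityServer 6.3+ sets typ=logout+jwt; refuse id_tokens or other JWTs replayed here.
                ValidTypes = new[] { "logout+jwt" },
                // exp is optional in a logout token, so freshness is checked via iat below instead.
                RequireExpirationTime = false,
                ValidateLifetime = true,
            });
            if (!result.IsValid)
                return Results.BadRequest();

            var claims = result.ClaimsIdentity;

            // Spec section 2.6: events must name the logout event, nonce must be absent,
            // and at least one of sub / sid must be present.
            var events = claims.FindFirst("events")?.Value;
            if (events is null || !events.Contains(LogoutEvent))
                return Results.BadRequest();
            if (claims.FindFirst("nonce") != null)
                return Results.BadRequest();

            var sid = claims.FindFirst("sid")?.Value;
            var sub = claims.FindFirst("sub")?.Value;
            if (sid is null && sub is null)
                return Results.BadRequest();

            // Reject stale tokens: iat is mandatory; a 5 minute window is an assumed policy.
            if (!long.TryParse(claims.FindFirst("iat")?.Value, out var iat))
                return Results.BadRequest();
            var age = DateTimeOffset.UtcNow - DateTimeOffset.FromUnixTimeSeconds(iat);
            if (age > TimeSpan.FromMinutes(5))
                return Results.BadRequest();

            if (sid != null)
                RevokedSessions[sid] = DateTimeOffset.UtcNow;
            // When only sub is present, every session for that subject must be terminated (not shown).

            return Results.Ok();
        });
    }
}
```

Call it as `BackChannelLogout.Map(app, "https://localhost:5001", "web.backchannel")` in the client host. The endpoint must be reachable by IdentityServer without a user cookie and must not require authentication. Two hardening steps omitted for brevity: keep the jti of accepted tokens for the freshness window to reject replays, and parse the events claim as JSON rather than a substring match if you also accept other event types.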
Browser-based JavaScript Clients
There is nothing special you need to do on the IdentityServer side to notify these clients that the user has signed out. The clients, though, must monitor the session via the check_session_iframe (OpenID Connect Session Management, which uses PostMessage between the client page and the iframe), and this is implemented by spec compliant client libraries, e.g. the oidc-client JavaScript library.