I'm working on a Java Spring Boot project that manages users and sessions internally. It relies on OIDC, AWS Cognito being the Identity Provider, for sign-in and, I would hope, sign-out of the users. What I understand from the OIDC Spec for backchannel logout is that:
1. I must provide an endpoint for logout in my backend application. I am using Pac4J as my OIDC library in a Java Spring Boot application, and have enabled the logout endpoint as per the Pac4J Spring Security documentation.
2. The Identity Provider AWS Cognito should send a request to the logout endpoint if the user is signed out from the Identity Provider.
3. When I receive a valid call (as per the OIDC spec) on this endpoint, I must destroy the user's session with my application.
However, the user being logged out of the Identity Provider (AWS Cognito) does not seem to result in a call to the logout endpoint of my application.
I am unable to find documentation for this backchannel behaviour in the AWS Cognito docs.
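The endpoint behaviour the question lists (receive the OP's call, check it against the OIDC Back-Channel Logout 1.0 rules, then destroy the matching application session) as an added Java example; it is not the asker's code, nor pac4j's or Cognito's. It assumes Nimbus JOSE+JWT on the classpath for signature and claim verification, placeholder ISSUER, CLIENT_ID and JWKS_URL values that would come from the OP's discovery document, and a hypothetical ApplicationSessionStore interface: a back-channel request arrives from the OP, not from the user's browser, so there is no HttpSession on the request to invalidate and the application needs its own index from sid/sub to sessions.

```java
// Added example (not the asker's, pac4j's or Cognito's code): a minimal Spring Boot
// back-channel logout endpoint following the logout-token checks of
// OIDC Back-Channel Logout 1.0. Assumptions: Nimbus JOSE+JWT is available;
// ISSUER / CLIENT_ID / JWKS_URL are placeholders; ApplicationSessionStore is hypothetical.
package example.logout;

import com.nimbusds.jose.JWSAlgorithm;
import com.nimbusds.jose.jwk.source.JWKSource;
import com.nimbusds.jose.jwk.source.RemoteJWKSet;
import com.nimbusds.jose.proc.JWSVerificationKeySelector;
import com.nimbusds.jose.proc.SecurityContext;
import com.nimbusds.jwt.JWTClaimsSet;
import com.nimbusds.jwt.proc.DefaultJWTClaimsVerifier;
import com.nimbusds.jwt.proc.DefaultJWTProcessor;
import org.springframework.http.MediaType;
import org.springframework.http.ResponseEntity;
import org.springframework.web.bind.annotation.PostMapping;
import org.springframework.web.bind.annotation.RequestParam;
import org.springframework.web.bind.annotation.RestController;

import java.net.URL;
import java.util.Map;
import java.util.Set;
import java.util.concurrent.ConcurrentHashMap;

@RestController
public class BackchannelLogoutController {

    // Member name the spec requires inside the "events" claim.
    static final String LOGOUT_EVENT = "http://schemas.openid.net/event/backchannel-logout";

    // Placeholders: in a real deployment take these from the OP's discovery document.
    private static final String ISSUER = "https://ISSUER_PLACEHOLDER";
    private static final String CLIENT_ID = "CLIENT_ID_PLACEHOLDER";
    private static final String JWKS_URL = "https://ISSUER_PLACEHOLDER/.well-known/jwks.json";

    /** Hypothetical application-side session index keyed by OP session id (sid) and by subject (sub). */
    public interface ApplicationSessionStore {
        int invalidateBySid(String sid);
        int invalidateBySubject(String issuer, String sub);
    }

    private final ApplicationSessionStore sessions;
    private final DefaultJWTProcessor<SecurityContext> jwtProcessor = new DefaultJWTProcessor<>();
    // jti values already accepted, so a replayed logout token is rejected (in-memory here;
    // a clustered deployment needs a shared store).
    private final Map<String, Boolean> seenJti = new ConcurrentHashMap<>();

    public BackchannelLogoutController(ApplicationSessionStore sessions) throws Exception {
        this.sessions = sessions;
        // Signature is checked against the OP's published keys; iss and aud must match exactly;
        // iat, jti and events must be present.
        JWKSource<SecurityContext> keySource = new RemoteJWKSet<>(new URL(JWKS_URL));
        jwtProcessor.setJWSKeySelector(new JWSVerificationKeySelector<>(JWSAlgorithm.RS256, keySource));
        jwtProcessor.setJWTClaimsSetVerifier(new DefaultJWTClaimsVerifier<>(
                new JWTClaimsSet.Builder().issuer(ISSUER).audience(CLIENT_ID).build(),
                Set.of("iat", "jti", "events")));
    }

    // The OP POSTs application/x-www-form-urlencoded with a single logout_token parameter.
    @PostMapping(value = "/backchannel-logout", consumes = MediaType.APPLICATION_FORM_URLENCODED_VALUE)
    public ResponseEntity<String> logout(@RequestParam("logout_token") String logoutToken) {
        JWTClaimsSet claims;
        String sub;
        String sid;
        Map<String, Object> events;
        try {
            claims = jwtProcessor.process(logoutToken, null);   // signature + iss/aud/required claims
            sub = claims.getSubject();
            sid = claims.getStringClaim("sid");
            events = claims.getJSONObjectClaim("events");
        } catch (Exception e) {
            return reject("invalid_request");
        }
        // A logout token must carry sub or sid (or both), the backchannel-logout event, and no nonce.
        if (sub == null && sid == null) return reject("invalid_request");
        if (events == null || !events.containsKey(LOGOUT_EVENT)) return reject("invalid_request");
        if (claims.getClaim("nonce") != null) return reject("invalid_request");
        // Reject a jti that was already processed (replay).
        if (seenJti.putIfAbsent(claims.getJWTID(), Boolean.TRUE) != null) return reject("invalid_request");

        // Destroy the application sessions that belong to this OP session or subject.
        if (sid != null) sessions.invalidateBySid(sid);
        if (sub != null) sessions.invalidateBySubject(claims.getIssuer(), sub);
        return ResponseEntity.ok().header("Cache-Control", "no-store").body("");
    }

    // Spec: validation failures are answered with 400 and an error body; never cache either response.
    private static ResponseEntity<String> reject(String error) {
        return ResponseEntity.badRequest()
                .header("Cache-Control", "no-store")
                .body("{\"error\":\"" + error + "\"}");
    }
}
```

The controller answers 200 once the matching sessions are gone and 400 for any token that fails the checks; the session index it calls into has to be populated at login time (from the sid claim of the ID token, or sub when the OP issues no sid), otherwise a valid logout token has nothing to invalidate.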
As of today I can confirm that with pac4j v6 the OIDC (OP initiated) backchannel logout is supported and works well. The OidcLogoutProcessor is handling it.
See https://www.pac4j.org/docs/callback-endpoint.html