Help on OIDC logout to terminate session on OpenID Provider
Use-case: 1 tenant = 1 ZITADEL Org, each Org has its own OIDC IdP (ZITADEL as RP, external OpenID Provider)
Environment: Self Hosting
Version: 3.3.0
Stack: K8S on EKS, RDS postgres, microservices, ZITADEL TypeScript login V2
Dear ZITADEL team,
Our setup is:
• ZITADEL instance: https://zitadel.mycompany.com
• Login V2 app (Next.js): https://login.mycompany.com
• PKCE web app: https://app.mycompany.com (OIDC project with Login V2 enabled)
• N Organizations (1 per Tenant)
• Each Org has: the project granted + its own OIDC IdP (e.g., https://idp.thirdparty.net)
• Users provisioned with IdP Links
Login:
User reaches https://app.mycompany.com → redirected to Login V2 → discovers Org → redirected to third-party IdP login page.
After successful auth, it flows through: ZITADEL IdP callback → Login V2 callback → back to app PKCE callback.
https://zitadel.mycompany.com/idps/callback?code=...
https://zitadel.mycompany.com/idp/oidc/success?id=...&organization=...&.requestId=oidc_V2_..&user=....
https://app.mycompany.com/callback?code=...&state=...
Until here all good.
Logout:
On logout, it seems we are only terminating the ZITADEL session.
From the app, we call:
This terminates the ZITADEL session and redirects back to the app. But it does not log the user out from the third-party IdP (https://idp.thirdparty.net).
---
👉 Main Question:
Since ZITADEL acts as RP towards the external IdP, are we supposed to manually call the external IdP’s end_session_endpoint ourselves (e.g., via post_logout_redirect or frontend logic after ZITADEL logout)?
Or is there a way for ZITADEL to propagate the logout to the external IdP automatically in this IdP-initiated Login V2 setup?
Has anyone encountered the same use case using Login V2?
I'd appreciate some light here.
Thanks.
hey @Arnau In your multi-tenant setup where each organization has its own external OIDC IdP, you would need to manually handle the logout to the external IdP's end_session_endpoint.
we have an OIDC back channel logout issue still open tho https://github.com/zitadel/zitadel/issues/8287
your understanding is good and correct
ZITADEL currently does not automatically propagate logout to external identity providers. The end_session_endpoint terminates sessions within ZITADEL but does not include federated logout functionality for external IdPs in your current setup.
Thanks for the quick response @Rajat
Do you have any recommendations on how to implement that in the Login V2 application?
We might be able to achieve something in a new ad-hoc "logged out" route recovering the IdP from the logged out user but not sure if there's any other approach meanwhile back channel logout is not ready yet.
hey @Arnau good morning, you can take a look at this https://zitadel.com/docs/guides/integrate/login/oidc/logout ZITADEL supports RP-initiated logout through the end_session_endpoint.
Your idea of creating an ad-hoc "logged out" route could work as an interim solution, but you'd need to ensure it properly handles the post-logout redirect flow that ZITADEL expects.
remember that this logout mechanism works today (back channel is still a wip as you can see above)
Hi @Rajat, with a combination of these implementations:
- An Action on RetrieveIdentityProviderIntent to handle the OpenID Provider response to our backend
- ... a new backend endpoint "given this IdP Intent details, build the IdP end session URL"
- ... a new "logged out" page on the Next.js application that calls this new backend endpoint
- ... and the PKCE app post_logout_redirect_uri now redirects to the new "logged out" Next.js page
We validated we are able to construct the URL targeting the OpenID provider end_session_endpoint with ?id_token_hint=....&post_logout_redirect_uri=...
This worked as expected to terminate the OP session after terminating the ZITADEL (RP) session as well.
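One way to implement the "given this IdP Intent details, build the IdP end session URL" backend step from the solution above, as an added TypeScript example that is not ZITADEL's, Login V2's or the poster's code. The discovery document shape, the id_token captured from the intent, the allow-list of redirect hosts and all function names are assumptions.

```typescript
// Added example (not ZITADEL or Login V2 code): build the external OP's RP-Initiated
// Logout URL. Assumes the OP discovery document and the login id_token are available.

interface OpDiscovery {
  issuer: string;
  end_session_endpoint?: string; // absent when the OP does not support RP-Initiated Logout
}

interface IdpLogoutInput {
  discovery: OpDiscovery;        // from <issuer>/.well-known/openid-configuration
  idToken: string;               // id_token the OP issued to ZITADEL (RP) during login
  postLogoutRedirectUri: string; // where the OP sends the browser after ending its session
  clientId?: string;             // ZITADEL's client_id at the OP
  state?: string;                // opaque value the OP echoes back on the redirect
}

// Constructed allow-list: only hosts we control may receive the post-logout redirect.
const ALLOWED_POST_LOGOUT_HOSTS = new Set(["login.mycompany.com", "app.mycompany.com"]);

// Read the unverified "iss" claim; used only to avoid sending a token to the wrong OP.
function issuerOf(idToken: string): string | undefined {
  const parts = idToken.split(".");
  if (parts.length !== 3) return undefined;
  try {
    const json = atob(parts[1].replace(/-/g, "+").replace(/_/g, "/"));
    return JSON.parse(json).iss;
  } catch {
    return undefined;
  }
}

function buildEndSessionUrl(input: IdpLogoutInput): string {
  const endpoint = input.discovery.end_session_endpoint;
  if (!endpoint) throw new Error(`${input.discovery.issuer} has no end_session_endpoint`);
  const target = new URL(endpoint);
  if (target.protocol !== "https:") throw new Error("end_session_endpoint must be https");
  if (issuerOf(input.idToken) !== input.discovery.issuer) {
    throw new Error("id_token issuer does not match the org's IdP");
  }
  const redirect = new URL(input.postLogoutRedirectUri);
  if (redirect.protocol !== "https:" || !ALLOWED_POST_LOGOUT_HOSTS.has(redirect.host)) {
    throw new Error(`post_logout_redirect_uri not allowed: ${input.postLogoutRedirectUri}`);
  }
  target.searchParams.set("id_token_hint", input.idToken);
  target.searchParams.set("post_logout_redirect_uri", redirect.toString());
  if (input.clientId) target.searchParams.set("client_id", input.clientId);
  if (input.state) target.searchParams.set("state", input.state);
  return target.toString();
}
```

The "logged out" Next.js page would redirect the browser to the returned URL; the OP must also have the post_logout_redirect_uri registered for the ZITADEL client.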