Single Logout: end_session doesn't revoke refresh tokens of other applications sharing the same SSO
🏬Self-hosted❓Question❌Unsolved🔗OIDC
Hey, I have a setup with multiple frontend applications using Zitadel as SSO, each with their own OIDC client (opaque access tokens + refresh tokens).
When a user logs out from one application via
What I'd expect: terminating an SSO session should cascade and revoke all refresh tokens issued under that session (matched by
What I've tried:
-
- Backchannel logout — notifies other apps, but doesn't revoke their tokens automatically; each app would need to call
-
Questions:
1. Is there a way to make Zitadel automatically revoke all refresh tokens tied to a terminated SSO session (
2. Is backchannel logout the intended mechanism here, where each app is responsible for revoking its own tokens upon receiving the logout token?
3. Are there any plans to support cascade token revocation on session termination natively?
Thanks!
When a user logs out from one application via
end_sessionid_token_hintWhat I'd expect: terminating an SSO session should cascade and revoke all refresh tokens issued under that session (matched by
sidWhat I've tried:
-
end_sessionid_token_hint- Backchannel logout — notifies other apps, but doesn't revoke their tokens automatically; each app would need to call
/oauth/v2/revoke-
/auth/v1/users/me/tokens/refreshQuestions:
1. Is there a way to make Zitadel automatically revoke all refresh tokens tied to a terminated SSO session (
sid2. Is backchannel logout the intended mechanism here, where each app is responsible for revoking its own tokens upon receiving the logout token?
3. Are there any plans to support cascade token revocation on session termination natively?
Thanks!
