Sign-out notifications
Be notified when customers sign out of Pliro.
Last updated
When a customer signs out of Pliro by clicking the sign out button on their account page, you may also want to sign them out of your website. This can be done using back-channel logout (OpenID Connect Back-Channel Logout).
If you register a back-channel logout URI for your OAuth application in the Pliro dashboard, Pliro will notify your website with an HTTP POST request to that URI whenever one of your customers signs out.
To prevent abuse and to tell you which customer to sign out, the request includes a logout_token containing information about the customer in the form of a signed JWT. Anyone who can reach your logout URI can send it a request, so never end a session on the strength of an unverified token. Before signing a customer out of your website you must decode and verify the logout token using the following steps:
1. Decode the logout token (e.g., with a JWT library) and verify its signature against Pliro's public signing key. Pin the signing algorithm you expect rather than letting the token's alg header choose it.
2. Check that the iss claim is equal to your Pliro page URL (e.g., https://example-publication.plirotest.page).
3. Check that the aud claim is equal to your OAuth application's client ID.
4. Check that the Unix timestamp in the iat (issued at) claim is in the past, allowing for a small amount of clock skew. You should also reject tokens that are too old (e.g., more than 5 minutes).
5. Check that the sub claim is present. This claim contains the customer's Pliro ID.
6. Check that the sid claim is present. This claim contains the customer's Pliro session ID.
7. Check that the events claim includes the key http://schemas.openid.net/event/backchannel-logout (its value is a JSON object, normally empty).
8. Check that there is no nonce claim.
9. Check that the token's typ header is set to logout+jwt.
If any of these checks fail, you should respond with an HTTP 400 status code and not process the logout request.
If all the checks pass, end the session corresponding to the Pliro session ID in the sid claim and respond with an HTTP 200 or 204 status code.
If ending the session fails, you should respond with an HTTP 400 status code.
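The whole procedure above as a worked example, added here and not taken from Pliro's documentation or code. It is written in Go with only the standard library: mintLogoutToken stands in for Pliro and produces an RS256-signed logout token so the example runs offline (the RS256 algorithm, the issuer URL, the client ID and the cust_123 / sess_456 values are assumptions; in production use the signing key Pliro publishes for your page), verifyLogoutToken runs the nine checks in order, and handleLogout maps the result onto the 200/400 responses described above. The token string passed to handleLogout is the logout_token value from the POST request body.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
	"strings"
	"time"
)

// Integrator configuration; the issuer URL and client ID are assumptions for this example.
const (
	expectedIss = "https://example-publication.plirotest.page"
	clientID    = "example-client-id"
	logoutEvent = "http://schemas.openid.net/event/backchannel-logout"
)

var b64 = base64.RawURLEncoding // JWT segments are unpadded base64url

type claims struct { // encoding/json matches the lower-case claim names case-insensitively
	Iss, Aud, Sub, Sid string // aud is assumed to be a single string, as the page describes
	Iat                int64
	Events             map[string]json.RawMessage
	Nonce              json.RawMessage // nil only when the claim is absent
}

// verifyLogoutToken runs the nine checks listed above and returns the Pliro session ID to end. The payload
// is not trusted until the signature verifies; the algorithm is pinned (RS256 assumed) instead of read from alg.
func verifyLogoutToken(token string, pub *rsa.PublicKey, now time.Time) (string, error) {
	parts := strings.Split(token, ".")
	if len(parts) != 3 {
		return "", errors.New("token is not a compact JWS")
	}
	var h struct{ Alg, Typ string }
	if raw, err := b64.DecodeString(parts[0]); err != nil || json.Unmarshal(raw, &h) != nil || h.Alg != "RS256" {
		return "", errors.New("malformed header or unexpected alg")
	}
	digest := sha256.Sum256([]byte(parts[0] + "." + parts[1]))
	if sig, err := b64.DecodeString(parts[2]); err != nil || rsa.VerifyPKCS1v15(pub, crypto.SHA256, digest[:], sig) != nil {
		return "", errors.New("bad signature")
	}
	var c claims
	if raw, err := b64.DecodeString(parts[1]); err != nil || json.Unmarshal(raw, &c) != nil {
		return "", errors.New("malformed payload")
	}
	issued := time.Unix(c.Iat, 0)
	switch {
	case c.Iss != expectedIss:
		return "", errors.New("iss is not the Pliro page URL")
	case c.Aud != clientID:
		return "", errors.New("aud is not the client ID")
	case c.Iat == 0 || issued.After(now.Add(30*time.Second)) || now.Sub(issued) > 5*time.Minute: // 30s skew allowed
		return "", errors.New("iat is missing, in the future or too old")
	case c.Sub == "" || c.Sid == "":
		return "", errors.New("sub or sid is missing")
	case c.Events[logoutEvent] == nil:
		return "", errors.New("events lacks the backchannel-logout key")
	case c.Nonce != nil:
		return "", errors.New("nonce must not be present")
	case h.Typ != "logout+jwt":
		return "", errors.New("typ header is not logout+jwt")
	}
	return c.Sid, nil
}

// handleLogout maps the outcome onto the responses above: 400 on any failed check or failed session end, else 200.
func handleLogout(token string, pub *rsa.PublicKey, now time.Time, endSession func(sid string) error) int {
	if sid, err := verifyLogoutToken(token, pub, now); err != nil || endSession(sid) != nil {
		return 400
	}
	return 200
}

// mintLogoutToken stands in for Pliro so the example runs offline; it is not Pliro's code.
func mintLogoutToken(priv *rsa.PrivateKey, typ string, payload map[string]interface{}) string {
	hdr, _ := json.Marshal(map[string]string{"alg": "RS256", "typ": typ})
	body, _ := json.Marshal(payload)
	input := b64.EncodeToString(hdr) + "." + b64.EncodeToString(body)
	digest := sha256.Sum256([]byte(input))
	sig, _ := rsa.SignPKCS1v15(rand.Reader, priv, crypto.SHA256, digest[:])
	return input + "." + b64.EncodeToString(sig)
}

func sampleClaims(iat int64) map[string]interface{} { // constructed payload carrying every expected claim
	return map[string]interface{}{
		"iss": expectedIss, "aud": clientID, "iat": iat, "sub": "cust_123", "sid": "sess_456",
		"events": map[string]interface{}{logoutEvent: map[string]interface{}{}},
	}
}

func main() {
	priv, _ := rsa.GenerateKey(rand.Reader, 2048)
	end := func(sid string) error { fmt.Println("ending session", sid); return nil }
	fmt.Println(handleLogout(mintLogoutToken(priv, "logout+jwt", sampleClaims(time.Now().Unix())), &priv.PublicKey, time.Now(), end))
}
```

The signature is checked before any claim is read, and the rejection reasons are only returned to the caller, not sent back to the requester; the HTTP response stays a bare 400 so that a probing client learns nothing about which check failed.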