Sign-out notifications
Be notified when customers sign out of Pliro.
When a customer signs out of Pliro by clicking the sign-out button on their account page, you may also want to sign them out of your website. This can be done using the OpenID Connect Back-Channel Logout mechanism.
If you register a back-channel logout URI for your OAuth application in the Pliro dashboard, Pliro will notify your website with an HTTP POST request to that URI whenever one of your customers signs out.
To prevent abuse and to tell your website which customer to sign out, the request carries a logout_token parameter containing information about the customer in the form of a JSON Web Token. Before signing a customer out of your website you must decode and verify the logout token using the following steps:
1. Decode the logout token (e.g., using one of the many existing JWT libraries) and verify its signature using Pliro's signing keys. None of the claims below can be trusted until the signature has been verified.
2. Check that the iss claim is equal to your Pliro page URL (e.g., https://example-publication.plirotest.page).
3. Check that the aud claim is equal to your OAuth application's client ID.
4. Check that the Unix timestamp in the iat (issued at) claim is in the past. You may also want to check that the token isn't too old (e.g., older than 5 minutes).
5. Check that the sub claim is present. This claim contains the customer's Pliro ID.
6. Check that the sid claim is present. This claim contains the customer's Pliro session ID.
7. Check that the events claim includes the key http://schemas.openid.net/event/backchannel-logout.
8. Check that there is no nonce claim.
9. Check that the token's typ header is set to logout+jwt.
If any of these checks fail, you should respond with an HTTP 400 status code and not process the logout request.
If the checks pass, you may proceed to end the session corresponding to the Pliro session ID in the sid claim and respond with an HTTP 200 or 204 status code.
If ending the session fails, you should respond with an HTTP 400 status code.