Sign-out notifications

Be notified when customers sign out of Pliro.

When a customer signs out of Pliro by clicking the sign out button on their account page, you may also want to sign them out of your website. This can be done using the OpenID Connect Back-Channel Logout mechanism:

If you register a back-channel logout URI for your OAuth application in the Pliro dashboard, Pliro will notify your website with an HTTP POST request to that URI when one of your customers signs out:

POST /backchannel_logout HTTP/1.1
Host: example.com
Content-Type: application/x-www-form-urlencoded

logout_token=example-logout-token

To prevent abuse and to communicate which customer to sign out, the request includes a logout_token containing information about the customer in the form of a JSON Web Token. Before signing a customer out of your website you must decode and verify the logout token using the following steps:

  1. Decode the logout token (e.g., using one of the many existing JWT libraries) and verify its signature using Pliro's signing keys. Pin the signing algorithm you expect rather than accepting whatever the token's alg header names.

  2. Check that the iss claim is equal to your Pliro page URL (e.g., https://example-publication.plirotest.page).

  3. Check that the aud claim is equal to your OAuth application's client ID.

  4. Check that the Unix timestamp in the iat (issued at) claim is in the past. You may also want to check that the token isn't too old (e.g., 5 minutes).

  5. Check that the sub claim is present. This claim contains the customer's Pliro ID.

  6. Check that the sid claim is present. This claim contains the customer's Pliro session ID.

  7. Check that the events claim includes the key http://schemas.openid.net/event/backchannel-logout.

  8. Check that there is no nonce claim.

  9. Check that the token's typ header is set to logout+jwt.

If any of these checks fails, respond with an HTTP 400 status code and do not process the logout request.

If all checks pass, end the session corresponding to the Pliro session ID in the sid claim and respond with an HTTP 200 or 204 status code.

If ending the session fails, you should respond with an HTTP 400 status code.
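The nine checks above together with the response handling, as an added Python example that is not part of the Pliro documentation. The issuer, client ID, session store, sample claims and the HS256 demo secret are all constructed for the example. Step 1 is a pluggable hook (verify_signature) because Pliro's real signing keys are not available offline; the demo hook uses HMAC only to keep the example self-contained, and it pins the algorithm instead of trusting the token's alg header. The aud check also accepts a JSON array containing the client ID, which the JWT format allows; that goes slightly beyond the page's "equal to" wording.

```python
import base64
import hashlib
import hmac
import json
import time
from urllib.parse import parse_qs

BACKCHANNEL_LOGOUT_EVENT = "http://schemas.openid.net/event/backchannel-logout"

EXPECTED_ISSUER = "https://example-publication.plirotest.page"  # constructed
EXPECTED_CLIENT_ID = "example-client-id"                          # constructed
DEMO_HS256_SECRET = b"constructed-demo-secret-not-a-real-key"    # constructed


class LogoutTokenError(Exception):
    """Any failed check: answer HTTP 400 and end no session."""


def _b64url_decode(segment):
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def _b64url_encode(data):
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def demo_verify_hs256(signing_input, signature, header):
    """Stand-in for step 1 so the example runs offline; production code verifies
    against Pliro's signing keys here. The algorithm is pinned by the verifier."""
    expected = hmac.new(DEMO_HS256_SECRET, signing_input, hashlib.sha256).digest()
    return header.get("alg") == "HS256" and hmac.compare_digest(expected, signature)


def verify_logout_token(token, verify_signature, issuer, client_id, now=None, max_age=300):
    """Run checks 1-9 from the page; return the claims or raise LogoutTokenError."""
    now = time.time() if now is None else now
    parts = token.split(".")
    if len(parts) != 3:
        raise LogoutTokenError("expected header.payload.signature")
    try:
        header = json.loads(_b64url_decode(parts[0]))
        claims = json.loads(_b64url_decode(parts[1]))
        signature = _b64url_decode(parts[2])
    except ValueError as exc:  # covers bad base64, bad UTF-8 and bad JSON
        raise LogoutTokenError(f"malformed token: {exc}")
    if not isinstance(header, dict) or not isinstance(claims, dict):
        raise LogoutTokenError("header and payload must be JSON objects")
    if header.get("typ") != "logout+jwt":  # step 9 (cheap, so done before the signature)
        raise LogoutTokenError("typ header must be logout+jwt")
    if not verify_signature(f"{parts[0]}.{parts[1]}".encode("ascii"), signature, header):
        raise LogoutTokenError("signature verification failed")  # step 1
    if claims.get("iss") != issuer:  # step 2
        raise LogoutTokenError("unexpected iss")
    aud = claims.get("aud")  # step 3; JWT allows aud to be a list of audiences
    if client_id not in (aud if isinstance(aud, list) else [aud]):
        raise LogoutTokenError("aud does not contain our client ID")
    iat = claims.get("iat")  # step 4: numeric, not in the future, not older than max_age
    if not isinstance(iat, (int, float)) or isinstance(iat, bool) or iat > now or now - iat > max_age:
        raise LogoutTokenError("iat missing, in the future, or too old")
    for name in ("sub", "sid"):  # steps 5 and 6
        if not isinstance(claims.get(name), str) or not claims[name]:
            raise LogoutTokenError(f"{name} claim missing")
    events = claims.get("events")  # step 7
    if not isinstance(events, dict) or BACKCHANNEL_LOGOUT_EVENT not in events:
        raise LogoutTokenError("events claim lacks the backchannel-logout key")
    if "nonce" in claims:  # step 8
        raise LogoutTokenError("nonce must not be present in a logout token")
    return claims


def handle_backchannel_logout(form_body, sessions, **verify_kwargs):
    """Logic behind POST /backchannel_logout; returns the HTTP status to send.
    `sessions` maps Pliro session IDs (sid) to local session records (constructed store)."""
    token = parse_qs(form_body).get("logout_token", [None])[0]
    if token is None:
        return 400
    try:
        claims = verify_logout_token(token, **verify_kwargs)
    except LogoutTokenError:
        return 400
    if claims["sid"] not in sessions:
        return 400  # ending the session failed: nothing to end
    del sessions[claims["sid"]]
    return 204


def make_demo_token(claims, header=None, secret=DEMO_HS256_SECRET):
    """Constructed HS256 signer, used only to build sample tokens for this example."""
    header = {"alg": "HS256", "typ": "logout+jwt", **(header or {})}
    signing_input = (_b64url_encode(json.dumps(header).encode())
                     + "." + _b64url_encode(json.dumps(claims).encode()))
    sig = hmac.new(secret, signing_input.encode("ascii"), hashlib.sha256).digest()
    return signing_input + "." + _b64url_encode(sig)


if __name__ == "__main__":
    store = {"sess_abc": "local-session-record"}  # constructed session store
    sample = make_demo_token({"iss": EXPECTED_ISSUER, "aud": EXPECTED_CLIENT_ID,
                              "iat": int(time.time()) - 5, "sub": "cust_123",
                              "sid": "sess_abc", "events": {BACKCHANNEL_LOGOUT_EVENT: {}}})
    print(handle_backchannel_logout("logout_token=" + sample, store, verify_signature=demo_verify_hs256,
                                    issuer=EXPECTED_ISSUER, client_id=EXPECTED_CLIENT_ID))
```

A second delivery of the same token returns 400 because the session is already gone, which is the page's "ending the session fails" rule rather than a replay detection. The OpenID Connect Back-Channel Logout specification additionally recommends rejecting a token whose jti was recently seen; the page's list does not include that check and the example does not implement it, but a short-lived jti cache bounded by the same 5-minute window used for iat is the natural place to add it.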
