website/docs: Update docs for single logout #17169

PeshekDotDev · 2025-10-01T08:15:05Z

Details

Docs update for single logout

Checklist

Local tests pass (ak test authentik/)
The code has been formatted (make lint-fix)

If an API change has been made

The API schema has been updated (make gen-build)

If changes to the frontend have been made

The code has been formatted (make web)

If applicable

The documentation has been updated
The documentation has been formatted (make docs)

netlify · 2025-10-01T08:15:10Z

✅ Deploy Preview for authentik-storybook canceled.

Name	Link
🔨 Latest commit	`b9a96cf`
🔍 Latest deploy log	https://app.netlify.com/projects/authentik-storybook/deploys/68efc4e0825c8a00089e112e

netlify · 2025-10-01T08:15:15Z

✅ Deploy Preview for authentik-docs ready!

Name	Link
🔨 Latest commit	`b9a96cf`
🔍 Latest deploy log	https://app.netlify.com/projects/authentik-docs/deploys/68efc4e0e6509500088a4f43
😎 Deploy Preview	https://deploy-preview-17169--authentik-docs.netlify.app
📱 Preview on mobile	Toggle QR Code... Use your smartphone camera to open QR code link.

To edit notification comments on pull requests, go to your Netlify project configuration.

netlify · 2025-10-01T08:15:47Z

✅ Deploy Preview for authentik-integrations ready!

Name	Link
🔨 Latest commit	`b9a96cf`
🔍 Latest deploy log	https://app.netlify.com/projects/authentik-integrations/deploys/68efc4e0746b8500094531db
😎 Deploy Preview	https://deploy-preview-17169--authentik-integrations.netlify.app
📱 Preview on mobile	Toggle QR Code... Use your smartphone camera to open QR code link.

To edit notification comments on pull requests, go to your Netlify project configuration.

codecov · 2025-10-01T08:20:41Z

Codecov Report

✅ All modified and coverable lines are covered by tests.
✅ Project coverage is 92.97%. Comparing base (b075056) to head (b9a96cf).
⚠️ Report is 50 commits behind head on main.
✅ All tests successful. No failed tests found.

Additional details and impacted files

@@            Coverage Diff             @@
##             main   #17169      +/-   ##
==========================================
+ Coverage   92.68%   92.97%   +0.29%     
==========================================
  Files         868      868              
  Lines       47841    47863      +22     
==========================================
+ Hits        44342    44502     +160     
+ Misses       3499     3361     -138

Flag	Coverage Δ
e2e	`45.27% <ø> (+1.16%)`	⬆️
integration	`23.17% <ø> (-0.01%)`	⬇️
unit	`91.07% <ø> (+0.01%)`	⬆️
unit-migrate	`91.11% <ø> (+<0.01%)`	⬆️

Flags with carried forward coverage won't be shown. Click here to find out more.

☔ View full report in Codecov by Sentry.
📢 Have feedback on the report? Share it here.

github-actions · 2025-10-01T08:40:31Z

authentik PR Installation instructions

Instructions for docker-compose

Add the following block to your .env file:

AUTHENTIK_IMAGE=ghcr.io/goauthentik/dev-server
AUTHENTIK_TAG=gh-b9a96cf791328ae2bfc9c877f62a32661b4c2ee6
AUTHENTIK_OUTPOSTS__CONTAINER_IMAGE_BASE=ghcr.io/goauthentik/dev-%(type)s:gh-%(build_hash)s

Afterwards, run the upgrade commands from the latest release notes.

Instructions for Kubernetes

Add the following block to your values.yml file:

authentik:
    outposts:
        container_image_base: ghcr.io/goauthentik/dev-%(type)s:gh-%(build_hash)s
global:
    image:
        repository: ghcr.io/goauthentik/dev-server
        tag: gh-b9a96cf791328ae2bfc9c877f62a32661b4c2ee6

Afterwards, run the upgrade commands from the latest release notes.

dewi-tik

Absolutely awesome docs. Great job!

website/docs/add-secure-apps/flows-stages/stages/single_logout.md

website/docs/add-secure-apps/providers/saml/saml_single_logout.md

dewi-tik

Absolutely awesome docs. Great job and great features to add.

website/docs/add-secure-apps/flows-stages/stages/user_logout.md

PeshekDotDev · 2025-10-01T11:48:47Z

Absolutely awesome docs. Great job and great features to add.

Thank you Dewi :)

website/docs/add-secure-apps/flows-stages/stages/single_logout.md

website/docs/add-secure-apps/providers/single-logout/index.md

website/docs/add-secure-apps/flows-stages/stages/single_logout.md

website/docs/add-secure-apps/flows-stages/stages/user_logout.md

website/docs/add-secure-apps/providers/oauth2/fontchannel_and_backchannel_logout.mdx

tanberry

Thanks for this awesome documentation to go with your awesome feature, @PeshekDotDev !

I've finished reviewing, so after those and the other editors changes are in LGTM!

website/docs/add-secure-apps/providers/oauth2/fontchannel_and_backchannel_logout.mdx

dominic-r

Great doc, but just a few comments that would need resolution before merging

website/docs/add-secure-apps/flows-stages/stages/user_logout.md

dominic-r · 2025-10-08T01:30:26Z

website/docs/add-secure-apps/flows-stages/stages/user_logout.md

+3. For each logout method with active sessions, the appropriate logout stage is injected:
+    - **iframe logout stage** - Injected at index 1 (immediately after the logout stage) for front-channel iframe logout
+    - **Native logout stage** - Injected at index 2 (after iframe logout, if present) for front-channel native logout
+    - **Back-channel logout** - Executed server-side without injecting additional stages


also i'd probably do

thing: other thing

instead of using -s

not me literally looking for where the -s is...

this looks completed

website/docs/add-secure-apps/providers/oauth2/fontchannel_and_backchannel_logout.mdx

website/docs/add-secure-apps/providers/oauth2/frontchannel_and_backchannel_logout.mdx

website/docs/add-secure-apps/providers/saml/saml_single_logout.md

website/docs/add-secure-apps/providers/single-logout/index.md

dewi-tik · 2025-10-08T10:43:40Z

I like Dominic's suggestions. Added a few notes on a few of them. Once those are merged we can make one final pass and this should be good to go.

dominic-r · 2025-10-15T16:34:24Z

website/docs/add-secure-apps/providers/oauth2/frontchannel_and_backchannel_logout.mdx

+For more information about single logout across all providers, see the [Single Logout (SLO) Overview](../single-logout/index.md).
+
+:::warning
+Your OAuth application (Relying Party) must explicitly support OpenID Connect front-channel logout or back-channel logout to properly handle logout requests. Not all OAuth applications support these features, so compatibility should be verified.


Suggested change

Your OAuth application (Relying Party) must explicitly support OpenID Connect front-channel logout or back-channel logout to properly handle logout requests. Not all OAuth applications support these features, so compatibility should be verified.

Your Relying Party (OAuth application) must explicitly support OpenID Connect front-channel logout or back-channel logout to properly handle logout requests. Not all OAuth applications support these features, so compatibility should be verified.

might be best to introduce the technical element first and then say what it is. but that's my opinion

dominic-r · 2025-10-15T16:35:44Z

website/docs/add-secure-apps/providers/oauth2/frontchannel_and_backchannel_logout.mdx

+
+## Overview
+
+OAuth2/OIDC logout is a security feature defined in the OpenID Connect specification. It allows an OIDC Provider (OP), such as authentik, to notify Relying Parties (RPs) when a user session ends. This ensures that all associated applications can properly terminate the user's session.


We should spell it out and acronym it on first reference in () like:

Suggested change

OAuth2/OIDC logout is a security feature defined in the OpenID Connect specification. It allows an OIDC Provider (OP), such as authentik, to notify Relying Parties (RPs) when a user session ends. This ensures that all associated applications can properly terminate the user's session.

OAuth2/OpenID Connect (OIDC) logout is a security feature defined in the OpenID Connect specification. It allows an OIDC Provider (OP), such as authentik, to notify Relying Parties (RPs) when a user session ends. This ensures that all associated applications can properly terminate the user's session.

dominic-r · 2025-10-15T16:36:24Z

website/docs/add-secure-apps/providers/oauth2/frontchannel_and_backchannel_logout.mdx

+
+## Requirements
+
+Your OAuth application (Relying Party) must:


Suggested change

Your OAuth application (Relying Party) must:

Your Relying Party (OAuth application) must:

Same as above

dominic-r · 2025-10-15T16:37:09Z

website/docs/add-secure-apps/providers/oauth2/frontchannel_and_backchannel_logout.mdx

+
+### Front-channel logout
+
+With front-channel logout, authentik injects an iframe logout stage into the logout flow. This stage loads the RP's (relying party) front-channel logout URL in a hidden iframe within the user's browser. The logout URL includes session information as query parameters, such as:


Suggested change

With front-channel logout, authentik injects an iframe logout stage into the logout flow. This stage loads the RP's (relying party) front-channel logout URL in a hidden iframe within the user's browser. The logout URL includes session information as query parameters, such as:

With front-channel logout, authentik automatically injects an iframe logout stage into the logout flow. This stage loads the RP's (relying party) front-channel logout URL in a hidden iframe within the user's browser. The logout URL includes session information as query parameters, such as:

Just to make it extra clear I think

dominic-r

An easy LGTM on my side. Looks great!

PeshekDotDev requested a review from a team as a code owner October 1, 2025 08:15

dewi-tik reviewed Oct 1, 2025

View reviewed changes