docs: back-channel logout client TLS configuration #760

Open
wants to merge 1 commit into
base: master
30 changes: 30 additions & 0 deletions docs/hydra/concepts/logout.mdx
Expand Up @@ -269,3 +269,33 @@ Because the OpenID Connect Back-Channel Logout Flow isn't executed using the
user-agent (such as Browser) but from Ory Hydra directly, the session cookie of
the end-user won't be available to the OAuth 2.0 Client and the session has to
be invalidated by some other means (for example by blacklisting the session ID).

#### Back-Channel Logout client TLS configuration

Http clients used in Ory Hydra can be configured to use custom `client.default`
TLS configuration. If `client.default` configuration is not specified, then
default Go configuration is used instead. To override `client.default`
configuration for Back-Channel logout client, then `client.back_channel_logout`
can be used to override configuration.

```yaml
client:
default:
min_version: tls12
max_version: tls13
cipher_suites:
- TLS13-CHACHA20-POLY1305-SHA256
- TLS13-AES-256-GCM-SHA384
- TLS13-AES-128-GCM-SHA256
- ECDHE-ECDSA-CHACHA20-POLY1305-SHA256
- ECDHE-ECDSA-CHACHA20-POLY1305
- ECDHE-ECDSA-AES256-SHA384
- ECDHE-ECDSA-AES128-SHA256
- ECDHE-RSA-CHACHA20-POLY1305
back_channel_logout:
min_version: tls13
cipher_suites:
- TLS13-CHACHA20-POLY1305-SHA256
- TLS13-AES-256-GCM-SHA384
- TLS13-AES-128-GCM-SHA256
```
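Review bot: The text does not say what happens to fields that `client.back_channel_logout` leaves out, and the example's `back_channel_logout:` block omits `max_version`, so a reader cannot tell whether it inherits `max_version: tls13` from `client.default` or falls back to the Go default. Please state the merge rule explicitly (per-field inheritance or whole-block replacement), since an operator who assumes the wrong one ends up with a different protocol range than intended. Related, in the same block: Go's `crypto/tls` does not let callers select TLS 1.3 cipher suites, so if `cipher_suites` is passed through to the Go config, a list containing only `TLS13-*` names combined with `min_version: tls13` has no effect on what is negotiated; the docs should say whether that list is enforced or only validated. In the `default` list, `ECDHE-ECDSA-CHACHA20-POLY1305-SHA256` and `ECDHE-ECDSA-CHACHA20-POLY1305` look like two names for the same suite, and `ECDHE-ECDSA-AES256-SHA384` and `ECDHE-ECDSA-AES128-SHA256` read as CBC suites by the usual naming convention, which is a weak choice for a recommended example; consider listing only AEAD suites. Wording: "Http clients" should be "HTTP clients", and the last sentence repeats itself ("To override ... then ... can be used to override configuration"); something like "Use `client.back_channel_logout` to override `client.default` for the Back-Channel Logout client" is enough.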