Register a frontchannel_logout_uri for your RP with the OP; when the OP initiates logout, it embeds your URI in an iframe on its logout page, and the user's browser makes a GET request to it.
At your frontchannel_logout_uri endpoint, clear the application session (server-side session store, cookies) using the iss and sid query parameters that the OP appends to identify the specific session to terminate.
Validate the iss parameter to ensure the request is from your expected OP; reject requests from unexpected issuers.
For single-page applications on a different origin than the OP, plan for modern browsers blocking the iframe from accessing your app's cookies and storage due to third-party cookie restrictions; implement a server-rendered endpoint or BFF pattern so session clearing happens server-side.
Test your front-channel logout in Safari and browsers with strict tracking prevention enabled; iframe-based logout is unreliable in these environments and may silently fail.
As a defense-in-depth measure, also implement short access token lifetimes and refresh token introspection so that even if a front-channel logout fails, access is revoked within a bounded window.
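A sketch of the endpoint logic from the steps above, added here as an illustration and not taken from any particular library or from the original page. The issuer URL, the session store layout and the function names are assumptions, and the handler assumes the RP registered frontchannel_logout_session_required so that the OP always sends iss and sid.

```python
from urllib.parse import parse_qs

EXPECTED_ISSUER = "https://op.example.com"  # assumption: placeholder OP issuer
NO_STORE = {"Cache-Control": "no-store"}    # keep the logout response out of caches

# Constructed sample store: app session id -> OP issuer, OP session id (sid), user
SESSIONS = {
    "app-sess-1": {"iss": "https://op.example.com", "sid": "sid-alice", "user": "alice"},
    "app-sess-2": {"iss": "https://op.example.com", "sid": "sid-bob", "user": "bob"},
    "app-sess-3": {"iss": "https://op.example.com", "sid": "sid-alice", "user": "alice"},
}


def single_param(params, name):
    """Return the value only if the parameter appears exactly once and is non-empty."""
    values = params.get(name, [])
    return values[0] if len(values) == 1 and values[0] else None


def handle_frontchannel_logout(query_string, sessions, expected_issuer=EXPECTED_ISSUER):
    """Process the GET to frontchannel_logout_uri; returns (status, headers, removed ids)."""
    params = parse_qs(query_string, keep_blank_values=True)
    iss = single_param(params, "iss")
    sid = single_param(params, "sid")
    # Without both values there is no way to pick one session, so refuse
    if iss is None or sid is None:
        return 400, NO_STORE, []
    # Exact string match against the one issuer this RP trusts
    if iss != expected_issuer:
        return 400, NO_STORE, []
    # Look up by (iss, sid) in the server-side store, not by cookie:
    # the iframe request may arrive without the app's cookies
    doomed = [k for k, s in sessions.items() if s["iss"] == iss and s["sid"] == sid]
    for key in doomed:
        del sessions[key]
    # An unknown sid is treated as already logged out (idempotent)
    return 200, NO_STORE, sorted(doomed)
```

Because the lookup is keyed on the sid stored at login, the handler terminates every application session tied to that OP session and leaves other users' sessions untouched, even when the browser withholds cookies from the iframe.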
Known gotchas
Third-party cookie blocking in modern browsers (Safari ITP, Chrome Privacy Sandbox) renders front-channel logout via iframes unreliable for cross-domain deployments; back-channel logout is the more robust alternative.
The OP embeds the frontchannel_logout_uri in an iframe it controls, not in your application; JavaScript running in your application's page cannot directly detect or participate in this iframe exchange.
If your RP participates in multiple SSO sessions with different users, ensure your logout endpoint uses the sid parameter to target only the correct session rather than logging out all active sessions on the server.