From 0c022fa2faa292bbb6e7f159e8821c31424bbdef Mon Sep 17 00:00:00 2001 From: Mart Aarma Date: Thu, 14 Apr 2022 11:13:24 +0300 Subject: [PATCH] docs: back-channel logout client TLS configuration --- docs/hydra/concepts/logout.mdx | 30 ++++++++++++++++++++++++++++++ 1 file changed, 30 insertions(+) diff --git a/docs/hydra/concepts/logout.mdx b/docs/hydra/concepts/logout.mdx index 471060f38..acee81e90 100644 --- a/docs/hydra/concepts/logout.mdx +++ b/docs/hydra/concepts/logout.mdx @@ -269,3 +269,33 @@ Because the OpenID Connect Back-Channel Logout Flow isn't executed using the user-agent (such as Browser) but from Ory Hydra directly, the session cookie of the end-user won't be available to the OAuth 2.0 Client and the session has to be invalidated by some other means (for example by blacklisting the session ID). + +#### Back-Channel Logout client TLS configuration + +Http clients used in Ory Hydra can be configured to use custom `client.default` +TLS configuration. If `client.default` configuration is not specified, then +default Go configuration is used instead. To override `client.default` +configuration for Back-Channel logout client, then `client.back_channel_logout` +can be used to override configuration. + +```yaml +client: + default: + min_version: tls12 + max_version: tls13 + cipher_suites: + - TLS13-CHACHA20-POLY1305-SHA256 + - TLS13-AES-256-GCM-SHA384 + - TLS13-AES-128-GCM-SHA256 + - ECDHE-ECDSA-CHACHA20-POLY1305-SHA256 + - ECDHE-ECDSA-CHACHA20-POLY1305 + - ECDHE-ECDSA-AES256-SHA384 + - ECDHE-ECDSA-AES128-SHA256 + - ECDHE-RSA-CHACHA20-POLY1305 + back_channel_logout: + min_version: tls13 + cipher_suites: + - TLS13-CHACHA20-POLY1305-SHA256 + - TLS13-AES-256-GCM-SHA384 + - TLS13-AES-128-GCM-SHA256 +```