Handle OIDC back-channel notification

The URL registered in Authway for back-channel notification receives an HTTP POST when a user signs out. The body carries a logout token, a JWT, in the form-encoded logout_token parameter defined by the OpenID Connect Back-Channel Logout specification. The request comes from Authway, not from the user's browser, so no session cookie accompanies it. The application must validate the token before acting on it, checking at least the following:

  1. The token's signature verifies against one of the keys Authway publishes (the jwks_uri in its discovery metadata), using the signing algorithm you expect from Authway; reject anything else, including a token that declares alg none.
  2. The iss claim is exactly the issuer value from Authway's metadata.
  3. The aud claim contains the client id of the application receiving the notification.
  4. A sub claim that uniquely identifies the user is present.
  5. A sid claim is present if the application's settings in Authway include the session index; with it the application can end just that session instead of all of the user's sessions.
  6. No nonce claim is present. The specification forbids a nonce in a logout token (so that one cannot be mistaken for an ID token) and requires the receiver to reject a token that carries one.
  7. An events claim is present and is a JSON object containing the member http://schemas.openid.net/event/backchannel-logout (its value is an empty JSON object).

Using the sub claim (and the sid claim when present), the application then invalidates the user's session: the single session matching sid, or every session belonging to sub if no sid was sent. Because the POST arrives without the user's cookies, the session store must be searchable by sub or sid on the server side; how this is done differs by platform/application. The specification also requires an iat and a jti claim: reject tokens whose iat is older than a short window and remember the jti values seen within that window, so a captured token cannot be replayed later. Respond with HTTP 200 once the session is ended and HTTP 400 if the token fails validation.
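
The checks above, carried out in code, as an added example in Go; this is not Authway's code and not the .NET sample this page refers to. The Validator type, its field names, and the issuer URL, client id and kid used in the comments and tests are assumptions for the example. SignLogoutToken stands in for Authway only so that the block runs offline with a freshly generated RSA key; a real application never signs logout tokens and loads the verification keys from the jwks_uri in Authway's metadata instead. The example goes slightly beyond the list: it also accepts aud in array form, enforces the iat window and jti uniqueness the specification adds, and pins the algorithm to RS256 so the token's own alg header cannot select a weaker check.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"errors"
	"strings"
	"sync"
	"time"
)

// LogoutEvent is the member OpenID Connect Back-Channel Logout requires inside "events".
const LogoutEvent = "http://schemas.openid.net/event/backchannel-logout"
// Validator holds what the RP needs to check logout tokens from one OP (names are this example's own).
type Validator struct {
	Issuer     string                    // exact "issuer" value from Authway's discovery metadata
	ClientID   string                    // this application's client id, expected in "aud"
	RequireSID bool                      // true when the application is configured to include the session index
	Keys       map[string]*rsa.PublicKey // kid -> RS256 key loaded from the jwks_uri
	seen       sync.Map                  // jti values already accepted (in-memory replay protection)
}
type LogoutClaims struct{ Subject, SID, JTI string } // what the application acts on after validation

// SignLogoutToken stands in for the OP so the example runs offline; an RP never signs logout tokens.
func SignLogoutToken(priv *rsa.PrivateKey, kid string, claims map[string]any) string {
	enc := base64.RawURLEncoding.EncodeToString
	hdr, _ := json.Marshal(map[string]string{"alg": "RS256", "typ": "JWT", "kid": kid})
	body, _ := json.Marshal(claims) // errors ignored: test helper only
	input := enc(hdr) + "." + enc(body)
	digest := sha256.Sum256([]byte(input))
	sig, _ := rsa.SignPKCS1v15(rand.Reader, priv, crypto.SHA256, digest[:])
	return input + "." + enc(sig)
}

// Validate applies the numbered checks from the list above plus the spec's iat/jti checks; any error means HTTP 400.
func (v *Validator) Validate(token string) (*LogoutClaims, error) {
	parts := strings.Split(token, ".")
	if len(parts) != 3 {
		return nil, errors.New("malformed JWT")
	}
	// 1. Signature: pin the algorithm and pick the key by kid; the token's own "alg" never decides.
	var hdr struct{ Alg, Kid string }
	if h, err := base64.RawURLEncoding.DecodeString(parts[0]); err != nil || json.Unmarshal(h, &hdr) != nil || hdr.Alg != "RS256" {
		return nil, errors.New("bad header or unsupported alg")
	}
	key, known := v.Keys[hdr.Kid]
	sig, err := base64.RawURLEncoding.DecodeString(parts[2])
	digest := sha256.Sum256([]byte(parts[0] + "." + parts[1]))
	if !known || err != nil || rsa.VerifyPKCS1v15(key, crypto.SHA256, digest[:], sig) != nil {
		return nil, errors.New("unknown kid or invalid signature")
	}
	var raw, events map[string]json.RawMessage
	if payload, err := base64.RawURLEncoding.DecodeString(parts[1]); err != nil || json.Unmarshal(payload, &raw) != nil {
		return nil, errors.New("bad payload")
	}
	claim := func(name string, dst any) bool { return raw[name] != nil && json.Unmarshal(raw[name], dst) == nil }
	var iss, one, jti, sub, sid string
	var aud []string
	var iat int64
	// 2. Issuer must equal the metadata value exactly.
	if !claim("iss", &iss) || iss != v.Issuer {
		return nil, errors.New("wrong issuer")
	}
	// 3. Audience: "aud" may be a string or an array; our client id must be listed.
	if !claim("aud", &aud) && claim("aud", &one) {
		aud = []string{one}
	}
	found := false
	for _, a := range aud {
		found = found || a == v.ClientID
	}
	if !found {
		return nil, errors.New("audience does not include this client")
	}
	// Spec additions: iat must be recent (here: at most 10 min old, at most 1 min ahead) and jti present.
	if !claim("iat", &iat) || !claim("jti", &jti) || jti == "" ||
		time.Since(time.Unix(iat, 0)) > 10*time.Minute || time.Until(time.Unix(iat, 0)) > time.Minute {
		return nil, errors.New("missing iat/jti or iat outside the accepted window")
	}
	// 4/5. sub and/or sid identify which session(s) to terminate.
	if _, _ = claim("sub", &sub), claim("sid", &sid); (sub == "" && sid == "") || (v.RequireSID && sid == "") {
		return nil, errors.New("missing sub/sid")
	}
	// 6. No nonce: a logout token carrying one could be passed off as an ID token.
	if _, has := raw["nonce"]; has {
		return nil, errors.New("nonce must not be present")
	}
	// 7. events must be an object containing the back-channel logout member.
	if !claim("events", &events) || events[LogoutEvent] == nil {
		return nil, errors.New("not a backchannel-logout event")
	}
	// Replay: record jti last, so only fully valid tokens are remembered; a repeat is rejected.
	if _, dup := v.seen.LoadOrStore(jti, true); dup {
		return nil, errors.New("replayed logout token")
	}
	return &LogoutClaims{Subject: sub, SID: sid, JTI: jti}, nil
}
```

In an HTTP handler, read the logout_token form field, call Validate, end the matching session(s) on success and answer 200, or answer 400 on any error. The in-memory sync.Map of seen jti values is enough for a single instance; a cluster needs a shared store whose entries expire after the iat window.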

.NET Sample

A sample for .NET can be found here.