Before ending a user's session, make sure that you have the following information:
  1. OpenID Provider Metadata (autodiscovery URL): your admin can provide you with the URL, which lives at https://${realm.url}/oauth/${realm.name}/.well-known/openid-configuration
  2. An id_token for the logged-in user.
The end_session flow only works for OpenID Connect flows (which generate an id_token).
Before triggering a logout request, make sure to revoke all access_tokens your application has received.

End Session Request

To initiate a logout request, you must redirect the user's browser to the OpenID Provider's end_session_endpoint.
The parameters available are:
Parameter | Required | Description
id_token_hint | Yes | An id_token previously issued to your application, which allows the Authorization Server (Realm) to end the correct session.
post_logout_redirect_uri | Yes | One of the URLs registered by the client. It must be an exact match; if you use a post_logout_redirect_uri that has not been registered, an error is returned.
state | No | A string that your app creates, which the OpenID Provider returns in the response. Using a state parameter is highly recommended to protect your application against CSRF attacks.
Example request:
https://openid.provider/end_session?
id_token_hint=AN_ID_TOKEN&
post_logout_redirect_uri=https://your.awesome.app/&
state=STATE_OF_YOUR_APP

Single Logout

When a Realm receives a logout request, it triggers a Single Logout on all applications the user has logged into in the current community. The user is therefore logged out of all Realms within the same community.

Configuring Single Logout

If your application must participate in Single Logout and be informed when a user decides to log out from another application, it must provide the frontchannel_logout_uri during registration.
The Realm will trigger the following page load in an iframe:
https://your.awesome.app/slo?
sid=AN_SID_RECEIVED_PREVIOUSLY
Parameter | Required | Description
sid | Yes | A session id (sid) which was previously provided as a claim in the id_token, and which allows your application to end the correct session.
At this point, your application must revoke all access_tokens for this session and clear any cookies or session data.
Make sure to allow the Community domain in your Content-Security-Policy and X-Frame-Options headers for the Single Logout page; otherwise the browser will refuse to load it in the iframe.

End Session Response

The Authorization Server will log out the user and redirect the browser back to the specified post_logout_redirect_uri.
https://your.awesome.app/?
state=STATE_OF_YOUR_APP
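The three steps above (building the end_session request, handling the Single Logout iframe load, and validating the End Session Response) as an added example that is not part of this documentation. The in-memory SESSIONS and PENDING_LOGOUTS stores, the sid values and the token strings are constructed placeholders; a real application would keep this state server-side and call the provider's revocation endpoint instead of clearing a list.

```python
import secrets
from urllib.parse import parse_qs, urlencode

# Constructed in-memory stand-in for the app's session store, keyed by the
# sid claim of the id_token. A real app would persist this server-side.
SESSIONS = {
    "sid-abc123": {"id_token": "ID_TOKEN_ABC", "access_tokens": ["at-1", "at-2"]},
    "sid-def456": {"id_token": "ID_TOKEN_DEF", "access_tokens": ["at-3"]},
}
# Outstanding logout requests: state value -> sid it was issued for.
PENDING_LOGOUTS = {}


def end_local_session(sid):
    """Revoke the session's access_tokens and drop its server-side record."""
    session = SESSIONS.pop(sid, None)
    if session is None:
        return False                  # unknown or already-ended sid
    session["access_tokens"].clear()  # stand-in for calling the revocation endpoint
    return True


def build_end_session_url(end_session_endpoint, sid, post_logout_redirect_uri):
    """Build the end_session redirect: revoke tokens first, bind a fresh state to sid."""
    session = SESSIONS[sid]
    session["access_tokens"].clear()
    state = secrets.token_urlsafe(32)  # unguessable, so the response cannot be forged
    PENDING_LOGOUTS[state] = sid
    params = {
        "id_token_hint": session["id_token"],
        "post_logout_redirect_uri": post_logout_redirect_uri,
        "state": state,
    }
    return f"{end_session_endpoint}?{urlencode(params)}"


def handle_front_channel_logout(query_string):
    """Single Logout iframe load (.../slo?sid=...): end only the named session."""
    sid = parse_qs(query_string).get("sid", [None])[0]
    return end_local_session(sid)


def handle_post_logout_redirect(query_string):
    """End Session Response (/?state=...): accept only a state we issued."""
    state = parse_qs(query_string).get("state", [None])[0]
    sid = PENDING_LOGOUTS.pop(state, None)
    if sid is None:
        return False                  # forged, replayed or stale state
    end_local_session(sid)            # session may already be gone via Single Logout
    return True
```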