All good things must come to an end. After your users have completed what they needed to do on your application, they may require to logout.
Since you have delegated your user authentication to another system, you must, in good conscience, tell your authentication system that the user decided to logout.

Revoking tokens

When a user logout from you application, you must revoke the access_token and refresh_token you have received. Learn more on the Token Revocation guide

Single Logout

Depending on your ecosystem security, you may decide that when a user logs out from one application, she must be logged out across the ecosystem.

Single Logout trigger

Your application must redirect the user to the end_session_endpoint of your Realm. You can learn more on the Logout guide

Responding to Single Logout requests

If a user decides to logout from another application than yours, CYM-Identity will need to notify you that the user wants to logout.
This is done through the FrontChannel Logout Uri configured in your application
CYM-Identity will open an iframe in the user browser on the FrontChannel Logout Uri.
https://my.awesome.app/end_session?
sid=SESSION_ID&
iss=https%3A%2F%2Fopenid.provider%2F
ParameterRequiredDescription
sidNoThe sid which your application has received in the id_token during authentication. You can use this value as an identifier to clean the user session from your backend (in case you allow multiple users to login within the same browser)
issYesThe issuer value of the Realm.
Your application can use the sid to lookup the tokens received and revoke them.