All good things must come to an end. After your users have completed what they needed to do on your application, they may need to log out.
Since you have delegated your user authentication to another system, you must, in good conscience, tell your authentication system that the user decided to log out.
When a user logs out from your application, you must revoke the access_token and refresh_token you have received. Learn more in the Token Revocation guide.
Depending on your ecosystem security, you may decide that when a user logs out from one application, she must be logged out across the ecosystem.
Your application must redirect the user to the end_session_endpoint of your Realm. You can learn more in the Logout guide.
If a user decides to log out from an application other than yours, CYM-Identity will need to notify you that the user wants to log out.
This is done through the FrontChannel Logout Uri configured in your application.
CYM-Identity will open an iframe in the user's browser on the FrontChannel Logout Uri.
Parameter | Required | Description |
---|---|---|
sid | No | The sid which your application has received in the id_token during authentication. You can use this value as an identifier to clean the user session from your backend (in case you allow multiple users to log in within the same browser). |
iss | Yes | The issuer value of the Realm. |
Your application can use the sid to look up the tokens received and revoke them.
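A sketch of a handler for the FrontChannel Logout Uri, as an added example that is not CYM-Identity's own code: it checks the required iss against your Realm's issuer, uses sid to find the stored tokens, revokes them and drops the session. The issuer URL, the in-memory session store, the cookie_sid fallback and the revoke_token callable are assumptions made for illustration.

```python
from urllib.parse import parse_qs

# Assumption: placeholder issuer value of your Realm, not a real CYM-Identity URL.
EXPECTED_ISSUER = "https://identity.example.test/realms/demo"

# Constructed in-memory session store, keyed by the sid received in the id_token.
SESSIONS = {
    "sid-111": {"user": "alice", "access_token": "at-alice", "refresh_token": "rt-alice"},
    "sid-222": {"user": "bob", "access_token": "at-bob", "refresh_token": "rt-bob"},
}

# The iframe response should never be cached, or a later logout may not reach you.
NO_STORE = {"Cache-Control": "no-store"}


def handle_frontchannel_logout(query_string, cookie_sid, sessions, revoke_token):
    """Handle the GET that the logout iframe makes to the FrontChannel Logout Uri.

    cookie_sid: sid bound to this browser's session cookie (None if no session).
    revoke_token: hypothetical callable(token, token_type_hint) that performs
    the token revocation request.
    Returns (http_status, headers, list_of_removed_sids).
    """
    params = parse_qs(query_string, keep_blank_values=True)
    iss = params.get("iss", [])
    sid = params.get("sid", [])

    # iss is required: reject a missing, repeated or foreign issuer.
    if len(iss) != 1 or iss[0] != EXPECTED_ISSUER:
        return 400, NO_STORE, []
    if len(sid) > 1:
        return 400, NO_STORE, []

    # With sid, end exactly that session; without it, end this browser's session.
    target = sid[0] if sid else cookie_sid
    session = sessions.pop(target, None) if target else None
    if session is None:
        return 200, NO_STORE, []  # nothing to clean up; repeated calls are harmless

    revoke_token(session["refresh_token"], "refresh_token")
    revoke_token(session["access_token"], "access_token")
    return 200, NO_STORE, [target]
```

Because the page is loaded in an iframe from another origin, the session cookie may not accompany the request in browsers that block third-party cookies, which is when the sid parameter becomes the only way to find the session.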