Connect2id server 6.8 adds logout endpoint support

Posted 2017-06-09

The long anticipated web API for binding a sign out page to the Connect2id server is now here. A user who has ended their session with an OpenID Connect client app can be sent to that endpoint to be given the choice to also log out of the OpenID provider.

The logout endpoint complies with the OpenID Connect session management spec:

  • If you choose to provide a logout page, its URL will be advertised in the end_session_endpoint OpenID provider metadata parameter.

  • To prevent unwanted logouts from the OpenID provider, the user is required to confirm the action. A simple dialogue is sufficient.

  • The id_token_hint parameter is supported so that the OpenID provider can link the end-session event to a particular client app. The ID token hint is also needed if the user has multiple accounts (identities) with the IdP. Use of the ID token hint is therefore recommended.

  • The post_logout_redirect_uri parameter can be used to redirect the browser back to the client app or some other destination after logout. An optional state parameter helps pass additional data to the destination URL. Note that in order to make use of post-logout redirection the client must have registered the possible URLs, and an ID token hint must also be supplied.

Check out the following docs if you want make use of the new logout endpoint:


To download a ZIP package of Connect2id server 6.8:

(SHA-256: 77b4413abc3319b764783735622dc876b1eb7ff8044ab2506e75ecc6e2f606ad)

As WAR package only:

(SHA-256: efb3de0da3221da122c6aae9129c04e0d0ae9b7862089306c5c50b3ab1dad4dd)


Get in touch with Connect2id support.

Release notes

6.8 (2017-06-09)


  • Adds support for implementing an OpenID provider end-session endpoint and logout page, as specified in section 5 of OpenID Connect Session Management 1.0, draft 28.


  • /WEB-INF/

    • op.logout.endpoint — New configuration setting for the OpenID Connect Logout (end-session) endpoint of the Connect2id server. Must be set to the URL of the OpenID provider logout page (hosted separately from the Connect2id server). The URL schema should be https. If not specified the endpoint will be disabled and not advertised in the OpenID provider metadata.

    • op.logout.apiAccessToken — New configuration setting for the access token for the logout session endpoint. The token is of type Bearer and must contain at least 32 random alphanumeric characters to make brute force guessing impractical.

    • op.logout.sessionLifetime — New configuration setting for the logout session lifetime, in minutes.


  • /logout-sessions/rest/v1

    • Adds new integration API for implementing an OpenID provider end-session endpoint and logout page. The API exposes a simple session-like flow to let the login page process Relying-Party-initiated requests, display a confirmation dialog whether the user also wants to log out of the OpenID provider, and optionally to perform a post logout redirect to a URI registered by the Relying Party.


  • None


  • Upgrades to com.nimbusds:oauth2-oidc-sdk:5.27

  • Upgrades to com.nimbusds:nimbus-jose-jwt:4.38

comments powered by Disqus