Logout (end-session) endpoint

1. Purpose

A Connect2id server deployment can have an optional OpenID Connect logout endpoint to

  • Let a client application (OpenID relying party) notify the Identity Provider (IdP) that an end-user has logged out of the application, and additionally

  • Give the end-user a choice to log out of the IdP as well.

This endpoint, combined with the back-channel and front-channel logout notification protocols, lets an IdP and the participating applications implement single logout (also called single sign-out):

  • The end-user chooses to log out when at a participating application.

  • The application ends the user session and redirects the end-user to this endpoint.

  • At this endpoint the end-user will typically be presented with a confirmation dialog and asked if they also want to log out of the IdP.

  • If the end-user chooses to log out of the IdP, the Connect2id server will send back or front-channel logout notifications to all client applications registered for them, so they can perform their own session clean up for the user.

The logout (end-session) endpoint is specified in OpenID Connect RP-Initiated Logout 1.0.

The back-channel notifications are specified in OpenID Connect Back-Channel Logout 1.0, the front-channel in OpenID Connect Front-Channel Logout 1.0.

2. The logout endpoint URL

If a logout endpoint (page) is provided it is advertised in the end_session_endpoint server metadata and may look like this:

https://c2id.com/logout

3. Web API overview

Resources
Errors

4. Resources

4.1 [end-session-endpoint]

4.1.1 GET

Sends the end-user to log out of the OpenID provider.

Parameters:

  • [ id_token_hint ] Previously issued ID token, used as a hint about the end-user's current authenticated session with the client. Note that the ID token may already have expired (its exp claim may be in the past); it is still accepted as a hint.

    The ID token may be encrypted for confidentiality. The encryption can be either public-key, to an RSA or EC encryption JWK published at the server JWK set endpoint, or symmetric, if the client is provisioned with a client_secret. Symmetric encryption must use an AES key derived from the client_secret, with the dir JWE algorithm and one of the JWE encryption methods listed in the id_token_encryption_enc_values_supported server metadata.

    Use of this parameter is recommended.

  • [ logout_hint ] A hint about the end-user that is logging out, such as the user's email address, telephone number or username. Analogous to the login_hint OpenID authentication request parameter. Acceptance and interpretation of this parameter is at the IdP's discretion. Since v12.15.

  • [ client_id ] The client ID. Use of this parameter is recommended. Since v12.15.

  • [ post_logout_redirect_uri ] URL to which the browser should be redirected after the user interactions at the logout endpoint are completed (regardless of the end-user's choice to log out of the OpenID provider). The URL must be registered in the post_logout_redirect_uris parameter for the requesting client. If an ID token hint is not included in the logout request this parameter is ignored.

  • [ state ] Optional state to append to the post logout redirection URL.

  • [ ui_locales ] The end-user's preferred UI locales, as a space-delimited list in order of preference. Since v12.15.

Success:

  • Code: 200

  • Content-Type: text/html

  • Body: IdP specific.

Errors: see section 5.

Example logout request with an ID token hint:

GET /logout?id_token_hint=eyJraWQiOiJhb2N0IiwiYWxnIjoiUlMyNTYifQ... HTTP/1.1
Host: c2id.com
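The following is an added example, not code from the Connect2id server or its documentation, showing both halves of the RP-initiated logout exchange described above: the relying party building the logout request URL, and the IdP-side checks on it. It assumes a single client registered with a client_secret and using HS256-signed ID tokens (so the hint can be verified with only the standard library; real deployments typically use RS256 against the server JWK set), one registered post_logout_redirect_uris entry, and constructed sample claims. Names such as handle_logout_request and REGISTERED_POST_LOGOUT_URIS are hypothetical.

```python
"""RP-initiated logout: build the request (RP side) and validate it (IdP side).
Added example; assumptions are marked in the comments."""
import base64
import hashlib
import hmac
import json
from urllib.parse import parse_qs, urlencode, urlsplit, urlunsplit

# Constructed sample configuration (assumption): one confidential client
# with a client_secret and a single registered post-logout redirection URI.
ISSUER = "https://c2id.com"
CLIENT_ID = "123"
CLIENT_SECRET = b"0123456789abcdef0123456789abcdef"
REGISTERED_POST_LOGOUT_URIS = {"https://app.example.com/logged-out"}


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def sign_id_token_hs256(claims: dict, secret: bytes) -> str:
    """Mint an HS256 ID token (assumption: the client is registered for HS256
    signing with its client_secret, which OpenID Connect Core permits)."""
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = _b64url(json.dumps(claims).encode())
    sig = hmac.new(secret, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url(sig)}"


def build_logout_url(end_session_endpoint, id_token, post_logout_redirect_uri=None, state=None):
    """RP side: the URL the browser is redirected to after the app ended its own session."""
    params = {"id_token_hint": id_token, "client_id": CLIENT_ID}
    if post_logout_redirect_uri:
        params["post_logout_redirect_uri"] = post_logout_redirect_uri
    if state:
        params["state"] = state
    return f"{end_session_endpoint}?{urlencode(params)}"


def verify_id_token_hint(token, secret, issuer, client_id):
    """IdP side: check signature, iss and aud. exp is deliberately NOT checked,
    because an expired ID token is still a valid hint."""
    try:
        h, p, s = token.split(".")
    except ValueError:
        raise ValueError("malformed id_token_hint")
    if json.loads(_b64url_decode(h)).get("alg") != "HS256":
        raise ValueError("unexpected alg")
    expected = hmac.new(secret, f"{h}.{p}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(s)):
        raise ValueError("bad signature")
    claims = json.loads(_b64url_decode(p))
    if claims.get("iss") != issuer:
        raise ValueError("iss mismatch")
    aud = claims.get("aud")
    if client_id not in (aud if isinstance(aud, list) else [aud]):
        raise ValueError("aud mismatch")
    return claims


def handle_logout_request(url):
    """IdP side. Returns (subject from the hint or None, post-logout redirect URL or None)."""
    q = {k: v[0] for k, v in parse_qs(urlsplit(url).query).items()}
    if "client_id" in q and q["client_id"] != CLIENT_ID:
        raise ValueError("unknown client_id")
    subject = None
    if "id_token_hint" in q:
        subject = verify_id_token_hint(q["id_token_hint"], CLIENT_SECRET, ISSUER, CLIENT_ID)["sub"]
    redirect = None
    uri = q.get("post_logout_redirect_uri")
    # No ID token hint -> the redirect parameter is ignored; with a hint, the URI
    # must exactly match a registered post_logout_redirect_uris entry.
    if subject is not None and uri in REGISTERED_POST_LOGOUT_URIS:
        parts = urlsplit(uri)
        query = parts.query
        if "state" in q:  # state is appended to the post-logout redirection URL
            query = (query + "&" if query else "") + urlencode({"state": q["state"]})
        redirect = urlunsplit(parts._replace(query=query))
    return subject, redirect


def example_flow():
    """Constructed sample: an ID token that expired long ago is still a usable hint."""
    claims = {"iss": ISSUER, "sub": "alice", "aud": CLIENT_ID, "iat": 1700000000, "exp": 1700003600}
    token = sign_id_token_hs256(claims, CLIENT_SECRET)
    url = build_logout_url("https://c2id.com/logout", token, "https://app.example.com/logged-out", "xyz")
    return handle_logout_request(url)


if __name__ == "__main__":
    print(example_flow())
```

The two IdP-side decisions worth noting are that the expired hint is accepted (only signature, iss and aud are checked) and that the post-logout redirection URL is only honoured when it exactly matches a registered value for the client identified by the hint; an unregistered URL, or a redirect request without a hint, results in no redirect rather than an open redirector.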

5. Errors

404 Not Found

The requested resource doesn't exist.

Example:

HTTP/1.1 404 Not Found

500 Internal Server Error

An internal server error has occurred. Check the Connect2id server logs for details.

Example:

HTTP/1.1 500 Internal Server Error