Logout (end-session) endpoint

1. Purpose

The Connect2id server can have an optional logout endpoint to

  • Let a client application (relying party) notify the Identity Provider (IdP) that an end-user has logged out of the application, and additionally

  • Give the end-user a choice to log out of the IdP as well. To prevent unwanted logouts the end-user will be asked to confirm the action.

If a logout endpoint (page) is provided to client applications its URL is advertised in the OpenID provider metadata.

Client applications initiating the logout request are encouraged to include the user’s ID token as parameter (id_token_hint) so that the Connect2id server can identify the caller.

https://c2id.com/logout?id_token_hint=eyJraWQiOiJhb2N0IiwiYWxnIjoiUlMyNTYifQ...

Client applications can also request the end-user to be redirected to some URI (post_logout_redirect_uri) after the logout dialog, regardless of the end-user’s choice to log out from the IdP. An optional state parameter may be passed. The redirection will work only if the client has previously registered the possible post logout URIs and includes a valid ID token hint for the logged out end-user.

https://c2id.com/logout?id_token_hint=eyJraWQiOiJhb2N0IiwiYWxnIjoiUlMyNTYifQ...
    &post_logout_redirect_uri=https://client.example.com/logout
    &state=aSh9Ohqu

The logout (end-session) endpoint is specified in OpenID Connect Session Management 1.0.

2. Web API overview

Resources
Errors

3. Resources

3.1 [end-session-endpoint]

3.1.1 GET

Sends the end-user to log out of the OpenID provider.

Parameters:

  • [ id_token_hint ] Previously issued ID token to be used as hint about the end-user’s current authenticated session with the client. Use of this parameter is recommended.

  • [ post_logout_redirect_uri ] URL to which the browser should be redirected after the logout dialog (regardless of the end-user’s choice to log out of the OpenID provider). The URL must be registered in the post_logout_redirect_uris parameter for the requesting client. If an ID token hint is not included in the logout request the redirection parameter will be ignored.

  • [ state ] Optional state to append to the post logout redirection URL.

Success:

  • Code: 200

  • Content-Type: text/html

  • Body: A confirmation dialog whether the end-user agrees to log out of the OpenID provider.

Errors:

Example simple logout request:

GET /logout HTTP/1.1
Host: c2id.com

Example logout request with an ID token hint:

GET /logout?id_token_hint=eyJraWQiOiJhb2N0IiwiYWxnIjoiUlMyNTYifQ... HTTP/1.1
Host: c2id.com

4. Errors

404 Not Found

The requested resource doesn’t exist.

Example:

HTTP/1.1 404 Not Found

500 Internal Server Error

An internal server error has occurred. Check the Connect2id server logs for details.

Example:

HTTP/1.1 500 Internal Server Error