Logout (end-session) endpoint
1. Purpose
A Connect2id server deployment can have an optional OpenID Connect logout endpoint to
Let a client application (OpenID relying party) notify the Identity Provider (IdP) that an end-user has logged out of the application, and additionally
Give the end-user a choice to log out of the IdP as well.
This endpoint, combined with the simple back and front-channel logout notification protocols, lets an IdP and participating applications implement single logout (or single sign-out):
The end-user chooses to log out when at a participating application.
The application ends the user session and redirects the end-user to this endpoint.
At this endpoint the end-user will typically be presented with a confirmation dialog and asked if they also want to log out of the IdP.
If the end-user chooses to log out of the IdP, the Connect2id server will send back- or front-channel logout notifications to all client applications registered for them, so they can perform their own session clean-up for the user.
The logout (end-session) endpoint is specified in OpenID Connect RP-Initiated Logout 1.0.
The back-channel notifications are specified in OpenID Connect Back-Channel Logout 1.0, the front-channel in OpenID Connect Front-Channel Logout 1.0.
2. The logout endpoint URL
If a logout endpoint (page) is provided it is advertised in the end_session_endpoint server metadata and may look like this:
https://c2id.com/logout
3. Web API overview
Resources:
[end-session-endpoint]: GET
Errors:
404 Not Found
500 Internal Server Error
4. Resources
4.1 [end-session-endpoint]
4.1.1 GET
Sends the end-user to log out of the OpenID provider.
Parameters:
[ id_token_hint ] Previously issued ID token to be used as a hint about the end-user's current authenticated session with the client. Note, the ID token expiration (exp) can be in the past. The ID token may be encrypted for confidentiality. The ID token encryption can be either to a public encryption RSA or EC JWK published at the server JWKs endpoint, or symmetric if the client is provisioned with a client_secret. The symmetric encryption must use an AES key derived from the client_secret with the dir JWE algorithm and a supported JWE method listed in the id_token_encryption_enc_values_supported server metadata. Use of this parameter is recommended.
[ logout_hint ] A hint about the end-user that is logging out, such as the user's email address, telephone number or username. Analogous to the login_hint OpenID authentication request parameter. Acceptance and interpretation of this parameter is at the IdP's discretion. Since v12.15.
[ client_id ] The client ID. Use of this parameter is recommended. Since v12.15.
[ post_logout_redirect_uri ] URL to which the browser should be redirected after the user interactions at the logout endpoint are completed (regardless of the end-user's choice to log out of the OpenID provider). The URL must be registered in the post_logout_redirect_uris parameter for the requesting client. If an ID token hint is not included in the logout request this parameter is ignored.
[ state ] Optional state to append to the post logout redirection URL.
[ ui_locales ] The end-user's preferred UI locales as space delimited list, by order of preference, omitted if not specified. Since v12.15.
Success:
Code: 200
Content-Type: text/html
Body: IdP specific.
Errors:
Example logout request with an ID token hint:
GET /logout?id_token_hint=eyJraWQiOiJhb2N0IiwiYWxnIjoiUlMyNTYifQ... HTTP/1.1
Host: c2id.com
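As an added example (not part of the Connect2id documentation or server code), the following Python sketch shows both sides of the request above: the relying party assembling the logout GET URL with id_token_hint, client_id, post_logout_redirect_uri and state, and a minimal IdP-side handler applying the parameter rules from 4.1.1: the ID token hint is verified but its exp is allowed to be in the past, post_logout_redirect_uri is ignored when no ID token hint is present, an unregistered post_logout_redirect_uri is rejected, and state is appended to the post-logout redirect. The client registry, client secret, subject and redirect URI are constructed placeholders; the ID token is a plain HS256 JWS keyed with the client_secret so the check runs offline, not the encrypted form described above.

```python
import base64
import hashlib
import hmac
import json
from urllib.parse import parse_qs, urlencode, urlsplit

# Constructed client registry standing in for the server's client store
# (hypothetical values, not taken from any Connect2id deployment).
CLIENTS = {
    "app-1": {
        "client_secret": "constructed-client-secret-for-app-1-only",
        "post_logout_redirect_uris": ["https://app-1.example.com/logged-out"],
    },
}


def b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def make_id_token(client_id: str, subject: str, exp: int) -> str:
    """Mint an HS256 ID token keyed with the client_secret (test fixture only)."""
    header = {"alg": "HS256", "typ": "JWT"}
    claims = {"iss": "https://c2id.com", "sub": subject, "aud": client_id,
              "iat": exp - 600, "exp": exp}
    signing_input = (b64url_encode(json.dumps(header).encode()) + "."
                     + b64url_encode(json.dumps(claims).encode()))
    secret = CLIENTS[client_id]["client_secret"].encode()
    sig = hmac.new(secret, signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + b64url_encode(sig)


def verify_id_token_hint(token: str) -> dict:
    """Return the claims of a correctly signed ID token hint, else raise ValueError.

    The exp claim is deliberately not enforced: an expired ID token is still
    an acceptable hint at the logout endpoint.
    """
    try:
        h, p, s = token.split(".")
        header = json.loads(b64url_decode(h))
        claims = json.loads(b64url_decode(p))
    except ValueError:  # covers bad base64 and bad JSON
        raise ValueError("malformed id_token_hint")
    if header.get("alg") != "HS256":
        raise ValueError("unsupported alg for this example")
    aud = claims.get("aud")
    if isinstance(aud, list):
        aud = aud[0] if len(aud) == 1 else None
    client = CLIENTS.get(aud)
    if client is None:
        raise ValueError("unknown client in aud")
    expected = hmac.new(client["client_secret"].encode(),
                        f"{h}.{p}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, b64url_decode(s)):
        raise ValueError("bad id_token_hint signature")
    claims["aud"] = aud
    return claims


def build_logout_request(endpoint: str, **params) -> str:
    """RP side: assemble the GET URL, dropping parameters set to None."""
    query = {k: v for k, v in params.items() if v is not None}
    return endpoint + "?" + urlencode(query)


def process_logout_request(url: str) -> dict:
    """IdP side: validate the request and decide where to send the browser afterwards.

    Returns client_id, subject and redirect_to (None when no post-logout
    redirect will happen). The confirmation dialog itself is out of scope.
    """
    query = {k: v[0] for k, v in parse_qs(urlsplit(url).query).items()}
    result = {"client_id": query.get("client_id"), "subject": None, "redirect_to": None}
    hint = query.get("id_token_hint")
    if hint is None:
        # No ID token hint: post_logout_redirect_uri (and hence state) is ignored.
        return result
    claims = verify_id_token_hint(hint)
    result["client_id"] = claims["aud"]
    result["subject"] = claims["sub"]
    redirect_uri = query.get("post_logout_redirect_uri")
    if redirect_uri is None:
        return result
    # Exact-match against the URIs registered for the client that the hint names.
    if redirect_uri not in CLIENTS[claims["aud"]]["post_logout_redirect_uris"]:
        raise ValueError("post_logout_redirect_uri is not registered for the client")
    state = query.get("state")
    result["redirect_to"] = redirect_uri + ("?" + urlencode({"state": state}) if state else "")
    return result
```

The redirect check is an exact string match against the registered list, which is the conservative reading of "must be registered"; the handler raises on a mismatch, a choice made for this example, as the page does not state what the server does in that case.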
5. Errors
404 Not Found
The requested resource doesn't exist.
Example:
HTTP/1.1 404 Not Found
500 Internal Server Error
An internal server error has occurred. Check the Connect2id server logs for details.
Example:
HTTP/1.1 500 Internal Server Error