Logout
1. Purpose
The Connect2id server can have an optional logout endpoint to:
- Let a client application (relying party) notify the Identity Provider (IdP) that an end-user has logged out of the application, and additionally
- Give the end-user a choice to log out of the IdP as well. To prevent unwanted logouts the end-user will be asked to confirm the action.
If the requesting client has registered a post logout redirection URI, the Connect2id server will redirect the browser to it after the logout confirmation dialog.
If a logout endpoint (page) is provided to client applications, its URL is advertised in the OpenID provider metadata.
Client applications initiating the logout request are encouraged to include the user’s ID token as a parameter (id_token_hint) so that the Connect2id server can identify the caller.
https://c2id.com/logout?id_token_hint=eyJraWQiOiJhb2N0IiwiYWxnIjoiUlMyNTYifQ...
Client applications can also request the end-user to be redirected to some URI (post_logout_redirect_uri) after the logout dialog, regardless of the end-user’s choice to log out from the IdP. An optional state parameter may be passed. The redirection will work only if the client has previously registered the possible post logout URIs and includes a valid ID token hint for the logged out end-user.
https://c2id.com/logout?id_token_hint=eyJraWQiOiJhb2N0IiwiYWxnIjoiUlMyNTYifQ...
&post_logout_redirect_uri=https://client.example.com/logout
&state=aSh9Ohqu
The logout (end-session) endpoint is specified in OpenID Connect Session Management 1.0.
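An added example (not Connect2id code) of how a client application might build the logout request described above and check the state value when the browser returns to the post logout URI. The function names are hypothetical, the endpoint and redirect URI are the sample values used on this page, and treating state as an unguessable per-request value that the client verifies is an assumption about client-side use.

```python
import hmac
import secrets
from urllib.parse import parse_qs, urlencode, urlsplit

# Assumed values: the endpoint is read from the OpenID provider metadata and
# the redirect URI is one the client registered in post_logout_redirect_uris.
END_SESSION_ENDPOINT = "https://c2id.com/logout"
POST_LOGOUT_REDIRECT_URI = "https://client.example.com/logout"


def build_logout_request(id_token=None, redirect_uri=None):
    """Return (url, state) for the browser redirect to the logout endpoint."""
    params = {}
    state = None
    if id_token:
        params["id_token_hint"] = id_token
        if redirect_uri:
            # Unguessable per-request value; the client keeps it in the
            # end-user's session to compare on return.
            state = secrets.token_urlsafe(16)
            params["post_logout_redirect_uri"] = redirect_uri
            params["state"] = state
    # Without an ID token hint the server ignores the redirect parameter,
    # so it is not sent at all. urlencode percent-encodes the URI value.
    query = urlencode(params)
    return (END_SESSION_ENDPOINT + "?" + query if query else END_SESSION_ENDPOINT), state


def is_expected_post_logout_callback(callback_url, expected_state):
    """True only if the callback carries exactly one state equal to ours."""
    if not expected_state:
        return False
    values = parse_qs(urlsplit(callback_url).query).get("state", [])
    if len(values) != 1:
        return False
    return hmac.compare_digest(values[0].encode(), expected_state.encode())


if __name__ == "__main__":
    # Constructed placeholder token, not a real ID token
    url, state = build_logout_request("eyJraWQiOiJhb2N0In0.e30.c2ln",
                                      POST_LOGOUT_REDIRECT_URI)
    print(url)
    print(is_expected_post_logout_callback(
        POST_LOGOUT_REDIRECT_URI + "?state=" + state, state))
```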
2. Web API overview
- Resources
- Errors
3. Resources
3.1 [end-session-endpoint]
3.1.1 GET
Sends the end-user to log out of the OpenID provider.
Parameters:
- [ id_token_hint ] Previously issued ID token to be used as hint about the end-user’s current authenticated session with the client. Use of this parameter is recommended.
- [ post_logout_redirect_uri ] URL to which the browser should be redirected after the logout dialog (regardless of the end-user’s choice to log out of the OpenID provider). The URL must be registered in the post_logout_redirect_uris parameter for the requesting client. If an ID token hint is not included in the logout request the redirection parameter will be ignored.
- [ state ] Optional state to append to the post logout redirection URL.
Success:
- Code: 200
- Content-Type: text/html
- Body: A confirmation dialog asking whether the end-user agrees to log out of the OpenID provider.
Errors:
Example simple logout request:
GET /logout HTTP/1.1
Host: c2id.com
Example logout request with an ID token hint:
GET /logout?id_token_hint=eyJraWQiOiJhb2N0IiwiYWxnIjoiUlMyNTYifQ... HTTP/1.1
Host: c2id.com
4. Errors
404 Not Found
The requested resource doesn’t exist.
Example:
HTTP/1.1 404 Not Found
500 Internal Server Error
An internal server error has occurred. Check the Connect2id server logs for details.
Example:
HTTP/1.1 500 Internal Server Error