4.9 Logout Endpoint

The logout endpoint is used by the client application to end the user session at Identity Server. The client application asks Identity Server to log out the user session by redirecting the user, via the browser agent, to the Identity Server's logout endpoint. This way of initiating logout is called Relying Party (RP) Initiated Logout.

Endpoint URL: https://idpbaseurl.com/nidp/oauth/v1/nam/end_session

Request method: HTTP GET and POST

4.9.1 Request Parameters

To initiate logout at Identity Server, the client application sends a GET or a POST request to Identity Server's logout endpoint with the following request parameters:

Parameter | Required | Description
id_token_hint | No | A valid ID token that was issued by the Identity Server for the user.
post_logout_redirect_uri | No | The redirect URI to which the user is redirected after the logout by the Identity Server. This URI must match the value provided at the time of client registration. The id_token_hint parameter is required for the user to be redirected to this URI. If the logout request is sent without id_token_hint, the user is not redirected to the post_logout_redirect_uri.
state | No | An optional value. The same value is returned as a query parameter when the user is redirected to the post_logout_redirect_uri.

NOTE:

  • If the user session is already logged out or has expired at Identity Server when the logout request is received, the logout is considered to have succeeded.

  • When the logout request does not contain post_logout_redirect_uri, the user is redirected to the Identity Provider’s logout success page.

  • If the registered post_logout_redirect_uri is specified in the logout request, the user will be redirected to the post_logout_redirect_uri.

  • If the logout request contains the id_token_hint parameter and its value is a valid ID token that has expired, but the token's subject matches the current user session, the user session is still logged out at Identity Server.

4.9.2 Response Values

Identity Server renders one or more <iframe src="frontchannel_logout_uri"> elements in the logout success page, with the registered logout URI as the source, to trigger the logout actions of the client application(s). Upon receiving a request to render the logout URI in an iframe, the client application should clear the state associated with the logged-in user session, including any cookies.

Identity Server might include the following query parameters in the frontchannel_logout_uri for client applications that are registered with the Enable Session Token UI option. If the client is registered using the REST API, refer to Registration Endpoint.

Parameter | Required | Description
iss | No | Issuer Identifier of the Identity Server issuing the front-channel logout request.
sid | No | Unique string identifier for a user session. The client application can use this parameter to identify the unique user sessions established at Identity Server.

The client application must verify the iss and sid parameters against the iss and sid claims in the ID token issued for the current user session.
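As an added example (not part of the original documentation or the product's own code), the client-side logic in Python: building the RP-initiated logout URL described in 4.9.1, and handling the front-channel logout iframe request from 4.9.2 by checking iss and sid against the ID token stored at login before clearing the session. The issuer value, the frontchannel_logout_uri path, the session ids and the sample token are constructed placeholders.

```python
import base64
import json
from urllib.parse import parse_qs, urlencode, urlsplit

END_SESSION_URL = "https://idpbaseurl.com/nidp/oauth/v1/nam/end_session"

def build_logout_url(id_token=None, post_logout_redirect_uri=None, state=None):
    """Build the RP-initiated logout redirect. The IdP ignores
    post_logout_redirect_uri without id_token_hint, so do not build such a URL."""
    if post_logout_redirect_uri and not id_token:
        raise ValueError("post_logout_redirect_uri requires id_token_hint")
    params = {"id_token_hint": id_token,
              "post_logout_redirect_uri": post_logout_redirect_uri,
              "state": state}
    query = urlencode({k: v for k, v in params.items() if v})
    return END_SESSION_URL + ("?" + query if query else "")

def id_token_claims(id_token):
    """Payload claims of an ID token whose signature was verified at login."""
    payload = id_token.split(".")[1]
    payload += "=" * (-len(payload) % 4)  # restore base64url padding
    return json.loads(base64.urlsafe_b64decode(payload))

def handle_frontchannel_logout(request_url, cookie_session_id, sessions):
    """Handle the GET the IdP's iframe makes to frontchannel_logout_uri.
    sessions: client session id -> ID token stored at login. True if cleared."""
    query = parse_qs(urlsplit(request_url).query)
    iss = query.get("iss", [None])[0]
    sid = query.get("sid", [None])[0]
    token = sessions.get(cookie_session_id)
    if token is None:
        return False  # nothing to clear: already logged out locally
    if iss is not None or sid is not None:
        # both hints must match the stored ID token, otherwise ignore request
        claims = id_token_claims(token)
        if claims.get("iss") != iss or claims.get("sid") != sid:
            return False
    del sessions[cookie_session_id]  # clear session state and cookies here
    return True

def make_sample_id_token(claims):
    """Constructed demo token with a dummy signature, NOT a real ID token."""
    def enc(obj):
        raw = json.dumps(obj, separators=(",", ":")).encode()
        return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()
    return f"{enc({'alg': 'RS256'})}.{enc(claims)}.dummysig"
```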

Success Response

  • The client application redirects the user to the Identity Server logout endpoint via browser agent without post_logout_redirect_uri. After a successful logout, the user is redirected to the Identity Server's logout success page.

    Sample redirected logout URL without any request parameters:

    https://idpbaseurl.com/nidp/oauth/v1/nam/end_session

  • The client application redirects the user to the Identity Server logout endpoint via browser agent with post_logout_redirect_uri. After a successful logout, the user is redirected to the registered post_logout_redirect_uri.

    Sample redirected logout URL with request parameters:

    https://idpbaseurl.com/nidp/oauth/v1/nam/end_session?id_token_hint={id_token}&post_logout_redirect_uri={post_logout_redirect_uri}&state={state}

    Request: https://idpbaseurl.com/nidp/oauth/v1/nam/end_session?id_token_hint=eyJhbGciOiJBMTI4S1ciLCJlbmMiOiJBMTI4R0NNIiw…..&post_logout_redirect_uri=https://client.example.org/logoutRedirect&state=JaysvoMyK71YfVG5

    Response: HTTP 302 Found

    Location: The user is redirected to the https://client.example.org/logoutRedirect?state=JaysvoMyK71YfVG5 URI

Error Response

  • If the id_token_hint parameter contains an invalid or an encrypted ID token, an HTTP 401 error response is returned with the Invalid ID Token error message.

  • When the post_logout_redirect_uri parameter value does not match the value registered for the client application, an HTTP 401 error response is returned.