Logout (End Session) Endpoint
Overview
The End Session Endpoint allows relying parties (RPs) to sign the user out of the Identity Provider (IdP) and, optionally, to perform Single Logout (SLO) across multiple clients.
The RP can redirect the user’s browser to this endpoint to terminate the IdP session. The IdP will then clear its authentication state and optionally redirect the user back to a specified post-logout URL.
Endpoint
The endpoint is advertised as the `end_session_endpoint` value in the metadata exposed by the discovery endpoint and typically is:
GET https://[BASE_URL]/connect/endsession
Parameters
Parameter | Required | Description |
---|---|---|
`id_token_hint` | Recommended | The ID Token previously issued by the IdP. Helps the IdP identify the RP and user session to sign out. |
`post_logout_redirect_uri` | Optional | URL to which the IdP should redirect the user after logout. Must be pre-registered with the IdP. |
`state` | Optional | Opaque value used by the RP to maintain state between the logout request and response. Returned to the RP in the redirect. |
Usage
- Obtain `id_token_hint`: when the RP authenticates the user via the Authorization Endpoint, it receives an ID Token. This token is typically passed as the `id_token_hint` when initiating logout.
- Redirect the user to the logout endpoint. Example redirect:
  https://idp.example.com/logout?id_token_hint=eyJhbGciOi...&
  post_logout_redirect_uri=https%3A%2F%2Frp.example.com%2Flogout%2Fcallback&
  state=abc123
- IdP terminates the session:
  - The IdP clears its authentication session.
  - If `post_logout_redirect_uri` is provided and valid, the IdP redirects the user’s browser to that URI.
  - The `state` parameter (if provided) is appended to the redirect.
- RP handles the post-logout redirect:
  - The RP should validate the `state` value if it was sent.
  - Example redirect URL received by the RP:
    https://rp.example.com/logout/callback?state=abc123
Security Considerations
- `post_logout_redirect_uri` must be registered with the IdP to prevent open redirect attacks.
- Passing `id_token_hint` helps ensure logout applies to the correct user and RP session.
- The RP should clean up its own local session in addition to triggering IdP logout.
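The Usage flow and the two checks above, written out as an added example (not code from this documentation or from any particular IdP): the RP builds the end-session redirect with a fresh `state`, the IdP follows `post_logout_redirect_uri` only when it exactly matches a pre-registered value for that client, and the RP accepts the callback only when `state` matches. The client registry `REGISTERED_POST_LOGOUT_URIS` and the `client_id` argument are assumptions standing in for the IdP's real client store; a real IdP derives the client from the `id_token_hint`.

```python
"""RP-initiated logout: URL construction plus the IdP-side and RP-side checks."""
import secrets
from urllib.parse import parse_qs, urlencode, urlparse

# Constructed stand-in for the IdP's client registry (placeholder values, not a real deployment).
# Redirect targets are compared by exact string match: no prefix or wildcard matching,
# so path tricks or an attacker-controlled host never pass as "registered".
REGISTERED_POST_LOGOUT_URIS = {
    "rp-client": {"https://rp.example.com/logout/callback"},
}


def new_state():
    """RP side: fresh, unguessable state bound to this logout attempt."""
    return secrets.token_urlsafe(16)


def build_end_session_url(end_session_endpoint, id_token_hint, post_logout_redirect_uri, state):
    """RP side: build the redirect that sends the browser to the IdP's end_session_endpoint."""
    params = {
        "id_token_hint": id_token_hint,
        "post_logout_redirect_uri": post_logout_redirect_uri,
        "state": state,
    }
    return f"{end_session_endpoint}?{urlencode(params)}"


def idp_resolve_redirect(request_url, client_id):
    """IdP side: decide where to send the browser after the IdP session is cleared.

    client_id is assumed to have been derived from id_token_hint (its audience).
    Returns the redirect URL, or None when the IdP should render its own
    logged-out page instead of following an unregistered target.
    """
    qs = parse_qs(urlparse(request_url).query)
    target = qs.get("post_logout_redirect_uri", [None])[0]
    if target is None or target not in REGISTERED_POST_LOGOUT_URIS.get(client_id, set()):
        return None
    state = qs.get("state", [None])[0]
    # state is echoed back unchanged so the RP can tie the callback to its request.
    return target if state is None else f"{target}?{urlencode({'state': state})}"


def rp_handle_callback(callback_url, expected_state):
    """RP side: accept the post-logout redirect only if state matches what was sent."""
    received = parse_qs(urlparse(callback_url).query).get("state", [None])[0]
    if received is None:
        return False
    return secrets.compare_digest(received.encode(), expected_state.encode())
```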
Related Endpoints
- Check Session iframe – To monitor session status before logout is needed.
- Authorization Endpoint – Provides the ID Token used as `id_token_hint`.