RP-Initiated Logout in Identify OIDC
Overview
The Identify OIDC server supports RP-Initiated Logout. This allows a Relying Party (RP) - typically an application - to initiate a logout request and redirect the user to the Identity Provider (IdP) to terminate the session. The logout endpoint supports both GET and POST HTTP methods:
https://<your-identity-server>/runtime/openidconnect/logout.idp
Supported request parameters:
Parameter | Required | Description |
---|---|---|
`client_id` | Optional | The application's client ID. |
`id_token_hint` | Optional | A previously issued ID Token for the current session, used to identify the user. |
`post_logout_redirect_uri` | Optional | The URL to redirect the user to after logout. Must be pre-registered with the client. |
`state` | Optional | A value to maintain state between the logout request and the callback. Returned in the response. |
Example:
GET /runtime/openidconnect/logout.idp?id_token_hint=eyJhbGci...&post_logout_redirect_uri=https://app.example.com/logout/callback&state=abc123
Handling of parameters in the logout request
The OpenID Connect RP-Initiated Logout 1.0 specification defines several parameters that can be included in a logout request to the OP (Safewhere Identify), but none are strictly required by the specification itself. However, for security reasons, Identify must be able to determine which application initiated the logout request and which login session to terminate. Therefore, Identify requires that the request includes at least one of the following parameters: `id_token_hint`, `client_id`, or `post_logout_redirect_uri`. If all of these parameters are missing, Identify returns an `invalid_request` error response with the following message:
For security reasons, an OIDC RP-initiated logout request must include at least one of the following parameters: id_token_hint, client_id or post_logout_redirect_uri. This ensures that Identify can determine which application initiated the logout request.
According to the specification, if the `id_token_hint` is not provided, Identify will, by default, prompt the user to confirm the logout. To bypass this confirmation page, you can enable the setting "Do not prompt the user when logging out without an ID token hint".
Note: This setting only affects the logout confirmation screen. It does not disable validation of the `id_token_hint` if it is included in the request. If `id_token_hint` is present, it is used to validate the `client_id` and `post_logout_redirect_uri` parameters; these must match it if provided.
Post-Logout Redirect
The logout request may include a `post_logout_redirect_uri` parameter, which is handled as follows:
- If the `id_token_hint` or `client_id` parameter exists (both can be present), they are used to identify the client application registered in Identify. The `post_logout_redirect_uri` parameter must match the configured OpenID Connect logout redirect URL setting for that client.
- If neither `id_token_hint` nor `client_id` is present, but `post_logout_redirect_uri` is provided, Identify attempts to match it to the configured OpenID Connect logout redirect URL of a registered client to identify the application.
In both cases, for a successful logout, the OpenID Connect logout redirect URL configured in the OIDC client settings is used to redirect the user back to the client application.
A typical successful logout flow is:
- The OIDC client application sends a logout request with valid parameters.
- Identify ends the user's session for the client application, identified using one of the following: `client_id`, `id_token_hint`, or `post_logout_redirect_uri`.
- The user is redirected to the OpenID Connect logout redirect URL registered in the OIDC client settings.
- If the `state` parameter was included in the original request, it is also included in the redirect.
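The parameter rules from "Handling of parameters in the logout request" and the redirect resolution from "Post-Logout Redirect" are easiest to see side by side in code. The following is an added example written for this page, not Safewhere Identify's own code: it models an OP that applies exactly the rules described above (at least one identifying parameter, a present `id_token_hint` pinning the client, `post_logout_redirect_uri` matched against the registered logout redirect URL, the configured URL used as the redirect target, `state` echoed back, and the confirmation prompt only when no hint is given). The client registry, the token store that stands in for "an ID token this server issued", the endpoint host, the non-spec error descriptions and every function name are constructed assumptions.

```python
"""Added example (not Safewhere Identify's code): a model of the OP-side rules this
page describes for an RP-initiated logout request, plus an RP-side URL builder.
The client registry, token store, host and names below are all constructed."""
from dataclasses import dataclass
from urllib.parse import urlencode, urlsplit, urlunsplit

# Constructed endpoint; the path matches the page, the host is a placeholder.
LOGOUT_ENDPOINT = "https://idp.example.com/runtime/openidconnect/logout.idp"


@dataclass(frozen=True)
class RegisteredClient:
    client_id: str
    logout_redirect_url: str  # the client's "OpenID Connect logout redirect URL" setting


# Constructed sample client registry.
CLIENTS = {
    "app-one": RegisteredClient("app-one", "https://app.example.com/logout/callback"),
    "app-two": RegisteredClient("app-two", "https://other.example.org/signed-out"),
}

# Constructed stand-in for the OP recognising ID tokens it issued: maps an
# id_token_hint value to the client (aud) it was issued for. A real OP verifies
# the token's signature and issuer before trusting it; that step is assumed here.
ISSUED_ID_TOKENS = {"eyJhbGci.app-one.sig": "app-one"}

# Error text quoted from the page; the other descriptions below are assumptions.
MISSING_PARAMS_MESSAGE = (
    "For security reasons, an OIDC RP-initiated logout request must include at least one "
    "of the following parameters: id_token_hint, client_id or post_logout_redirect_uri. "
    "This ensures that Identify can determine which application initiated the logout request."
)


def _error(description):
    return {"error": "invalid_request", "error_description": description}


def build_logout_url(id_token_hint=None, client_id=None, post_logout_redirect_uri=None, state=None):
    """RP side: compose the GET logout URL, omitting parameters that were not supplied."""
    supplied = {"id_token_hint": id_token_hint, "client_id": client_id,
                "post_logout_redirect_uri": post_logout_redirect_uri, "state": state}
    params = {k: v for k, v in supplied.items() if v}
    return LOGOUT_ENDPOINT + ("?" + urlencode(params) if params else "")


def handle_logout_request(params, skip_prompt_without_hint=False):
    """OP side. Returns an error dict, or a dict with the resolved client_id, the
    redirect target and whether a confirmation page is shown first."""
    hint = params.get("id_token_hint")
    client_id = params.get("client_id")
    redirect_uri = params.get("post_logout_redirect_uri")
    state = params.get("state")

    # Rule 1: at least one parameter that identifies the application is required.
    if not (hint or client_id or redirect_uri):
        return _error(MISSING_PARAMS_MESSAGE)

    client = None
    if hint:
        # Rule 2: a present id_token_hint is always validated and fixes the client;
        # a client_id given alongside it must agree.
        hinted_client_id = ISSUED_ID_TOKENS.get(hint)
        if hinted_client_id is None:
            return _error("id_token_hint is not an ID token issued by this server")
        if client_id and client_id != hinted_client_id:
            return _error("client_id does not match the id_token_hint")
        client = CLIENTS[hinted_client_id]
    elif client_id:
        client = CLIENTS.get(client_id)
        if client is None:
            return _error("unknown client_id")

    if client is not None:
        # Rule 3: a supplied post_logout_redirect_uri must equal the registered one.
        if redirect_uri and redirect_uri != client.logout_redirect_url:
            return _error("post_logout_redirect_uri is not registered for this client")
    else:
        # Rule 4: only post_logout_redirect_uri was given; it must match a registered client.
        matches = [c for c in CLIENTS.values() if c.logout_redirect_url == redirect_uri]
        if not matches:
            return _error("post_logout_redirect_uri does not match any registered client")
        client = matches[0]

    # The configured logout redirect URL, never the raw parameter, is the target;
    # state is echoed back when it was supplied.
    target = client.logout_redirect_url
    if state:
        parts = urlsplit(target)
        query = parts.query + ("&" if parts.query else "") + urlencode({"state": state})
        target = urlunsplit(parts._replace(query=query))

    return {
        "client_id": client.client_id,
        "redirect_to": target,
        "prompt_confirmation": not hint and not skip_prompt_without_hint,
    }
```

The point worth noticing is that the redirect target always comes from the client's registered setting: the `post_logout_redirect_uri` parameter only ever narrows or validates which client is meant, so a caller cannot steer the post-logout redirect anywhere that was not pre-registered.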