Sign-out

There are several ways to implement sign-out, because different kinds of applications and services have different detailed requirements.

One way to sign out the user from your OAuth or OpenID client is to just delete all known access tokens and ID tokens for the user. This ends only the session in your client; the user's session on the ID server is not affected.

Relying Party Initiated Logout

If you want to log the user out of the ID server, you can use the RP-initiated logout function. This is implemented according to the OpenID Connect Session Management 1.0 specification. You redirect the user to the logout endpoint (by default, https://{idserver}/openid/logout) with the required and optional query parameters. The user is given the opportunity to log out of the ID server and possibly other services as well. Depending on server configuration, client registration and current circumstances, the user may or may not need to interact with the logout user interface. Finally the user is redirected to the original calling site.

Single Sign Out / Single Logout / SLO

Sign-out on the server side has two options. As you can see, we also use the terms sign-out and logout interchangeably, as synonyms for the same function.

Front-Channel logout

OpenID Connect Front-Channel Logout 1.0

In your OpenID Connect client registration you can specify a Front-Channel Logout URI. When a user logs out through the RP-initiated logout endpoint, Front-Channel Logout is also performed for all clients they have used.

Back-Channel Logout

OpenID Connect Back-Channel Logout 1.0

In your OpenID Connect client registration you can specify a Back-Channel Logout URI. When a user logs out through the RP-initiated logout endpoint, Back-Channel Logout is also performed for all clients they have used.
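
A client that registers a Back-Channel Logout URI has to validate the logout token it receives there before ending any session. The following is an added example, not code from this product: it checks the claims of a logout token as defined in OpenID Connect Back-Channel Logout 1.0, assuming the JWT signature has already been verified with a JWT library. The function name, the `max_age` window, the 60-second clock-skew allowance and the sample values are assumptions.

```python
import time

# Event type that marks a JWT as a logout token (Back-Channel Logout 1.0).
LOGOUT_EVENT = "http://schemas.openid.net/event/backchannel-logout"

# Constructed sample claims, not taken from a real server.
SAMPLE = {"iss": "https://idserver.example", "aud": "my-client",
          "iat": 1700000000, "jti": "c0ffee-1", "sid": "session-42",
          "events": {LOGOUT_EVENT: {}}}


class LogoutTokenError(ValueError):
    """Raised when a logout token's claims must be rejected."""


def check_logout_claims(claims, issuer, client_id, seen_jti, now=None, max_age=300):
    """Validate the claims of a signature-verified logout token.

    Returns (sub, sid) naming the session(s) the client should end.
    seen_jti is a set-like replay cache; max_age is an assumed policy (seconds).
    """
    now = time.time() if now is None else now
    if claims.get("iss") != issuer:
        raise LogoutTokenError("unexpected issuer")
    aud = claims.get("aud")
    if client_id not in (aud if isinstance(aud, list) else [aud]):
        raise LogoutTokenError("token not addressed to this client")
    iat = claims.get("iat")
    if not isinstance(iat, (int, float)) or isinstance(iat, bool):
        raise LogoutTokenError("iat missing or not a number")
    if not (now - max_age <= iat <= now + 60):
        raise LogoutTokenError("iat outside the accepted window")
    events = claims.get("events")
    if not isinstance(events, dict) or not isinstance(events.get(LOGOUT_EVENT), dict):
        raise LogoutTokenError("not a back-channel logout event")
    if "nonce" in claims:
        # The spec prohibits nonce so a logout token can never pass as an ID token.
        raise LogoutTokenError("nonce present")
    sub, sid = claims.get("sub"), claims.get("sid")
    if not sub and not sid:
        raise LogoutTokenError("neither sub nor sid present")
    jti = claims.get("jti")
    if not isinstance(jti, str) or not jti or jti in seen_jti:
        raise LogoutTokenError("jti missing or already used")
    seen_jti.add(jti)  # remember the token id so a replayed token is rejected
    return sub, sid
```

On success, end the client sessions matching the returned `sid`, or all sessions of `sub` when no `sid` is present.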