Implement logout using OIDC
When your client application has completed an OIDC authentication flow where the end user has logged in using a web browser, a user session has been established in the web browser.
If the web browser used by your client application is a standard browser, there may be other applications relying on the same session, and you may be working in a single sign-on (SSO) environment. Applications attached to the same browser session may include other client applications and 10Duke Enterprise tools such as SysAdmin and OrgAdmin.
The end user may start a logout from any of these client applications, or from their profile page provided by the Login Application component, and expect to be logged out from all of them.
To support single logout, your client application needs to be able to start the logout, or log the user out when the logout has been started in another application. See instructions below.
Before you start
Make sure a logout callback URL has been defined for each of the client applications in SysAdmin.
Start the logout from your application
When the end user starts the logout from your client application, navigate the browser to the logout endpoint at https://<your environment base URL>/user/oauth20/signout
.
An example request (line breaks added for display purposes):
https://customer.10duke.net/user/oauth20/signout
?client_id=79w1-6s41-4s7x-8e96-76u986gs1
&RelayState=AnyStateFromClient
Use the base URL of your 10Duke Enterprise environment, and provide an actual value in client_id
. RelayState
is optional and can be anything that the client application wants to get back after logout.
When the user has been logged out, 10Duke Enterprise directs the browser back to the logout callback URL of your application.
An example request:
https://client.example.com/LogoutCallback
?success=true
&RelayState=AnyStateFromClient
The success=true
URL query parameter indicates that logout has been completed successfully. If you provided RelayState
in the request starting the logout, it’s echoed back to you here.
Handle this request as appropriate in your application. Typically this includes cleaning up the user session and displaying a “logout completed” page to the user.
(If 10Duke Enterprise sends this request to the logout callback URL without the success=true
parameter, it means a logout was started from another application. See more below.)
Handle a logout started from another application
When the logout has been started from another application, 10Duke Enterprise sends the browser to the logout callback URL of your application.
An example request (line breaks added for display purposes):
https://client.example.com/LogoutCallback
?RelayState=StateFrom10DukeEnterprise
The request doesn’t have a success
URL query parameter. This is how you know that a logout has been started from another application, and the end user expects to be logged out from all applications, including yours.
The request has a RelayState
URL query parameter. It can contain any value, and your application only needs to pass it forward in the next step.
Handle this request as appropriate in your application. Typically this includes cleaning up the user session and redirecting back to 10Duke Enterprise.
Redirect the browser back to the 10Duke Enterprise logout endpoint at https://<your environment base URL>/user/oauth20/signout
.
An example request:
https://customer.10duke.net/user/oauth20/signout
?RelayState=StateFrom10DukeEnterprise
Use the base URL of your 10Duke Enterprise environment. Return RelayState
exactly as you received it from 10Duke Enterprise, echoing back the same parameter value.
You have now handled your part of the logout process. When the whole logout process has been completed, the user is directed back to the application where the logout was started.