Logout Endpoint

The HID Authentication Service exposes an end-user logout endpoint, based on the OpenID Connect RP-Initiated Logout 1.0 specification for relying parties.

When the logout request is validated, and the end user's session to be logged out is identified and still active, the:

• Session is terminated

• Related refresh tokens are logged out

• All SSO sessions (typically the same session) are logged out

https://[base-server-url]/{tenant}/authn/logout [POST]

Logout Request

The endpoint supports both GET and POST for the logout request:

GET https://[base-server-url]/{tenant}/authn/logout?post_logout_redirect_uri=https://client.example.org/logout&id_token_hint=eyJraWQiOiItMTQ5NzQxMDcwMSIsIng1dCI6IjU5ai1pSVBzY2ZXUm5ITVFHSEdnb0pEQXIwUSIsImFsZyI6IlJTMjU2In0.eyJleHAiOjE3MTMyOTQ3NjAsIm5iZiI6MTcxMzI5MTE2MCwianRpIjoiODZmYjk3NGQtNzVlZC00Zjk1LThlY2UtYWRiNmY4MmVhZmRmIiwiaXNzIjoiaHR0cHM6Ly9sb2dpbi1kZW1vLmN1cml0eS5pby9vYXV0aC92Mi9vYXV0aC1hbm9ueW1vdXMiLCJhdWQiOiJkZW1vLXdlYi1jbGllbnQiLCJzdWIiOiJob25nIiwiYXV0aF90aW1lIjoxNzEzMjkxMTUwLCJpYXQiOjE3MTMyOTExNjAsInB1cnBvc2UiOiJpZCIsImF0X2hhc2giOiJLVU5mYmM0Vjc2UEFFb0Zucnpqa2tnIiwiYWNyIjoidXJuOnNlOmN1cml0eTphdXRoZW50aWNhdGlvbjp1c2VybmFtZTp1c2VybmFtZSIsImRlbGVnYXRpb25faWQiOiI2ZTU0ZjUzYS1lNjk5LTRhOWYtOTI2MS0zMjc4ZWNhYjg5NjAiLCJzX2hhc2giOiJNR0NaZkRGaVBtcFdyX2RoTHBSc0l3IiwiYXpwIjoiZGVtby13ZWItY2xpZW50IiwiYW1yIjoidXJuOnNlOmN1cml0eTphdXRoZW50aWNhdGlvbjp1c2VybmFtZTp1c2VybmFtZSIsIm5vbmNlIjoiNzMxMTM0NzgwMnM0Ny1meGQiLCJzaWQiOiJ2Nlg0RUsxdmJXelhtdmMyIn0.JuR7yL9-JFUC2VwvJa-UjsJIL_83LqVWXYgdt7qQT9m-dtWBSTKP06DCuL-QHfmU_rvCLJ8i3-ORGmSlXiAYD20LLenpUoFrUnLdsDR1OD9pLNdPG8PF24XABs-KN8XKJQt002iwrxvx5v0Xkl8iPsSuA9qYBDOjzw7rkCi-4Zdde5zu7C4_0ebg5ArUBdvQY_d-o0-a5n8WXQtOlk2GVZAt0aDeGaoc3Cjs2uaL2VbuLlQvHJK3FNg0rMxqtNdtNTgcnpCCBmMYB6dIoas0-k10C0lbncIhbjYZj59DbCWLVZJZ5HunG9zUwIv9srRpZzwoxbAOwEDcdMuSq-vhVVO5Yv23wv8Vb9FpIEjgR4MmfIZ96Ji1QBaHy9FNAvD_Nq3GdDjjzp4Z_wV_uPLec2oKwsio1ZJ8LGB07mvxifASgx7276ZgJcG6NQFtB5os598HZBOE_ClzuzwKD8repwJGSsrtL33teJUkPVlnZJyzZAzLeZzkNoztAN9ye24YQo_GXWBWwRAVjFG-DnzjjL8ChvOo5DbWaD3dnUL2Iz5I8XZhFj-oKr4-8X1XGJXTkiNQ4HnWJcJ0VG2hVIoWs45KL3oX5i8wbBS7wj5BzzlyucZ8t9ERMV-hzZ9ZoycU0-_ur_KPWET8BJp8MvDb1Uukz7cfKPxMNkj0vUR6lqc&state=toto

POST https://[base-server-url]/{tenant}/authn/logout HTTP/1.1 
post_logout_redirect_uri=https://client.example.org/logout&id_token_hint=eyJraWQiOiItMTQ5NzQxMDcwMSIsIng1dCI6IjU5ai1pSVBzY2ZXUm5ITVFHSEdnb0pEQXIwUSIsImFsZyI6IlJTMjU2In0.eyJleHAiOjE3MTMyOTQ3NjAsIm5iZiI6MTcxMzI5MTE2MCwianRpIjoiODZmYjk3NGQtNzVlZC00Zjk1LThlY2UtYWRiNmY4MmVhZmRmIiwiaXNzIjoiaHR0cHM6Ly9sb2dpbi1kZW1vLmN1cml0eS5pby9vYXV0aC92Mi9vYXV0aC1hbm9ueW1vdXMiLCJhdWQiOiJkZW1vLXdlYi1jbGllbnQiLCJzdWIiOiJob25nIiwiYXV0aF90aW1lIjoxNzEzMjkxMTUwLCJpYXQiOjE3MTMyOTExNjAsInB1cnBvc2UiOiJpZCIsImF0X2hhc2giOiJLVU5mYmM0Vjc2UEFFb0Zucnpqa2tnIiwiYWNyIjoidXJuOnNlOmN1cml0eTphdXRoZW50aWNhdGlvbjp1c2VybmFtZTp1c2VybmFtZSIsImRlbGVnYXRpb25faWQiOiI2ZTU0ZjUzYS1lNjk5LTRhOWYtOTI2MS0zMjc4ZWNhYjg5NjAiLCJzX2hhc2giOiJNR0NaZkRGaVBtcFdyX2RoTHBSc0l3IiwiYXpwIjoiZGVtby13ZWItY2xpZW50IiwiYW1yIjoidXJuOnNlOmN1cml0eTphdXRoZW50aWNhdGlvbjp1c2VybmFtZTp1c2VybmFtZSIsIm5vbmNlIjoiNzMxMTM0NzgwMnM0Ny1meGQiLCJzaWQiOiJ2Nlg0RUsxdmJXelhtdmMyIn0.JuR7yL9-JFUC2VwvJa-UjsJIL_83LqVWXYgdt7qQT9m-dtWBSTKP06DCuL-QHfmU_rvCLJ8i3-ORGmSlXiAYD20LLenpUoFrUnLdsDR1OD9pLNdPG8PF24XABs-KN8XKJQt002iwrxvx5v0Xkl8iPsSuA9qYBDOjzw7rkCi-4Zdde5zu7C4_0ebg5ArUBdvQY_d-o0-a5n8WXQtOlk2GVZAt0aDeGaoc3Cjs2uaL2VbuLlQvHJK3FNg0rMxqtNdtNTgcnpCCBmMYB6dIoas0-k10C0lbncIhbjYZj59DbCWLVZJZ5HunG9zUwIv9srRpZzwoxbAOwEDcdMuSq-vhVVO5Yv23wv8Vb9FpIEjgR4MmfIZ96Ji1QBaHy9FNAvD_Nq3GdDjjzp4Z_wV_uPLec2oKwsio1ZJ8LGB07mvxifASgx7276ZgJcG6NQFtB5os598HZBOE_ClzuzwKD8repwJGSsrtL33teJUkPVlnZJyzZAzLeZzkNoztAN9ye24YQo_GXWBWwRAVjFG-DnzjjL8ChvOo5DbWaD3dnUL2Iz5I8XZhFj-oKr4-8X1XGJXTkiNQ4HnWJcJ0VG2hVIoWs45KL3oX5i8wbBS7wj5BzzlyucZ8t9ERMV-hzZ9ZoycU0-_ur_KPWET8BJp8MvDb1Uukz7cfKPxMNkj0vUR6lqc&state=toto

Where:

• post_logout_redirect_uri - URI to which the end user is redirected once the logout is validated (optional)

  If present, it is checked against the values configured for the OpenID client post_logout_redirect_uris parameter:

  • If configured and no exact match is found, the logout request is rejected

  • If not configured, the values for redirect_uris are checked and, if no exact match is found, the logout request is rejected

• id_token_hint - the id_token obtained by the previous authentication (recommended)

  The id_token should have a "sid" claim allowing to identify the session to be logged out. This parameter should be validated by checking the issuer, audience, and signature. Even if the id_token is marked as expired, logout is always called for the identified session.

• logout_hint - can be the access_token or refresh token obtained by the previous authentication (not recommended)

  Note: It is not recommended using the access_token or refresh token to log out with this endpoint as it can be intercepted by an attacker.

• client_id - ID of the OpenID client from the bearer (optional)

  • If the id_token is encrypted, the client_id is required

  • If the client_id is present but it does not match that in the logout_hint or id_login_hint, an error is returned

  • If it is missing, it can be obtained from the session

  • If no session information is available, an error is returned

• state - an opaque value used to maintain the state between the logout request and the callback to the endpoint specified by the post_logout_redirect_uri parameter (optional)

  If it is included in the logout request, the HID Authentication Service passes this value to the IdP using the state parameter when redirecting the user back to the IdP.

• ui_locales - space-separated list of language tag values, ordered by preference, to define the end user's preferred languages and scripts for the user interface (optional)

  If present, it will be forwarded to the IdP via the post_logout_redirect_uri parameter.

For further details, see OpenID RP logout parameters.

Logout Response

The server responds with an HTTP 302 status when the user is redirected to the logout URI:

HTTP 302 Found
location: https://client.example.org/logout&id_token_hint=eyJraWQiOiItMTQ5NzQxMDcwMSIsIng1dCI6IjU5ai1pSVBzY2ZXUm5ITVFHSEdnb0pEQXIwUSIsImFsZyI6IlJTMjU2In0.eyJleHAiOjE3MTMyOTQ3NjAsIm5iZiI6MTcxMzI5MTE2MCwianRpIjoiODZmYjk3NGQtNzVlZC00Zjk1LThlY2UtYWRiNmY4MmVhZmRmIiwiaXNzIjoiaHR0cHM6Ly9sb2dpbi1kZW1vLmN1cml0eS5pby9vYXV0aC92Mi9vYXV0aC1hbm9ueW1vdXMiLCJhdWQiOiJkZW1vLXdlYi1jbGllbnQiLCJzdWIiOiJob25nIiwiYXV0aF90aW1lIjoxNzEzMjkxMTUwLCJpYXQiOjE3MTMyOTExNjAsInB1cnBvc2UiOiJpZCIsImF0X2hhc2giOiJLVU5mYmM0Vjc2UEFFb0Zucnpqa2tnIiwiYWNyIjoidXJuOnNlOmN1cml0eTphdXRoZW50aWNhdGlvbjp1c2VybmFtZTp1c2VybmFtZSIsImRlbGVnYXRpb25faWQiOiI2ZTU0ZjUzYS1lNjk5LTRhOWYtOTI2MS0zMjc4ZWNhYjg5NjAiLCJzX2hhc2giOiJNR0NaZkRGaVBtcFdyX2RoTHBSc0l3IiwiYXpwIjoiZGVtby13ZWItY2xpZW50IiwiYW1yIjoidXJuOnNlOmN1cml0eTphdXRoZW50aWNhdGlvbjp1c2VybmFtZTp1c2VybmFtZSIsIm5vbmNlIjoiNzMxMTM0NzgwMnM0Ny1meGQiLCJzaWQiOiJ2Nlg0RUsxdmJXelhtdmMyIn0.JuR7yL9-JFUC2VwvJa-UjsJIL_83LqVWXYgdt7qQT9m-dtWBSTKP06DCuL-QHfmU_rvCLJ8i3-ORGmSlXiAYD20LLenpUoFrUnLdsDR1OD9pLNdPG8PF24XABs-KN8XKJQt002iwrxvx5v0Xkl8iPsSuA9qYBDOjzw7rkCi-4Zdde5zu7C4_0ebg5ArUBdvQY_d-o0-a5n8WXQtOlk2GVZAt0aDeGaoc3Cjs2uaL2VbuLlQvHJK3FNg0rMxqtNdtNTgcnpCCBmMYB6dIoas0-k10C0lbncIhbjYZj59DbCWLVZJZ5HunG9zUwIv9srRpZzwoxbAOwEDcdMuSq-vhVVO5Yv23wv8Vb9FpIEjgR4MmfIZ96Ji1QBaHy9FNAvD_Nq3GdDjjzp4Z_wV_uPLec2oKwsio1ZJ8LGB07mvxifASgx7276ZgJcG6NQFtB5os598HZBOE_ClzuzwKD8repwJGSsrtL33teJUkPVlnZJyzZAzLeZzkNoztAN9ye24YQo_GXWBWwRAVjFG-DnzjjL8ChvOo5DbWaD3dnUL2Iz5I8XZhFj-oKr4-8X1XGJXTkiNQ4HnWJcJ0VG2hVIoWs45KL3oX5i8wbBS7wj5BzzlyucZ8t9ERMV-hzZ9ZoycU0-_ur_KPWET8BJp8MvDb1Uukz7cfKPxMNkj0vUR6lqc&state=toto

Error/Failure Responses

HTTP/1.1 200 OK
Date=Mon, 27 May 2024 11:35:52 GMT
Content-Type=text/html;charset=UTF-8
Content-Length=39
Connection=keep-alive
Cache-Control=no-cache,no-store,max-age=0,must-revalidate,private
X-XSS-Protection=1; mode=block
Pragma=no-cache
X-FRAME-OPTIONS=DENY
X-Content-Type-Options=nosniff
Strict-Transport-Security=max-age=16070400; includeSubDomains
Invalid_request : id_token_hint missing