
Implement logout using OIDC

When your client application has completed an OIDC authentication flow in which the end user logged in using a web browser, a user session has been established in that browser. If the browser used by your client application is a standard browser, other applications may rely on the same session, and you may be working in a single sign-on (SSO) environment.

Applications attached to the same browser session may include other client applications as well as 10Duke Enterprise tools such as SysAdmin and OrgAdmin. The end user may start a logout from any of the applications and expect to be logged out from all of them. Your application may need to start the logout, or log the user out when the logout has been started in another application.

Before you start

Make sure a logout callback URL has been defined for each of the client applications in SysAdmin.

Start the logout from your application

When the end user starts the logout from your client application, navigate the browser to the logout endpoint at https://<your environment base URL>/user/oauth20/signout.

An example request:

https://customer.10duke.net/user/oauth20/signout?client_id=79w1-6s41-4s7x-8e96-76u986gs1&RelayState=AnyStateFromClient
  • Use the base URL of your 10Duke Enterprise environment, and provide your client application's actual client_id value.

  • RelayState is optional and can be anything the client application wants to get back after logout. Because it comes back to you as a URL query parameter on the logout callback, treat it as untrusted input when you read it: don't use it as a redirect target or render it unescaped.

When the user has been logged out, 10Duke Enterprise directs the browser back to the logout callback URL of your application.

An example request:

https://client.example.com/LogoutCallback?success=true&RelayState=AnyStateFromClient
  • The success=true URL query parameter indicates that logout has been completed successfully.

  • If you provided RelayState in the request starting the logout, it’s echoed back to you here.

Handle this request as appropriate in your application. Typically this includes cleaning up the user session and displaying a “logout completed” page to the user.

(If 10Duke Enterprise sends this request to the logout callback URL without the success=true parameter, it means a logout was started from another application. See more below.)

Handle a logout started from another application

When the logout has been started from another application, 10Duke Enterprise sends the browser to the logout callback URL of your application.

An example request:

https://client.example.com/LogoutCallback?RelayState=StateFrom10DukeEnterprise
  • The request doesn’t have a success URL query parameter. This is how you know that a logout has been started from another application, and the end user expects to be logged out from all applications, including yours.

  • The request has a RelayState URL query parameter. It can contain any value; your application doesn't interpret it and only needs to pass it forward, URL-encoded, in the next step. Never use it as a redirect target: the only place the browser is sent is the 10Duke Enterprise logout endpoint.

Handle this request as appropriate in your application. Typically this includes cleaning up the user session and redirecting back to 10Duke Enterprise.

Redirect the browser back to the 10Duke Enterprise logout endpoint at https://<your environment base URL>/user/oauth20/signout.

An example request:

https://customer.10duke.net/user/oauth20/signout?RelayState=StateFrom10DukeEnterprise
  • Use the base URL of your 10Duke Enterprise environment.

  • Return RelayState exactly as you received it from 10Duke Enterprise: the same parameter value, URL-encoded when you build the redirect so that characters such as spaces and ampersands survive the round trip.

You have now handled your part of the logout process. When the whole logout process has been completed, the user is directed back to the application where the logout was started.
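The complete flow above, as an added example that is not 10Duke's own code. The base URL, client_id and callback URL are taken from the page's example requests; the `session` object, the returned action objects and the handling of a callback that carries neither `success` nor `RelayState` are this example's own assumptions. The handler returns the action the HTTP layer should take rather than writing a response, so the decision logic can be exercised without a web framework.

```javascript
// Added example (not 10Duke's own code). Assumed values below come from the
// page's example requests; everything else is this example's own choice.
const BASE_URL = "https://customer.10duke.net";           // your environment base URL
const CLIENT_ID = "79w1-6s41-4s7x-8e96-76u986gs1";        // your client_id
const SIGNOUT_PATH = "/user/oauth20/signout";

// Step 1: the user started the logout in our application. Send the browser
// to the 10Duke logout endpoint with client_id and an optional RelayState.
function buildStartLogoutUrl(relayState) {
  const url = new URL(SIGNOUT_PATH, BASE_URL);
  url.searchParams.set("client_id", CLIENT_ID);
  if (relayState !== undefined) {
    // Opaque to 10Duke; it is echoed back to our callback unchanged.
    url.searchParams.set("RelayState", relayState);
  }
  return url.toString();
}

// Step for a logout started elsewhere: send the browser back to 10Duke with
// RelayState echoed verbatim. The destination is always our configured
// BASE_URL; RelayState is only ever a query value, never a redirect target.
function buildContinueLogoutUrl(relayState) {
  const url = new URL(SIGNOUT_PATH, BASE_URL);
  // searchParams.set() URL-encodes the value, so spaces, '&' and '/'
  // survive the round trip exactly as 10Duke sent them.
  url.searchParams.set("RelayState", relayState);
  return url.toString();
}

// Drop everything the local session holds. Both callback variants do this,
// because in both the user expects to be logged out of our application.
function clearSession(session) {
  for (const key of Object.keys(session)) {
    delete session[key];
  }
}

// Handle GET <logout callback URL>. `requestUrl` is the full URL the browser
// requested; `session` is the server-side session object (assumed shape:
// a plain object of session attributes).
function handleLogoutCallback(requestUrl, session) {
  const url = new URL(requestUrl);
  const success = url.searchParams.get("success");
  const relayState = url.searchParams.get("RelayState");

  clearSession(session);

  if (success === "true") {
    // Case 1: we started the logout and 10Duke reports it completed.
    // Show the "logout completed" page; no further redirect.
    return { action: "render", page: "logout-completed", relayState };
  }
  if (relayState !== null) {
    // Case 2: no success=true, so the logout was started from another
    // application. Our session is gone; hand the browser back to 10Duke
    // with the RelayState we were given.
    return { action: "redirect", location: buildContinueLogoutUrl(relayState) };
  }
  // Neither parameter (assumption: not a request 10Duke would send). The
  // local session is already cleared; show the completed page, don't redirect.
  return { action: "render", page: "logout-completed", relayState: null };
}

// Constructed sample requests, mirroring the page's examples.
console.log(buildStartLogoutUrl("AnyStateFromClient"));
console.log(handleLogoutCallback(
  "https://client.example.com/LogoutCallback?success=true&RelayState=AnyStateFromClient",
  { user: "alice" }));
console.log(handleLogoutCallback(
  "https://client.example.com/LogoutCallback?RelayState=StateFrom10DukeEnterprise",
  { user: "alice" }));
```

Note that the callback is an unauthenticated GET, so the handler never trusts anything in it beyond the two parameters the page defines: the session is cleared unconditionally, `success` must be exactly `true` to count as completion, and RelayState is only copied into the query string of our own configured endpoint.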