OAuth 2.0 RP-Initiated Logout

This article describes how to configure your application to end all active third-party service provider sessions when users end their EmpowerID session and EmpowerID is the identity provider for those third-party service providers.

You can download sample .NET framework code at https://dl1.empowerid.com/files/OAuthTestSampleCode.zip

RP-Initiated Logout

1. Initiate a request to the EmpowerID End Session endpoint, https://<EID Server>/oauth/v2/ui/logout

https://<EID Server>/oauth/v2/ui/logout
  ?post_logout_redirect_uri=xxxxxxxxxxxxxxxxxx
  &id_token_hint=eyJhbGciOiJSUzyVGE3cG.............ahi-cCrWZfcow
  &global_logout=true
  &state=xxxxxxxxxxxxxxxxxx

| Request Parameter | Required/Optional | Description |
|---|---|---|
| post_logout_redirect_uri | recommended | URL the user will be redirected to after logout is performed. This URL should be registered in the Callback URLs on the EmpowerID OAuth application. If not present in the request, after logout the user will be redirected to the IdP login page. |
| id_token_hint | optional | Previously issued ID Token which is used to identify the user's current authenticated session with the client. |
| global_logout | optional | Determines whether to terminate the user's IdP session and all the service providers the user is currently authenticated with. Permitted values: true (terminate both IdP and all active service provider sessions); false (terminate only IdP session). Defaults to true if not present in the request. |
| state | optional | A random string value sent by the client to maintain state. This value will be sent back to the RP in the callback endpoint specified by the post_logout_redirect_uri parameter. |

2. Based on the global_logout parameter, the user’s IdP and active service provider sessions will be terminated. After successful logout the user will be redirected to the IdP login page or the callback endpoint specified by the post_logout_redirect_uri parameter.
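The two steps above from the RP's side, as an added example that is not part of the EmpowerID sample code: it builds the End Session request with an unguessable state and checks the value echoed back to the callback. The host eid.example.com, the callback URL, the function names, and the assumption that state comes back as a query parameter named state are all illustrative.

```python
import hmac
import secrets
from urllib.parse import parse_qs, urlencode, urlsplit

# Hypothetical values: replace with your EmpowerID host and the Callback URLs
# registered on the EmpowerID OAuth application.
EID_SERVER = "eid.example.com"
REGISTERED_CALLBACKS = {"https://app.example.com/signed-out"}


def build_logout_request(id_token, post_logout_redirect_uri, global_logout=True):
    """Return (logout_url, state) for the End Session endpoint."""
    # Refuse to send a redirect target that is not one of our registered callbacks.
    if post_logout_redirect_uri not in REGISTERED_CALLBACKS:
        raise ValueError("post_logout_redirect_uri is not a registered Callback URL")
    state = secrets.token_urlsafe(32)  # unguessable, one per logout request
    params = {
        "post_logout_redirect_uri": post_logout_redirect_uri,
        "id_token_hint": id_token,
        "global_logout": "true" if global_logout else "false",
        "state": state,
    }
    # urlencode percent-encodes the redirect URI and the token for the query string.
    url = f"https://{EID_SERVER}/oauth/v2/ui/logout?{urlencode(params)}"
    return url, state


def callback_state_is_valid(callback_url, expected_state):
    """Check the state echoed to the post-logout callback against the stored one."""
    # Assumption: the state is returned as a query parameter named "state".
    returned = parse_qs(urlsplit(callback_url).query).get("state", [])
    if len(returned) != 1 or not expected_state:
        return False  # missing or duplicated state: treat the callback as untrusted
    return hmac.compare_digest(returned[0].encode(), expected_state.encode())


if __name__ == "__main__":
    # Constructed placeholder token, not a real ID Token.
    url, state = build_logout_request("header.payload.signature",
                                      "https://app.example.com/signed-out")
    print(url)
    print(callback_state_is_valid(
        f"https://app.example.com/signed-out?state={state}", state))
```

Store the returned state in the user's server-side session before redirecting, and discard it after the callback has been checked once.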

 
