Logout (POST)

POST /session/end_session

This API call is used to log out the user or end the user session. It supports both the GET and POST methods, following the OpenID Connect specifications.

How it works:

  1. The endpoint accepts either id_token_hint or access_token_hint to identify the session (either may be passed in the query parameters or in the request body)
  2. If a session cookie (cidaas_sso) is present, it can also be used to identify the session
  3. The session is invalidated and all associated login responses are marked as revoked
  4. If configured, backchannel logout notifications are sent to all applications sharing the session
  5. The user is redirected to post_logout_redirect_uri if it is provided and allowed, otherwise to the login page

Backchannel Logout: When a user logs out, cidaas automatically notifies all applications that share the same SSO session via backchannel logout. This is configured in your app settings:

  • backchannel_logout_uri: The endpoint in your application that will receive the logout notification
  • backchannel_logout_session_required: If set to true, the logout token will include the sid (session ID) claim

The backchannel logout is performed asynchronously via a POST request to your configured backchannel_logout_uri with a logout_token (JWT) containing:

  • sub: User subject identifier
  • aud: Your application's client ID
  • iss: Issuer (cidaas domain)
  • sid: Session ID (if backchannel_logout_session_required is enabled)
  • events: Contains http://schemas.openid.net/event/backchannel-logout
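Receiving a logout_token at backchannel_logout_uri only helps if the application validates it before tearing down the local session. The validator below is an added example (not cidaas code): it checks the signature, the iss and aud values, the events claim listed above, the absence of a nonce, the presence of sub or sid, and a fresh iat. For a self-contained run it assumes an HS256 shared secret and placeholder issuer and client_id values; a real receiver verifies the signature against the issuer's published signing keys instead.

```python
import base64, hashlib, hmac, json, time

# Constructed values for this example; a deployment takes them from its cidaas app settings.
ISSUER = "https://example.cidaas.invalid"    # placeholder: your cidaas domain (iss)
CLIENT_ID = "example-client-id"              # placeholder: your application's client ID (aud)
SECRET = b"constructed-demo-secret"          # placeholder HS256 key, constructed for the example
LOGOUT_EVENT = "http://schemas.openid.net/event/backchannel-logout"

def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def _unb64url(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def make_logout_token(claims: dict, key: bytes = SECRET) -> str:
    """Build an HS256 JWT; used here only to construct sample logout_tokens."""
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    body = _b64url(json.dumps(claims).encode())
    sig = hmac.new(key, f"{header}.{body}".encode(), hashlib.sha256).digest()
    return f"{header}.{body}.{_b64url(sig)}"

def validate_logout_token(token: str, key: bytes = SECRET, now=None):
    """Validate a backchannel logout_token; returns (accepted, reason, claims)."""
    try:
        header, body, sig = token.split(".")
        if json.loads(_unb64url(header)).get("alg") != "HS256":   # never trust alg from the token
            return False, "unexpected alg", {}
        expected = hmac.new(key, f"{header}.{body}".encode(), hashlib.sha256).digest()
        if not hmac.compare_digest(expected, _unb64url(sig)):
            return False, "bad signature", {}
        claims = json.loads(_unb64url(body))
    except (ValueError, TypeError):
        return False, "malformed token", {}
    aud = claims.get("aud")
    aud = aud if isinstance(aud, list) else [aud]
    if claims.get("iss") != ISSUER or CLIENT_ID not in aud:
        return False, "issuer/audience mismatch", claims
    events = claims.get("events")
    if not isinstance(events, dict) or LOGOUT_EVENT not in events:
        return False, "missing backchannel-logout event", claims
    if "nonce" in claims:   # a logout token must not carry a nonce, so an ID token cannot be replayed as one
        return False, "nonce present", claims
    if not (claims.get("sub") or claims.get("sid")):
        return False, "neither sub nor sid", claims
    iat = claims.get("iat")
    if not isinstance(iat, int) or abs((now or int(time.time())) - iat) > 300:
        return False, "iat missing or stale", claims
    return True, "ok", claims
```

Only after validate_logout_token returns accepted should the application revoke its local sessions matching the returned sub (or the sid when backchannel_logout_session_required is enabled).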

Request

Responses

Success. The user is redirected to post_logout_redirect_uri if it is provided and allowed, otherwise to the login page. Backchannel logout notifications are sent asynchronously to all configured applications.

Response Headers

  • Location: Redirect location