Auth0 implements OpenID Connect's RP-Initiated Logout 1.0 for end-user logout. This standard is part of the OpenID Connect collection of final specifications.

How it works

RP-Initiated Logout is a scenario in which a relying party (your application, acting on behalf of the user) requests the OpenID provider (Auth0) to log the user out.
  1. The user initiates a logout request in your application.
  2. Your application directs the user to the Auth0 Authentication API OIDC Logout endpoint.
  3. Auth0 redirects the user to the appropriate destination based on the provided OIDC Logout endpoint parameters.

Configure RP-Initiated Logout

To configure RP-Initiated Logout, you must ensure that your application can find the end_session_endpoint parameter in your Auth0 tenant’s discovery metadata document, and that it calls the OIDC Logout endpoint with the necessary parameters.

Enable endpoint discovery

For Auth0 tenants created on or after 14 November 2023, RP-Initiated Logout End Session Endpoint Discovery is enabled by default.
You can enable RP-Initiated Logout End Session Endpoint Discovery in the Auth0 Dashboard or with the Auth0 Management API.
To enable RP-Initiated Logout End Session Endpoint Discovery in the Dashboard:
  1. Go to Dashboard > Settings > Advanced.
  2. Locate the Login and Logout section.
  3. Enable the RP-Initiated Logout End Session Endpoint Discovery toggle.

logout_hint parameter

The value of the logout_hint parameter must be the session ID (sid) of the user’s current Auth0 session. The session ID (sid) is provided as a registered claim within the ID token that Auth0 issued to the user after they authenticated.
You must use the session ID (sid) associated with the ID token issued by Auth0 at the time the current session began. Auth0 disregards requests with values that are random or do not reflect current session data.
Example
https://{yourDomain}/oidc/logout?client_id={yourClientId}&logout_hint={sessionId}

post_logout_redirect_uri parameter

The value of the post_logout_redirect_uri parameter must be a valid, encoded URL that has been registered in the list of Allowed Logout URLs in your:
  1. Application settings: If you provide the id_token_hint parameter, or the logout_hint and client_id parameters.
  2. Tenant settings: If you provide only the logout_hint parameter.
Example
https://{yourDomain}/oidc/logout?post_logout_redirect_uri=http%3A%2F%2Fwww.example.com
Update application Allowed Logout URLs
You can register a URL with your application’s list of Allowed Logout URLs in the Auth0 Dashboard or with the Auth0 Management API.
To register a URL with your application’s list of Allowed Logout URLs in the Dashboard:
  1. Go to Dashboard > Applications > Applications.
  2. Select your application.
  3. Locate the Application URIs section.
  4. Update Allowed Logout URLs following the provided guidelines.
Update tenant Allowed Logout URLs
You can register a URL with your tenant’s list of Allowed Logout URLs in the Auth0 Dashboard or with the Auth0 Management API.
To register a URL with your tenant’s list of Allowed Logout URLs in the Dashboard:
  1. Go to Dashboard > Settings > Advanced.
  2. Locate the Login and Logout section.
  3. Update Allowed Logout URLs following the provided guidelines.
Allowed Logout URLs guidelines
When you update Allowed Logout URLs, follow the guidelines below to avoid validation errors:
  • Separate multiple URL values with a comma (,).
  • Include the URL scheme part (for example, https://).
You may use an asterisk (*) as a wildcard for subdomains (such as https://*.example.com), but we recommend that you do not use wildcards in production environments. For more information, read Subdomain URL Placeholders.
Add query string parameters to post_logout_redirect_uri
The OIDC Logout endpoint parses query string parameters in the URL provided to the post_logout_redirect_uri parameter. You must include these query string parameters in your Allowed Logout URLs, or the logout request may be denied. For example, if you pass https://example.com/logout?myParam=1234 to the post_logout_redirect_uri parameter (encoded as https%3A%2F%2Fexample.com%2Flogout%3FmyParam%3D1234), you must include https://example.com/logout?myParam in your Allowed Logout URLs.

ui_locales parameter

The value of the ui_locales parameter must be a space-delimited list of supported locales. The first value provided in the list must match your tenant’s Default Language setting.

federated parameter

The federated parameter does not require a value. If you include the federated parameter when you call the OIDC Logout endpoint, Auth0 attempts to log the user out of their identity provider. The OIDC standard specifies that the logout flow should be interrupted to prompt the user for consent if the OpenID provider cannot verify that the request was made by the user. Auth0 enforces this behavior by displaying a logout consent prompt if it detects any of the following conditions:
  • Neither the id_token_hint nor the logout_hint parameter is provided.
  • The ID token’s sid claim does not correspond to the browser session in the request.
  • The value of the logout_hint parameter does not match current session data.
If the user confirms the logout request, Auth0 continues the logout flow. You may disable the logout consent prompt. If you do, Auth0 does not attempt to detect anomalous behavior and accepts logout requests automatically. To disable the logout consent prompt in the Dashboard:
  1. Go to Dashboard > Settings > Advanced.
  2. Disable the Show RP-Initiated Logout End-User Confirmation toggle.
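As an added example that is not part of Auth0's documentation or SDKs, the following Python assembles the OIDC Logout URL described in the parameter sections above: it reads the sid claim from a constructed ID token for logout_hint, percent-encodes post_logout_redirect_uri, passes ui_locales and the valueless federated flag, and refuses a redirect target the application never registered. The tenant domain, client ID, token and allow-list are assumed sample values, and the exact-match pre-check is a client-side safeguard, not Auth0's server-side Allowed Logout URLs matching.

```python
import base64
import json
from urllib.parse import quote

# Constructed sample: a JWT-shaped ID token whose payload carries a sid claim.
# Real Auth0 ID tokens are signed; this one exists only to exercise the parser offline.
def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

SAMPLE_ID_TOKEN = ".".join([
    _b64url(b'{"alg":"RS256","typ":"JWT"}'),
    _b64url(b'{"iss":"https://tenant.example/","sid":"sess-abc123","sub":"auth0|u1"}'),
    "signature-placeholder",
])

# Hypothetical RP-side copy of what the application registered as Allowed Logout URLs.
ALLOWED_LOGOUT_URLS = ["https://example.com/logout?myParam=1234", "https://example.com/"]


def sid_from_id_token(id_token: str) -> str:
    """Return the sid registered claim from an ID token already validated at login."""
    payload = id_token.split(".")[1]
    payload += "=" * (-len(payload) % 4)  # restore the base64url padding JWTs strip
    return json.loads(base64.urlsafe_b64decode(payload))["sid"]


def redirect_is_registered(uri: str) -> bool:
    """Exact-match pre-check against the RP's own allow-list (assumed stricter than
    Auth0's server-side matching, which also honours wildcards and the query rule)."""
    return uri in ALLOWED_LOGOUT_URLS


def build_logout_url(domain, client_id, id_token, post_logout_redirect_uri,
                     ui_locales=None, federated=False):
    """Compose https://{domain}/oidc/logout with logout_hint + client_id, so Auth0 can
    match the real session and skip the consent prompt."""
    if not redirect_is_registered(post_logout_redirect_uri):
        raise ValueError(f"not in Allowed Logout URLs: {post_logout_redirect_uri}")
    params = {
        "client_id": client_id,
        "logout_hint": sid_from_id_token(id_token),
        "post_logout_redirect_uri": post_logout_redirect_uri,
    }
    if ui_locales:
        params["ui_locales"] = " ".join(ui_locales)  # space-delimited, default language first
    # quote(safe="") percent-encodes ':' '/' '?' and ' ' the way the page's examples show
    query = "&".join(f"{k}={quote(v, safe='')}" for k, v in params.items())
    if federated:
        query += "&federated"  # flag parameter: present without a value
    return f"https://{domain}/oidc/logout?{query}"
```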
