Differences Between OIDC vs V2 Logout

Overview

Auth0 provides both /v2/logout and /oidc/logout endpoints. This article explains some differences between them and which should be used depending on the use case.

Applies To

  • Logout Endpoints
  • OpenID Connect (OIDC) Logout
  • Alternative Logout

Solution

As of February 2023, a new standard logout endpoint was introduced, OIDC RP-Initiated Logout, available at https://{yourDomain}/oidc/logout. This endpoint adds security checks that the existing custom logout endpoint at https://{yourDomain}/v2/logout does not perform.

The fundamental differences and advantages of using the OIDC logout are outlined below:

  1. Request Parameters and Validation:

    • Client ID: The OIDC logout optionally uses the client_id to validate the post-logout URL against the application's Allowed Logout URLs. If no client_id or id_token_hint is supplied, it falls back to the tenant's allowed list.
    • Post Logout URL: OIDC logout uses post_logout_redirect_uri, and if this is left empty, it redirects users to a generic Auth0 landing page. In contrast, V2 logout uses returnTo, and an empty parameter results in an empty HTTP 200 response.
    • Logout Hints: OIDC logout supports additional parameters like id_token_hint or logout_hint, which provide assurance of the legitimacy of the logout request. V2 logout does not support these parameters.
  2. Allowed Logout URLs: Both endpoints use the same configuration; however, OIDC logout offers extended validation by parsing and validating query parameters in the post_logout_redirect_uri.

  3. Federated IdP Logout: Both endpoints support federated logout capabilities.

  4. Confirmation Prompt: OIDC logout can include an optional IdP logout confirmation prompt, which is language-localized and customizable. This feature enhances security by ensuring the user confirms the logout action.

  5. Endpoint Discovery: The OIDC logout endpoint can be discovered through the tenant’s .well-known public resource, facilitating easier integration and standard compliance. V2 logout does not provide such a discovery option.

  6. Request Methods: OIDC logout accepts both GET and POST methods, providing more flexibility in how logout requests can be initiated. In contrast, V2 logout only supports GET requests.
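The following is an added example, not Auth0's code or part of this article: it builds logout requests for both endpoints from the parameters described under item 1, reads the OIDC endpoint from a discovery document as described under item 5, and applies an allow-list check in the spirit of item 2. The tenant domain, client id, allowed URLs and discovery document are constructed sample values, and the matching rule in allowed_logout_url_ok (exact scheme, host and path, with query parameters compared after parsing rather than as raw strings) is this example's own approximation of the "parse and validate query parameters" behaviour the article describes, not Auth0's implementation.

```python
import json
from urllib.parse import urlencode, urlsplit, parse_qsl

TENANT = "example-tenant.us.auth0.com"   # constructed sample domain
CLIENT_ID = "CLIENT_ID_PLACEHOLDER"       # placeholder, not a real client id

# Constructed Allowed Logout URLs, as they would be configured for the application.
ALLOWED_LOGOUT_URLS = [
    "https://app.example.com/logged-out",
    "https://app.example.com/logged-out?reason=user",
]

# Constructed excerpt of a discovery document. A real tenant serves it at
# https://{yourDomain}/.well-known/openid-configuration, and the OIDC logout
# endpoint appears under the standard key "end_session_endpoint".
DISCOVERY_DOC = json.dumps({
    "issuer": f"https://{TENANT}/",
    "end_session_endpoint": f"https://{TENANT}/oidc/logout",
})


def discover_logout_endpoint(discovery_json: str) -> str:
    """Return the OIDC logout endpoint advertised by discovery.
    The v2 endpoint has no discovery entry, so a client must hard-code it."""
    return json.loads(discovery_json)["end_session_endpoint"]


def oidc_logout_url(post_logout_redirect_uri=None, id_token_hint=None,
                    logout_hint=None, client_id=CLIENT_ID) -> str:
    """Build an RP-initiated logout request for /oidc/logout.
    Every parameter is optional; id_token_hint / logout_hint let Auth0
    check that the request really comes from the session being ended."""
    params = {}
    if client_id:
        params["client_id"] = client_id
    if id_token_hint:
        params["id_token_hint"] = id_token_hint
    if logout_hint:
        params["logout_hint"] = logout_hint
    if post_logout_redirect_uri:
        params["post_logout_redirect_uri"] = post_logout_redirect_uri
    query = urlencode(params)
    return f"https://{TENANT}/oidc/logout" + (f"?{query}" if query else "")


def v2_logout_url(return_to=None, client_id=CLIENT_ID) -> str:
    """Build a request for the older /v2/logout endpoint, which takes
    returnTo instead of post_logout_redirect_uri and has no hint parameters."""
    params = {}
    if client_id:
        params["client_id"] = client_id
    if return_to:
        params["returnTo"] = return_to
    query = urlencode(params)
    return f"https://{TENANT}/v2/logout" + (f"?{query}" if query else "")


def allowed_logout_url_ok(candidate: str, allowed=ALLOWED_LOGOUT_URLS) -> bool:
    """Approximation (this example's rule, not Auth0's) of the allow-list check:
    the redirect target must match an allowed entry on scheme, host and path,
    and its parsed query parameters must equal the entry's, so an extra or
    altered parameter is rejected even though the prefix string matches."""
    cand = urlsplit(candidate)
    cand_query = sorted(parse_qsl(cand.query, keep_blank_values=True))
    for entry in allowed:
        ok = urlsplit(entry)
        if (cand.scheme.lower(), cand.netloc.lower(), cand.path) != (
            ok.scheme.lower(), ok.netloc.lower(), ok.path
        ):
            continue
        if cand_query == sorted(parse_qsl(ok.query, keep_blank_values=True)):
            return True
    return False


if __name__ == "__main__":
    print(discover_logout_endpoint(DISCOVERY_DOC))
    print(oidc_logout_url("https://app.example.com/logged-out",
                          id_token_hint="ID_TOKEN_PLACEHOLDER"))
    print(v2_logout_url("https://app.example.com/logged-out"))
    for url in ("https://app.example.com/logged-out?reason=user",
                "https://app.example.com/logged-out?reason=user&next=other"):
        print(url, "->", allowed_logout_url_ok(url))
```

The allow-list check runs on the application side only as a defensive double-check before redirecting; the authoritative validation is the one Auth0 performs against the configured Allowed Logout URLs.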