Overview
Auth0 provides both /v2/logout and /oidc/logout endpoints. This article explains some differences between them and which should be used depending on the use case.
Applies To
- Logout Endpoints
- Open ID Connect (OIDC) Logout
- Alternative Logout
Solution
As of February 2023, a new standard logout endpoint was introduced, OIDC RP-Initiated Logout, available at https://{yourDomain}/oidc/logout. This endpoint enhances security measures over the existing custom logout endpoint found at https://{yourDomain}/v2/logout.
The fundamental differences and advantages of using the OIDC logout are outlined below:
-
Request Parameters and Validation:
- Client ID: The OIDC logout optionally uses the client_id to validate the post-logout URL listed in the Allowed Logout URLs. If the
client_idorid_token_hintis missing, it falls back to the tenant’s allowed list. - Post Logout URL: OIDC logout uses
post_logout_redirect_uri, and if this is left empty, it redirects users to a generic Auth0 landing page. In contrast, V2 logout uses returnTo, and an empty parameter results in an empty HTTP 200 response. - Logout Hints: OIDC logout supports additional parameters like
id_token_hintorlogout_hint, which provide assurance of the legitimacy of the logout request. V2 logout does not support these parameters.
- Client ID: The OIDC logout optionally uses the client_id to validate the post-logout URL listed in the Allowed Logout URLs. If the
-
Allowed Logout URLs: Both endpoints use the same configuration; however, OIDC logout offers extended validation by parsing and validating query parameters in the
post_logout_redirect_uri. -
Federated IdP Logout: Both endpoints support federated logout capabilities.
-
Confirmation Prompt: OIDC logout can include an optional IdP logout confirmation prompt, which is language-localized and customizable. This feature enhances security by ensuring the user confirms the logout action.
-
Endpoint Discovery: The OIDC logout endpoint can be discovered through the tenant’s .well-known public resource, facilitating easier integration and standard compliance. V2 logout does not provide such a discovery option.
-
Request Methods: OIDC logout accepts both GET and POST methods, providing more flexibility in how logout requests can be initiated. In contrast, V2 logout only supports GET requests.