
Logout API does not require id_token

According to the OIDC specification, the id_token is recommended to be passed when logging users out, for security purposes. But the related Auth0 URL does not require it. Does anybody know the reasons behind this?

8. Security Considerations

The OP iframe MUST enforce that the caller has the same origin as its parent frame. It MUST reject postMessage requests from any other source origin, to prevent cross-site scripting attacks.

The id_token_hint parameter to a logout request can be used to determine which RP initiated the logout request. Logout requests without a valid id_token_hint value are a potential means of denial of service; therefore, OPs may want to require explicit user confirmation before acting upon them.

That is from the OpenID Connect Session Management specification, which at this time is something not supported by the service. There are, however, logout endpoints that technically even predate the final version of OpenID Connect Core, so it is not surprising that those endpoints don’t make use of the ID token hint.

Now, the above is the explanation for it, and I’m not implying that the lack of support for that is intentional or something that will never happen. I would suggest that you give your feedback about this situation through auth0.com/feedback, as that goes straight to the product team for review and they would be the best team to review this request.
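To make the spec's security consideration concrete, here is an added example (not from the original post and not Auth0's code) of how an OP can treat a logout request: the id_token_hint is verified, its aud claim identifies the requesting RP, and a request with no usable hint falls back to explicit user confirmation rather than silently ending the session. The signing key, issuer and registered RPs are constructed fixtures; the token uses HS256 only to keep the example self-contained.

```python
import base64, hashlib, hmac, json, time

# Constructed fixtures standing in for the OP's signing key and its RP registry.
OP_SIGNING_KEY = b"constructed-demo-key"
OP_ISSUER = "https://op.example"
REGISTERED_RPS = {"rp-web-app": "https://rp.example/logged-out"}

def _b64url_decode(s):
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def _b64url_encode(b):
    return base64.urlsafe_b64encode(b).rstrip(b"=").decode()

def mint_id_token(client_id, subject, key=OP_SIGNING_KEY):
    """Issue a minimal HS256 ID token; a test fixture, not a real OP issuer."""
    header = _b64url_encode(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    claims = {"iss": OP_ISSUER, "aud": client_id, "sub": subject, "exp": int(time.time()) + 3600}
    payload = _b64url_encode(json.dumps(claims).encode())
    sig = hmac.new(key, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url_encode(sig)}"

def verify_id_token_hint(token, key=OP_SIGNING_KEY):
    """Return the claims if this OP issued the token, else None.
    Expiry is deliberately not enforced: RP-Initiated Logout says the OP SHOULD
    accept an expired ID Token as a hint for a current or recent session."""
    try:
        h, p, s = token.split(".")
        expected = hmac.new(key, f"{h}.{p}".encode(), hashlib.sha256).digest()
        if not hmac.compare_digest(expected, _b64url_decode(s)):
            return None
        if json.loads(_b64url_decode(h)).get("alg") != "HS256":
            return None
        claims = json.loads(_b64url_decode(p))
        return claims if claims.get("iss") == OP_ISSUER else None
    except ValueError:  # malformed segments, bad base64 or bad JSON
        return None

def handle_logout(params, session_sub):
    """Decide how the OP should act on a logout request for the current session."""
    hint = params.get("id_token_hint")
    claims = verify_id_token_hint(hint) if hint else None
    # No valid hint: the requesting RP is unknown, so ask the user instead of
    # acting on what could be a denial-of-service attempt against their session.
    if claims is None:
        return {"action": "require_confirmation", "rp": None, "redirect": None}
    aud = claims.get("aud")
    # Unknown RP or a hint for a different user: do not end this session unasked.
    if aud not in REGISTERED_RPS or claims.get("sub") != session_sub:
        return {"action": "require_confirmation", "rp": aud, "redirect": None}
    return {"action": "logout", "rp": aud, "redirect": REGISTERED_RPS[aud]}
```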