Log Users Out of Identity Providers
Some providers allow you to force a user to log out of their identity provider. Auth0 often accomplishes this by adding the federated query string parameter to the redirect at the /oidc/logout endpoint.
To do this, add a federated query string parameter to the logout URL:
https://{yourDomain}/oidc/logout?federated
Federated logout support
The following identity providers support federated logout:
Evernote
Facebook
Fitbit
GitHub
Google
  Apps
  OAuth 2.0
Microsoft
  Active Directory Federation Services
  Office 365
  Windows Azure Active Directory
  Windows Live
Salesforce/Salesforce Sandbox
X
Yahoo
Yammer
Clear application session
The Auth0 Logout endpoint logs you out from Auth0 and, optionally, from your identity provider. It does not log you out of your application! This is something that you must implement on your side. You need to log out the user from your application by clearing their session.
Alternative logout
To add federated logout to the alternative logout endpoint, add the federated query string parameter to the logout URL:
https://{yourDomain}/v2/logout?federated
Alternative logout limitations
No validation is performed on any URL provided as a value to the returnTo parameter, nor any query string or hash information provided as part of the URL.
The behavior of federated logouts with social providers is inconsistent. Each provider will handle the returnTo parameter differently and for some, it will not work. Please check your social provider's settings to determine how it will behave.
If you are working with social identity providers such as Google or Facebook, you must set your Client ID and Secret for these providers in the Dashboard for the logout to function properly.
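An added example (not from the Auth0 documentation) of the two application-side duties described above: clearing the application session, and checking the returnTo value yourself because the endpoint does not validate it. The allowlist, the Map-based session store, the function names and the example.test hosts are assumptions.

```javascript
// Added example: ALLOWED_RETURN_URLS, safeReturnTo, buildFederatedLogout, the
// Map-based session store and the example.test hosts are assumptions, not Auth0 APIs.
const ALLOWED_RETURN_URLS = new Set([
  'https://app.example.test/',
  'https://app.example.test/signed-out',
]);
const DEFAULT_RETURN_URL = 'https://app.example.test/';

// Exact-match check after parsing. The page states that returnTo is not
// validated on /v2/logout, so the application decides which destinations are acceptable.
function safeReturnTo(candidate) {
  let url;
  try {
    url = new URL(candidate);
  } catch {
    return DEFAULT_RETURN_URL; // relative, empty or malformed input
  }
  if (url.protocol !== 'https:' || url.username || url.password) {
    return DEFAULT_RETURN_URL;
  }
  // Compare origin + path only; drop the caller-supplied query string and hash,
  // which the endpoint would otherwise pass through unchecked.
  const normalized = url.origin + url.pathname;
  return ALLOWED_RETURN_URLS.has(normalized) ? normalized : DEFAULT_RETURN_URL;
}

// Clears the local session first, then returns the URL to redirect the browser to.
function buildFederatedLogout(auth0Domain, sessions, sessionId, requestedReturnTo) {
  // The Auth0 logout endpoint does not touch the application session; delete it here.
  const cleared = sessions.delete(sessionId);
  const returnTo = safeReturnTo(requestedReturnTo);
  const redirect =
    `https://${auth0Domain}/v2/logout?federated&returnTo=${encodeURIComponent(returnTo)}`;
  return { cleared, redirect };
}
```

Call buildFederatedLogout from the application's own logout route and send the browser to the returned redirect only after the local session has been removed.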
If you are an Auth0 Enterprise user, you will typically have SSO enabled for multiple applications, for example, SharePoint, a few .NET applications, a few Java applications, Zendesk, etc. In this case, it's very common that when users sign out, this needs to happen for all of their applications.