Skip to main content
U.S. flag

An official website of the United States government

Dot gov

Official websites use .gov
A .gov website belongs to an official government organization in the United States.

Https

Secure .gov websites use HTTPS
A lock ( Https ) or https:// means you've safely connected to the .gov website. Share sensitive information only on official, secure websites.

Logout

Login.gov supports RP-Initiated Logout, allowing clients to log users out of their current Login.gov session and redirect them back to the Relying Party.

Login.gov does not support Single Logout (SLO). The logout action will terminate the user’s session at Login.gov but will not end any other potentially active sessions within service provider applications. For example, if a user signs in to applications A and B through Login.gov, a logout request from A will end their Login.gov session, but will not affect the session in application B.

User experience impact:

As per the OIDC spec, Login.gov will display a Logout confirmation screen to users on logout. Users will need to click a button to complete the logout process. This protects against forged logout request attacks.

If the user does not click the button, they will not be redirected back to your application.

Logout request

To log out a user, send them to the /openid_connect/logout endpoint with the following parameters:

client_id

The unique identifier for the client. This will be registered with the Login.gov IdP in advance.

post_logout_redirect_uri

The URI Login.gov will redirect to after logout. This must also be registered with the Login.gov IdP in advance.

state (optional)

A unique value at least 22 characters in length used for maintaining state between the request and the callback. This value will be returned to the client on a successful logout as a parameter of state added to the redirect back to the post_logout_redirect_uri.

Logout response

In a successful logout, i.e. the request is valid and the user confirms that they want to log out, Login.gov will redirect the user to the provided post_logout_redirect_uri with the state parameter added to the URL. If the request is invalid, the user will be shown an error page. If the user declines to click the button on the confirmation page, they will not be redirected to the post_logout_redirect_uri and there will be no response to your application.

https://idp.int.identitysandbox.gov/openid_connect/logout?
client_id=${CLIENT_ID}&
post_logout_redirect_uri=${REDIRECT_URI}&
state=abcdefghijklmnopabcdefghijklmnop
Edit this page
Return to top