Logout is the act of terminating an authenticated session when it's no longer needed, thus minimizing the likelihood that unauthorized parties can "take over" the session. This is typically achieved by provisioning a logout option on the user interface you provide to your users. Multiple types of sessions can be created when a user logs in (e.g., local application sessions, Auth0 session, third-party Identity Provider sessions), and you will need to determine which of these sessions need to be terminated when the user clicks any Logout option.
Your logout behavior should make it clear to a user which session(s) are being terminated, and ideally, will display a visual confirmation of logout afterward.
When configuring logout behavior, you'll need to consider:
- Which sessions should be terminated when the user initiates logout?
- What information to provide to users as confirmation of the sessions terminated?
- Where should users be redirected to after logout completes?
- Whether actions taken by the user elsewhere (such as in another application) need to be accounted for to provide a single logout experience?
- How long you want sessions to last in the event that users do not trigger the logout process?
Given the varying types of sessions that can be created whenever a user logs in, there are several types of logout possible. Local application logout ends the session with the application, whereas Auth0 logout terminates the Auth0 session. Federated logout terminates the Auth0 session and also propagates the logout request to a remote, third-party Identity Provider. Global, or Single Logout (SLO), ends the Auth0 session and also sends a logout request/notice to applications relying on the Auth0 session.
The functionality provided by your application, as well as your use of features like SSO, will inform your decision as to what type of logout is required and what visual confirmation you'll need to provide to your users. Regardless of which option you choose, the logout process you implement should make it clear to the user which sessions are being terminated, and also when the logout process has completed.
Where to send users after logout
Once your user logs out, they will be redirected to a specific location of your choosing. This location is specified as the logout redirect URL, and you can define this as a parameter via the Auth0 Dashboard.
The URL(s) you use to redirect users after logging out must be whitelisted in the Dashboard to mitigate open-redirect security vulnerabilities. You can whitelist them at the tenant or application levels.
Automatic termination of sessions
Not all users will trigger the logout process manually, so Auth0 also provides session timeout to prevent overly long-lived sessions. This setting is available and configurable via the Auth0 Dashboard.
To help you with planning your implementation, we've put together some planning guidance that details our recommended strategies.