OIDC Back-Channel Logout Initiators
OIDC Back-Channel Logout Initiators allow you to remotely log out users from their applications based on session termination events. OIDC Back-Channel Logout Initiators work across protocols—for example, an identity provider-initiated (IdP-initiated) SAML logout request—and are unaffected by third-party cookie restrictions.
This feature is an extension to the standard OIDC back-channel specification. You can configure it to initiate an OIDC Back-Channel Logout request for specific session termination events, such as a password change or session expiration, or for all session termination events.
Administrators can enable this feature for specific applications with the Auth0 Management API.
How OIDC Back-Channel Logout Initiators work
Initiators bind an OIDC Back-Channel Logout response to a session termination event. They capture the event and use it to trigger an OIDC logout token in all applications associated with the given session.
The following diagram illustrates how an OIDC Back-Channel Logout Initiator works for a password change event:

Configure OIDC Back-Channel Logout Initiators
You can configure OIDC Back-Channel Logout Initiators with the Auth0 Management API.
Management API
You can configure the OIDC Back-Channel Logout Initiators for an application with the Management API by using the Update a Client endpoint.
Get an Management API access token with the
update:clients
scope.Call the Update a Client endpoint with the appropriate configuration data in the payload. For example, to log out an application after a password change event, provide the following:
to configure this snippet with your accountPATCH /api/v2/clients/{yourClientId} { ... "oidc_logout": { "backchannel_logout_urls": ["https://example.com/cb"] "backchannel_logout_initiators": { "mode":"custom", "selected_initiators": ["rp-logout", "idp-logout", "password-changed"] } } ... }
Was this helpful?
/
Properties
The backchannel_logout_initiators
object supports the following properties:
Property | Type | Required? | Description | Supported values |
---|---|---|---|---|
mode |
string | Required | Configuration method for enabling initiators. | custom , all |
selected_initiators |
array | Required if mode is custom |
List of initiators to enable. | rp-logout , idp-logout , password-changed , session-expired |
mode property
The mode
property determines the configuration method for enabling initiators.
By default, it is set to custom
, which allows you to specify which initiators you want to enable. If you want your application to logout anytime the IdP session ends, set it to all
.
The mode
property supports the following values:
Value | Description |
---|---|
custom |
Enables only the initiators listed in the selected_initiators array. |
all |
Automatically enables all current and future initiators. |
selected_initiators property
The selected_initiators
property contains the list of initiators to be enabled for the given application.
The selected_initiators
property supports the following values:
Value | Description |
---|---|
rp-logout |
Request was initiated by a relying party (RP). |
idp-logout |
Request was initiated by an external identity provider (IdP). |
password-changed |
Request was initiated by a password change. |
session-expired |
Request was initiated when a session expires. |
Examples
Subscribe an application to all current and future initiators
PATCH /api/v2/clients/{yourClientId}
{
...
"oidc_logout": {
"backchannel_logout_urls": ["https://example.com/cb"]
"backchannel_logout_initiators": {
"mode":"all"
}
}
...
}
Was this helpful?
Subscribe an application to password-changed initiator only (rp-logout and idp-logout are required)
PATCH /api/v2/clients/{yourClientId}
{
...
"oidc_logout": {
"backchannel_logout_urls": ["https://example.com/cb"]
"backchannel_logout_initiators": {
"mode":"custom",
"selected_initiators": ["rp-logout", "idp-logout", "password-changed"]
}
}
...
}
Was this helpful?
Unsubscribe all initiators (rp-logout remains the default)
PATCH /api/v2/clients/{yourClientId}
{
...
"oidc_logout": {
"backchannel_logout_urls": ["https://example.com/cb"]
}
...
}
Was this helpful?