Redirect Users with Alternative Logout

You can redirect users to a specific URL after they logout. You will need to register the redirect URL in your tenant or application settings. Auth0 only redirects to allow list URLs after logout. If you need different redirects for each application, you can add the URLs to the allow list in your application settings.

1. Add a returnTo query string parameter with the target URL as the value. Encode the target URL being passed in. For example, to redirect the user to https://www.example.com after logout, make the following request: https://{yourDomain}/v2/logout?returnTo=http%3A%2F%2Fwww.example.com.

2. Add the non-encoded returnTo URL (for these examples, it is http://www.example.com) as an Allowed Logout URLs in one of two places:

   • Tenant Settings: For logout requests that do not include the client_id parameter you must add the returnTo URL (for example http://www.example.com) to the Allowed Logout URLs list in the Advanced tab of your Tenant Settings. For example: https://{yourDomain}/v2/logout?returnTo=http%3A%2F%2Fwww.example.com.

     To add a list of URLs that the user may be redirected to after logging out at the tenant level, go to the Tenant Settings > Advanced of the Auth0 Dashboard.

     

   • Auth0 Application Settings: For logout requests that include the client_id parameter you must add the returnTo URL (for example http://www.example.com) to the Allowed Logout URLs list in the Settings tab of your Auth0 app that is associated with the specified CLIENT_ID. For example: https://{yourDomain}/v2/logout?returnTo=http%3A%2F%2Fwww.example.com&client_id={clientId}

     To redirect the user after they log out from a specific application, you must add the URL used in the returnTo parameter of the redirect URL to the Allowed Logout URLs list in the Settings tab of your Auth0 application that is associated with the CLIENT_ID parameter.

     

When providing the URL list, you can:

1. Specify multiple, valid, comma-separated URLs.

2. Use * as a wildcard for subdomains (such as http://*.example.com).

If the client_id parameter is included and the returnTo URL is not set, the server returns the user to the first Allowed Logout URLs set in the Dashboard.

In order to avoid validation errors, make sure that you include the protocol part of the URL. For example, setting the value to *.example.com will result in a validation error, so you should use http://*.example.com instead.

Several providers support federated logout.

To redirect users from applications using federated logout, initiate federated logout with the following endpoint:

https://{yourDomain}/v2/logout?federated

You are responsible for ensuring your application terminates the user session before redirecting.

When the user reaches the /logout endpoint, Auth0 terminates the Auth0 session, redirects the user to the Identity Providers logout endpoint, and terminates the session with the Identity Provider.

• The validation of URLs provided as values to the returnTo parameter, the query string, and hash information provided as part of the URL are not taken into account.

• The behavior of federated logouts with social providers is inconsistent. Each provider will handle the returnTo parameter differently and for some it will not work. Please check your social provider's settings to ensure that they will accept the returnTo parameter and how it will behave.

• The URLs provided in the Allowed Logout URLs list are case-sensitive, so the URL used for logouts must match the case of the logout URL configured on the dashboard. However, do note that the scheme and host parts are case insensitive. For example, if your URL is http://www.Example.Com/FooHoo.html, the http://www.Example.Com portion is case insensitive, while the FooHoo.html portion is case sensitive.

If you are working with social identity providers such as Google or Facebook, you must set your Client ID and Secret for these providers in the Dashboard for the logout to function properly.

Use the returnTo parameter to specify how to redirect the user after logout.

Not all IdPs support returnTo.

For Facebook, the example code below uses the returnTo parameter and specifies a website for the redirect.

https://{yourDomain}/v2/logout?federated&
      returnTo=https://{yourDomain}/logout?returnTo=http://www.example.com
      &access_token={facebookAccessToken}

• Log Users Out of Applications
• Log Users Out of Auth0 with OIDC Endpoint
• Log Users Out of Identity Providers
• Log Users Out of SAML Identity Providers
• Check Login and Logout Issues