dan last edited by dan
I've got a question about logout.
When logging in using the /oauth2/token route with the auth code grant, it seems the /api/logout route does not revoke the refresh token.
Is this intended? Is the best way to log out in this case with the /oauth2/logout route? How does that know which user to log out? There's no user id or refresh token property in the body.
dan last edited by dan
Yes, this is intended. This logs the user out by killing their HTTP session. It is all handled with cookies.
Revoking refresh tokens is considered a back-channel logout, which we don't support in the OAuth portion of things. But you can use /api/logout if you want - it is just designed to remove cookies.
The purpose of /oauth2/logout is to remove the SSO session and call each of your configured logout URLs per application.
These logout URLs then would do whatever "logout" means for you. It may be removing your own HTTP session, or removing a refresh token for a particular application (or applications). Then the final step is to redirect to the final URL.
@dan: "...call each of your configured logout URLs per application."
- Do we have many logout URLs?
As you suggested, /api/logout removes cookies; what should I do to remove the SSO session from the native app itself?
Basically, from the Android app, when we call /api/logout & remove any locally saved state info, and then redirect to the login page, as the FusionAuth session is still active, it just redirects back to the consent screen and therefore back to the application, literally making the user unable to switch accounts until the FusionAuth session is terminated.
Since /api/logout doesn't end the FusionAuth session, I am left with only 1 option (as far as I've understood):
- Logout Action in the app.
- Redirects to FusionAuth SSO Page
- Redirects back to the Custom Consent Screen (as FA session is active)
- I add a "LOGOUT COMPLETELY" button redirecting to the /signin-back page (containing a single button "Sign In Again")
- FA Logout Progress
- Redirects to
- Signin Back Button action to APP
- Finally APP opens, checks AuthState to be
- Authorize() redirects to
But I sincerely feel, this is too much, am I mistaken somewhere? There must be some best practices, which I want to know.
dan last edited by
when we call /api/logout & remove any locally saved state info
Can you try to send the user to /oauth2/logout directly? They'll be returned to the logout URL configured in the application. Will that not work?
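To make the two halves of the flow concrete (dan's description of /oauth2/logout calling each application's configured logout URL, and the suggestion just above to send the user there directly rather than to /api/logout), here is an added example written for this thread; it is not FusionAuth's own code. It assumes that /oauth2/logout takes `client_id` and `post_logout_redirect_uri` as query parameters, that a refresh token is revoked with `DELETE /api/jwt/refresh?token=...` using an API key in the `Authorization` header (check both against the docs for your version), and that the application's configured logout URL is a plain GET served by `handle_logout_callback`. The host, client id, API key, and token values are constructed placeholders.

```python
"""Front-channel logout redirect plus the per-application logout URL handler
that clears the app's own session and revokes its refresh token.

Added example for this thread, not FusionAuth project code.  Endpoint shapes
are assumptions noted inline; verify them against your FusionAuth version.
"""
from typing import Callable, Dict, List, Optional, Tuple
from urllib.parse import urlencode, urljoin
from urllib.request import Request, urlopen

# --- 1. Where the native app sends the user to end the SSO session --------
def build_oauth2_logout_url(fusionauth_base: str, client_id: str,
                            post_logout_redirect_uri: Optional[str] = None) -> str:
    """Build the /oauth2/logout URL the app opens in the browser.

    FusionAuth ends the SSO session, calls every configured application
    logout URL, then redirects to post_logout_redirect_uri (assumed parameter)
    or to the logout URL configured for the application.
    """
    params = {"client_id": client_id}
    if post_logout_redirect_uri:
        params["post_logout_redirect_uri"] = post_logout_redirect_uri
    return urljoin(fusionauth_base, "/oauth2/logout") + "?" + urlencode(params)


# --- 2. What the app's configured logout URL does when FusionAuth calls it --
# An injectable DELETE so the handler can be exercised without a network.
HttpDelete = Callable[[str, Dict[str, str]], int]


def default_http_delete(url: str, headers: Dict[str, str]) -> int:
    """Real DELETE via urllib; returns the HTTP status code."""
    req = Request(url, method="DELETE", headers=headers)
    with urlopen(req) as resp:  # timeouts and retries left out for brevity
        return resp.status


def make_recording_delete(log: List[Tuple[str, Dict[str, str]]]) -> HttpDelete:
    """Offline stand-in for default_http_delete that records each call
    and answers 200, so the handler can be tested without FusionAuth."""
    def fake(url: str, headers: Dict[str, str]) -> int:
        log.append((url, headers))
        return 200
    return fake


def revoke_refresh_token(fusionauth_base: str, api_key: str, refresh_token: str,
                         http_delete: HttpDelete = default_http_delete) -> bool:
    """Back-channel revocation done by the application, which is the part
    /oauth2/logout does not do for you.  Assumed endpoint:
    DELETE /api/jwt/refresh?token=<refresh token> with the API key as
    the Authorization header value.  True when the server answered 200."""
    url = urljoin(fusionauth_base, "/api/jwt/refresh") + "?" + urlencode(
        {"token": refresh_token})
    return http_delete(url, {"Authorization": api_key}) == 200


def handle_logout_callback(session_store: Dict[str, Dict[str, str]], session_id: str,
                           fusionauth_base: str, api_key: str,
                           http_delete: HttpDelete = default_http_delete) -> bool:
    """The application's logout URL: drop our own HTTP session and revoke the
    refresh token bound to it.  Returns True only if a token was revoked.

    A stale or repeated callback (no session, no token) is a no-op rather
    than an error, so FusionAuth's logout chain is never interrupted.
    """
    session = session_store.pop(session_id, None)
    if session is None:
        return False
    token = session.get("refresh_token")
    if not token:
        return False
    return revoke_refresh_token(fusionauth_base, api_key, token, http_delete)


if __name__ == "__main__":
    # Constructed sample values; nothing here is real.
    print(build_oauth2_logout_url("https://fusionauth.example.com",
                                  "constructed-client-id", "myapp://signin-back"))
    calls: List[Tuple[str, Dict[str, str]]] = []
    store = {"sess-1": {"refresh_token": "constructed-refresh-token"}}
    print(handle_logout_callback(store, "sess-1", "https://fusionauth.example.com",
                                 "constructed-api-key", make_recording_delete(calls)))
    print(calls)
```

The handler is deliberately idempotent: FusionAuth calls each application's logout URL during the chain, and a second call for an already-cleared session must not fail or leave the SSO logout half-finished. Pass `default_http_delete` (the default) in production and `make_recording_delete` in tests.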
Aah! That should work, while still having the /signin-back button to take me to the app.