Logout
LumoAuth implements OpenID Connect RP-Initiated Logout. When your application ("relying party") wants to sign a user out of their LumoAuth session, redirect them to this endpoint. LumoAuth invalidates the session and, if configured, redirects the user back to your application.
GET|POST /orgs/{orgId}/api/v1/oauth/logout
Request Parameters
| Parameter | Required | Description |
|---|---|---|
| id_token_hint | recommended | The ID token issued to the client. Used to identify the user and validate the client. |
| client_id | | Client ID (required when id_token_hint is not provided) |
| post_logout_redirect_uri | | URL to redirect to after logout. Must be pre-registered on the client. |
| state | | Opaque value passed back in the redirect |
| logout_hint | | Hint about the user to log out (e.g., email or sub) |
Initiate Logout (Redirect)
GET https://app.lumoauth.dev/orgs/acme-corp/api/v1/oauth/logout?
id_token_hint=eyJhbGciOiJSUzI1NiIs...&
post_logout_redirect_uri=https%3A%2F%2Fapp.example.com%2Flogout-success&
state=xyz789
Logout Flow
- Redirect the user to the logout endpoint with id_token_hint.
- LumoAuth invalidates the user's SSO session.
- LumoAuth redirects to post_logout_redirect_uri (if registered) with state.
Post-Logout Redirect
After logout, the user is redirected to:
https://app.example.com/logout-success?state=xyz789
Warning: If post_logout_redirect_uri is not registered for the client, the user lands on LumoAuth's default logout confirmation page.
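The relying-party side of the flow above, as an added example (not LumoAuth's own code): it builds the logout redirect with a fresh state value and accepts the post-logout redirect only when that same state comes back exactly once. The function names and the dict-like `session` store are assumptions; the endpoint and redirect URI are the ones from the request shown on this page.

```python
import hmac
import secrets
from urllib.parse import urlencode, urlsplit, parse_qs

# Values taken from the example request on this page.
LOGOUT_ENDPOINT = "https://app.lumoauth.dev/orgs/acme-corp/api/v1/oauth/logout"
POST_LOGOUT_REDIRECT_URI = "https://app.example.com/logout-success"


def build_logout_url(id_token, session):
    """Return the logout redirect URL and remember a fresh state value."""
    state = secrets.token_urlsafe(32)      # unguessable, one per logout attempt
    session["logout_state"] = state        # hypothetical server-side session store
    query = urlencode({
        "id_token_hint": id_token,
        "post_logout_redirect_uri": POST_LOGOUT_REDIRECT_URI,
        "state": state,
    })
    return f"{LOGOUT_ENDPOINT}?{query}"


def is_valid_logout_return(callback_url, session):
    """True only if the post-logout redirect carries the state we issued."""
    expected = session.pop("logout_state", None)   # consume it: no replay
    returned = parse_qs(urlsplit(callback_url).query).get("state", [])
    if expected is None or len(returned) != 1:
        return False                               # missing or duplicated state
    return hmac.compare_digest(expected.encode(), returned[0].encode())


if __name__ == "__main__":
    session = {}                                   # constructed stand-in session
    print(build_logout_url("eyJ.constructed.token", session))
    callback = f"{POST_LOGOUT_REDIRECT_URI}?state={session['logout_state']}"
    print(is_valid_logout_return(callback, session))   # first use is accepted
    print(is_valid_logout_return(callback, session))   # replay is rejected
```
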
Session Check (check_session iframe)
GET /orgs/{orgId}/api/v1/oauth/check_session
An iframe endpoint for check_session-based session monitoring (OpenID Connect Session Management 1.0). Embed this in a hidden iframe to detect SSO session changes without polling.
Related
- Authorization endpoint — start a new session
- Token formats — token lifetimes