Logout - cgillum/easyauth GitHub Wiki
Logout
Clients can initiate a logout by sending a GET request to the app's /.auth/logout endpoint.
GET /.auth/logout
Logging out does the following:
- Clears authentication cookies from the current session.
- Deletes the current user's tokens from the token store.
- Performs a server-side logout on the identity provider, if supported.
The two providers which support server-side logout are Azure Active Directory and Google.
Post-Logout Redirection
By default, a successful logout will redirect the client to the /.auth/logout/done URL, which looks like the following:
You can change the post-logout landing page by adding the post_logout_redirect_uri query string parameter to the /.auth/logout URL. Both fully-qualified and relative URLs are supported, though relative URLs are recommended. It is also recommended to URL-encode the post_logout_redirect_uri value, but it is not always required.
GET /.auth/logout?post_logout_redirect_uri=/index.html
When using fully-qualified URLs, the URL must either be hosted in the same domain or must be in the Allowed External Redirect URLs list in the Azure Portal's Authentication / Authorization blade.
GET /.auth/logout?post_logout_redirect_uri=https%3A%2F%2Fmyexternalurl.com
If an external domain is not in this list, the post-logout redirect location will be ignored and a warning will be written to the application logs.
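The redirect rules above can also be enforced on the client before the logout link is built, which matters when the landing page comes from untrusted input such as a return-URL query parameter. The following is an added example, not code from this wiki or from the Easy Auth project: buildLogoutUrl, ALLOWED_EXTERNAL and the app.example origin are hypothetical, and matching by origin is an assumption that may be stricter than the service's own "same domain" check.

```javascript
// Hypothetical client-side mirror of the app's "Allowed External Redirect
// URLs" setting (constructed value, taken from the example on this page).
const ALLOWED_EXTERNAL = ["https://myexternalurl.com"];

// Returns a logout URL. Falls back to plain /.auth/logout (default landing
// page) whenever the requested target does not pass the checks.
function buildLogoutUrl(target, appOrigin, allowedExternal = ALLOWED_EXTERNAL) {
  const base = "/.auth/logout";
  if (typeof target !== "string" || target === "") return base;

  // Backslashes and control characters are normalised differently by
  // browsers and servers, so refuse them outright.
  if (/[\u0000-\u001f\\]/.test(target)) return base;

  // Relative URL (recommended): exactly one leading slash. "//host" is a
  // scheme-relative URL that points at another host.
  if (target.startsWith("/")) {
    if (target.startsWith("//")) return base;
    return `${base}?post_logout_redirect_uri=${encodeURIComponent(target)}`;
  }

  // Fully-qualified URL: must parse, use http(s), and be same-origin or listed.
  let url;
  try {
    url = new URL(target);
  } catch {
    return base;
  }
  if (url.protocol !== "https:" && url.protocol !== "http:") return base;

  const listed = allowedExternal.some((a) => new URL(a).origin === url.origin);
  if (url.origin !== appOrigin && !listed) return base;

  // Send the parsed form so that the value checked is the value sent.
  return `${base}?post_logout_redirect_uri=${encodeURIComponent(url.href)}`;
}
```

This check does not replace the Allowed External Redirect URLs list; it only keeps the page from generating links that the service would ignore or that point somewhere unintended.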
Examples
An HTML snippet can be used to create a logout link within a webpage. Here is a simple example:
<a href="/.auth/logout">Logout</a>