Logout endpoint: (v6.0)
To handle the logout, a logout endpoint is necessary to perform:
- the local logout by removing the pac4j profiles from the session
- the central logout by calling the identity provider logout endpoint. This is the Single-Log-Out (= SLO) process.
By default, it relies on the
DefaultLogoutLogic which has the following behaviour:
true, the pac4j profiles are removed from the web session (and the web session is destroyed if the
A post logout action is computed as the redirection to the
urlrequest parameter if it matches the
logoutUrlPatternor to the
defaultUrlif it is defined or as a blank page otherwise
true, the user is redirected to the identity provider for a central logout and then optionally to the post logout redirection URL (if it’s supported by the identity provider and if it’s an absolute URL). If no central logout is defined, the post logout action is performed directly.
The following options are available for the logout endpoint. They can be defined via setters, constructors, servlet parameters, etc… depending on the pac4j implementation:
It’s the security configuration.
It’s the default logout URL if no
url request parameter is provided or if the
url does not match the
logoutUrlPattern. It is an optional parameter, not defined by default.
It’s the logout URL pattern that the
url parameter must match. It is an optional parameter and only relative URLs are allowed by default.
It indicates whether a local logout must be performed. It is an optional parameter,
true by default.
It defines whether we must destroy the web session during the local logout. It is an optional parameter,
false by default.
It defines whether a central logout must be performed. It is an optional parameter,
false by default.
3) Logout requests from the identity provider
In case of a central logout, the SLO process happening at the identity provider will send logout requests to the applications. Yet, these logout requests will be received by the callback endpoint and not this logout endpoint.