Fork me on GitHub

Logout endpoint: (v6.0)

To handle the logout, a logout endpoint is necessary to perform:

1) Behavior

By default, it relies on the DefaultLogoutLogic which has the following behaviour:

  1. If the localLogout property is true, the pac4j profiles are removed from the web session (and the web session is destroyed if the destroySession property is true)

  2. A post logout action is computed as the redirection to the url request parameter if it matches the logoutUrlPattern or to the defaultUrl if it is defined or as a blank page otherwise

  3. If the centralLogout property is true, the user is redirected to the identity provider for a central logout and then optionally to the post logout redirection URL (if it’s supported by the identity provider and if it’s an absolute URL). If no central logout is defined, the post logout action is performed directly.

2) Options

The following options are available for the logout endpoint. They can be defined via setters, constructors, servlet parameters, etc… depending on the pac4j implementation:

a) config

It’s the security configuration.

b) defaultUrl

It’s the default logout URL if no url request parameter is provided or if the url does not match the logoutUrlPattern. It is an optional parameter, not defined by default.

c) logoutUrlPattern

It’s the logout URL pattern that the url parameter must match. It is an optional parameter and only relative URLs are allowed by default.

d) localLogout

It indicates whether a local logout must be performed. It is an optional parameter, true by default.

e) destroySession

It defines whether we must destroy the web session during the local logout. It is an optional parameter, false by default.

f) centralLogout

It defines whether a central logout must be performed. It is an optional parameter, false by default.

3) Logout requests from the identity provider

In case of a central logout, the SLO process happening at the identity provider will send logout requests to the applications. Yet, these logout requests will be received by the callback endpoint and not this logout endpoint.