Logout Confirmation
Overview
Most OIDC client libraries (e.g., oidc-client-ts, angular-auth-oidc-client) clear local token data before redirecting to the identity provider's logout endpoint. This means the user's frontend session is already destroyed by the time the server processes the logout.
To support logout confirmation in your application, you have two options:
- Frontend confirmation — Show your own dialog before calling signoutRedirect() (or equivalent). No server-side setup needed.
- Authifi's /logout/confirm endpoint — Override your client library's default logout to redirect to Authifi's pre-logout confirmation page instead. This preserves the user's session until they confirm.
This guide covers Option 2 — using Authifi's server-side confirmation endpoint.
Option 1: Frontend confirmation
If you prefer to handle confirmation entirely in your app, simply show a dialog before calling your OIDC library's logout method. If the user confirms, call signoutRedirect() (or equivalent). If they cancel, do nothing. No server-side setup is required.
The /logout/confirm Endpoint
| Parameter | Required | Description |
|---|---|---|
| client_id | Recommended | Client ID. Used to look up the showLogoutPrompt setting and apply branding. |
| post_logout_redirect_uri | Recommended | Redirect URI after logout. Also used as the fallback for "stay signed in". |
| id_token_hint | Optional | ID token for session identification. Only used if client_id is not provided. |
| state | Optional | Opaque value returned to your redirect URI. Use it to trigger post-logout cleanup (e.g., post_logout). |
| show_prompt | Optional | Overrides showLogoutPrompt. "true" = show the prompt, "false" = skip straight to /session/end. |
The confirmation page presents the user with:
- "Yes, sign me out" — Proceeds with logout.
- "No, stay signed in" — Returns to the application with the session fully intact.
- 30-second auto-logout — If no action is taken, the user is automatically signed out.
- Active session info — Shows which other applications will be affected by the logout.
showLogoutPrompt Setting
Configured per-client in the Admin UI under Login/Logout settings:
- true (default) — Shows the confirmation page.
- false — Redirects directly to /session/end, skipping confirmation.
Note
This setting only affects the /logout/confirm endpoint. The standard /session/end endpoint always logs the user out immediately regardless of this setting.
Integration Pattern
The same pattern applies regardless of OIDC library.
Important
Do not call your library's logout method (signoutRedirect(), logoff(), signOut(), etc.) when using this flow. These methods clear local tokens before redirecting, which defeats the purpose of the confirmation.
Step 1: Redirect to /logout/confirm
When the user clicks "Log out", navigate to the confirmation endpoint instead of calling your OIDC library's logout method:
```javascript
function logout() {
  // Parameters understood by /logout/confirm; state is echoed back to
  // post_logout_redirect_uri so the app can recognise the return.
  const params = new URLSearchParams({
    client_id: 'your-client-id',
    post_logout_redirect_uri: 'https://your-app.com',
    state: 'post_logout'
  });
  // {tenantId} is a placeholder for your Authifi tenant id.
  // A full-page navigation is used on purpose: no local tokens are touched here.
  window.location.href = `https://your-auth-server.com/_api/auth/{tenantId}/logout/confirm?${params}`;
}
```
Step 2: Handle Post-Logout Cleanup
On app initialization, check for the state parameter and clean up local session data:
```typescript
function handlePostLogoutCleanup(): boolean {
  const urlParams = new URLSearchParams(window.location.search);
  // Only the exact state value sent in Step 1 marks a post-logout return.
  if (urlParams.get('state') !== 'post_logout') {
    return false;
  }
  // Clean up URL so a reload does not re-trigger the cleanup
  const url = new URL(window.location.href);
  url.searchParams.delete('state');
  window.history.replaceState({}, document.title, url.toString());
  // Clear OIDC storage (keys are collected first, then removed)
  for (const storage of [localStorage, sessionStorage]) {
    Object.keys(storage).forEach((key) => {
      if (key.startsWith('oidc.')) {
        storage.removeItem(key);
      }
    });
  }
  // Clear library-specific state:
  // - oidc-client-ts: userManager.removeUser()
  // - angular-auth-oidc-client: oidcSecurityService.logoffLocal()
  // - next-auth: signOut({ redirect: false })
  return true;
}

// On app startup:
if (!handlePostLogoutCleanup()) {
  // Normal auth initialization
}
```
Cancellation
If the user clicks "No, stay signed in", the browser navigates back to the application. No tokens were cleared, so the session is fully preserved. No action is needed in your app.
Skipping the Confirmation
To use the /logout/confirm routing without showing the prompt (e.g., during an idle timeout), either:
- Pass show_prompt=false as a query parameter, or
- Set showLogoutPrompt: false in the client's configuration via the Admin UI.
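The Integration Pattern above and the show_prompt skip, as an added example that is not Authifi's code or any client library's: the URL builder and the return-URL check are written as pure functions so they can be unit-tested without a browser, and the builder refuses any post_logout_redirect_uri that is not on the client's registered list. The auth-server host, tenant id, client id and registered redirect list are assumed placeholders.

```javascript
// Assumed placeholders; substitute your own values.
const AUTH_SERVER = 'https://your-auth-server.com';
const TENANT_ID = 'tenant-placeholder';
const CLIENT_ID = 'your-client-id';
// Only redirect URIs registered for the client are ever sent; anything else
// is rejected before a navigation happens.
const REGISTERED_REDIRECTS = ['https://your-app.com', 'https://your-app.com/signed-out'];

// Builds the /logout/confirm URL. showPrompt=false appends show_prompt=false
// (idle timeout case); otherwise the parameter is omitted so the client's
// showLogoutPrompt setting decides.
function buildLogoutConfirmUrl({ postLogoutRedirectUri, showPrompt = true, state = 'post_logout' }) {
  if (!REGISTERED_REDIRECTS.includes(postLogoutRedirectUri)) {
    throw new Error(`unregistered post_logout_redirect_uri: ${postLogoutRedirectUri}`);
  }
  const params = new URLSearchParams({
    client_id: CLIENT_ID,
    post_logout_redirect_uri: postLogoutRedirectUri,
    state,
  });
  if (!showPrompt) params.set('show_prompt', 'false');
  return `${AUTH_SERVER}/_api/auth/${TENANT_ID}/logout/confirm?${params}`;
}

// Inspects the URL the app loaded with. Only the exact state value we sent
// counts as a post-logout return; the state parameter is stripped from the
// returned cleanUrl so it can be passed to history.replaceState.
function inspectReturnUrl(href) {
  const url = new URL(href);
  const postLogout = url.searchParams.get('state') === 'post_logout';
  if (postLogout) url.searchParams.delete('state');
  return { postLogout, cleanUrl: url.toString() };
}

// Browser wiring (not executed in tests): navigate on click, check on startup.
function logoutWithConfirm(showPrompt = true) {
  window.location.href = buildLogoutConfirmUrl({
    postLogoutRedirectUri: 'https://your-app.com',
    showPrompt,
  });
}
```

Call logoutWithConfirm() from the "Log out" button and logoutWithConfirm(false) from an idle-timeout handler; on startup, feed window.location.href to inspectReturnUrl and run your storage cleanup only when postLogout is true.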