The Logout-Endpoint logs the user out of the WSC.
The URL is
The following parameters are optional:
||The URL to which the user is redirected after logout. Must match the Redirect-URIs of the Client.|
||Recommended. A JWT, which is used to terminate all existing sessions with the Client.|
||A custom state from your application. See the next section for using this parameter for security purposes.|
State and Security
The state parameter can be used to prevent CSRF and Clickjacking vulnerabilities.
state is sent in the authorization request and returned in the response. It should be a value that binds the user’s request to their authenticated state. For example, state could be a hash of the user’s session cookie, or some other nonce that can be linked to the user’s session.
When a user begins an authorization flow on the client, a state is generated that is unique to that user’s request. This value is stored somewhere accessible only to the client and the user, i.e. protected by the same-origin policy. When the user is redirected, the state parameter is returned. The client validates the request by checking that the state returned matches the stored value. If they match, it is a valid authorization request. If they do not match, it’s possible that someone intercepted the request or otherwise falsely authorized themselves to another user’s resources, and the request should be denied.
While the use of the state parameter is not required, it is highly recommended that you implement it for the security of your own applications and data.
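The generate, store and compare steps described above, as an added example that is not part of the original documentation. The session is modelled as a plain dict, and the names STATE_KEY, new_state and check_state are hypothetical.

```python
import hashlib
import hmac
import secrets
from typing import Optional

# Constructed key for this example; a real client loads it from secret storage.
STATE_KEY = secrets.token_bytes(32)


def _tag(session_id: str, nonce: str) -> str:
    """HMAC that links a nonce to one user session."""
    msg = f"{session_id}.{nonce}".encode()
    return hmac.new(STATE_KEY, msg, hashlib.sha256).hexdigest()


def new_state(session: dict) -> str:
    """Create a state unique to this request and store it in the session."""
    nonce = secrets.token_urlsafe(16)
    state = f"{nonce}.{_tag(session['id'], nonce)}"
    session["pending_state"] = state
    return state


def check_state(session: dict, returned: Optional[str]) -> bool:
    """Return True only if the returned state matches the stored value."""
    expected = session.pop("pending_state", None)  # single use: a replay fails
    if not expected or not returned:
        return False
    # Constant-time comparison against the value stored for this session.
    if not hmac.compare_digest(expected.encode(), returned.encode()):
        return False
    # Confirm the value is also bound to this session id.
    nonce, _, tag = returned.partition(".")
    return hmac.compare_digest(_tag(session["id"], nonce), tag)


def demo() -> dict:
    """Run the flow on two constructed sessions and report each outcome."""
    alice, bob = {"id": "sess-A"}, {"id": "sess-B"}
    state_a = new_state(alice)
    new_state(bob)
    return {
        "valid": check_state(alice, state_a),
        "replayed": check_state(alice, state_a),
        "other_session": check_state(bob, state_a),
        "missing": check_state({"id": "sess-C"}, None),
    }
```
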
The user will be redirected to the given
state will be included if it was given in the request.