Implement logout
Terminate user sessions across your application and Scalekit
When implementing logout functionality, you need to consider three session layers where user authentication state is maintained:
- Application session layer: Your application stores session tokens (access tokens, refresh tokens, ID tokens) in browser cookies. You control this layer completely.
- Scalekit session layer: Scalekit maintains a session for the user and stores their information. When users return to Scalekit's authentication page, their information is remembered for a smoother experience.
- Identity provider session layer: When users authenticate with external providers (for example, Okta through enterprise SSO), those providers maintain their own sessions. Users won't be prompted to sign in again if they're already signed into the provider.
This guide shows you how to clear the application session layer and invalidate the Scalekit session layer in a single logout endpoint.

- Create a logout endpoint

Create a `/logout` endpoint in your application that handles the complete logout flow: extracting the ID token, generating the Scalekit logout URL, clearing session cookies, and redirecting to Scalekit.

Express.js

```javascript
// req.cookies is populated by the cookie-parser middleware (app.use(cookieParser())).
app.get('/logout', (req, res) => {
  // Step 1: Extract the ID token (needed for Scalekit logout)
  const idTokenHint = req.cookies.idToken;
  const postLogoutRedirectUri = 'http://localhost:3000/login';

  // Step 2: Generate the Scalekit logout URL
  const logoutUrl = scalekit.getLogoutUrl(
    idTokenHint,          // ID token to invalidate
    postLogoutRedirectUri // URL that Scalekit redirects to after session invalidation
  );

  // Step 3: Clear all session cookies (pass the same path/domain options
  // that were used when the cookies were set, otherwise the browser keeps them)
  res.clearCookie('accessToken');
  res.clearCookie('refreshToken');
  res.clearCookie('idToken'); // Clear AFTER using it for logout URL

  // Step 4: Redirect to Scalekit to invalidate the session
  res.redirect(logoutUrl);
});
```

Flask

```python
from flask import request, redirect, make_response
from scalekit import LogoutUrlOptions


@app.route('/logout')
def logout():
    # Step 1: Extract the ID token (needed for Scalekit logout)
    id_token = request.cookies.get('idToken')
    post_logout_redirect_uri = 'http://localhost:3000/login'

    # Step 2: Generate the Scalekit logout URL
    logout_url = scalekit_client.get_logout_url(
        LogoutUrlOptions(
            id_token_hint=id_token,
            post_logout_redirect_uri=post_logout_redirect_uri,
        )
    )

    # Step 3: Create response and clear all session cookies
    response = make_response(redirect(logout_url))
    response.set_cookie('accessToken', '', max_age=0)
    response.set_cookie('refreshToken', '', max_age=0)
    response.set_cookie('idToken', '', max_age=0)  # Clear AFTER using it for logout URL

    # Step 4: Return response that redirects to Scalekit
    return response
```

Gin

```go
func logoutHandler(c *gin.Context) {
	// Step 1: Extract the ID token (needed for Scalekit logout).
	// c.Cookie returns "" and an error when the cookie is missing.
	idToken, _ := c.Cookie("idToken")
	postLogoutRedirectURI := "http://localhost:3000/login"

	// Step 2: Generate the Scalekit logout URL
	logoutURL, err := scalekit.GetLogoutUrl(LogoutUrlOptions{
		IdTokenHint:           idToken,
		PostLogoutRedirectUri: postLogoutRedirectURI,
	})
	if err != nil {
		c.JSON(http.StatusInternalServerError, gin.H{"error": err.Error()})
		return
	}

	// Step 3: Clear all session cookies
	// SetCookie arguments: name, value, maxAge, path, domain, secure, httpOnly
	c.SetCookie("accessToken", "", -1, "/", "", true, true)
	c.SetCookie("refreshToken", "", -1, "/", "", true, true)
	c.SetCookie("idToken", "", -1, "/", "", true, true) // Clear AFTER using it for logout URL

	// Step 4: Redirect to Scalekit to invalidate the session
	c.Redirect(http.StatusFound, logoutURL.String())
}
```

Spring Boot

```java
@GetMapping("/logout")
public void logout(HttpServletRequest request, HttpServletResponse response) throws IOException {
    // Step 1: Extract the ID token (needed for Scalekit logout)
    String idToken = request.getCookies() != null
        ? Arrays.stream(request.getCookies())
            .filter(c -> c.getName().equals("idToken"))
            .findFirst()
            .map(Cookie::getValue)
            .orElse(null)
        : null;
    String postLogoutRedirectUri = "http://localhost:3000/login";

    // Step 2: Generate the Scalekit logout URL
    LogoutUrlOptions options = new LogoutUrlOptions();
    options.setIdTokenHint(idToken);
    options.setPostLogoutRedirectUri(postLogoutRedirectUri);
    URL logoutUrl = scalekitClient.authentication().getLogoutUrl(options);

    // Step 3: Clear all session cookies with security attributes
    // (path and flags must match the cookies that were originally set)
    Cookie accessTokenCookie = new Cookie("accessToken", null);
    accessTokenCookie.setMaxAge(0);
    accessTokenCookie.setPath("/");
    accessTokenCookie.setHttpOnly(true);
    accessTokenCookie.setSecure(true);
    response.addCookie(accessTokenCookie);

    Cookie refreshTokenCookie = new Cookie("refreshToken", null);
    refreshTokenCookie.setMaxAge(0);
    refreshTokenCookie.setPath("/");
    refreshTokenCookie.setHttpOnly(true);
    refreshTokenCookie.setSecure(true);
    response.addCookie(refreshTokenCookie);

    Cookie idTokenCookie = new Cookie("idToken", null);
    idTokenCookie.setMaxAge(0);
    idTokenCookie.setPath("/");
    idTokenCookie.setHttpOnly(true);
    idTokenCookie.setSecure(true);
    response.addCookie(idTokenCookie); // Clear AFTER using it for logout URL

    // Step 4: Redirect to Scalekit to invalidate the session
    response.sendRedirect(logoutUrl.toString());
}
```

Important: The logout flow clears cookies AFTER extracting the ID token and generating the logout URL. This ensures the ID token is available for Scalekit's logout endpoint.
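The same flow as a framework-agnostic, testable function (an added example, not Scalekit SDK code): it reads the ID token before expiring the cookies, builds the logout URL with `id_token_hint` and `post_logout_redirect_uri`, and handles the case where the ID token cookie is already gone. `END_SESSION_ENDPOINT` is an assumed placeholder for the provider's logout URL, which the SDK calls above supply for you.

```javascript
// Added example, not Scalekit SDK code. END_SESSION_ENDPOINT is a placeholder
// (assumption) for the provider's RP-initiated logout URL; the cookie names
// match the guide above.
const END_SESSION_ENDPOINT = 'https://auth.example.invalid/oidc/logout'; // placeholder
const SESSION_COOKIES = ['accessToken', 'refreshToken', 'idToken'];

// Parse a raw Cookie request header into a name -> value map.
function parseCookieHeader(header) {
  const out = {};
  for (const part of (header || '').split(';')) {
    const idx = part.indexOf('=');
    if (idx < 0) continue;
    const name = part.slice(0, idx).trim();
    if (name) out[name] = decodeURIComponent(part.slice(idx + 1).trim());
  }
  return out;
}

// Build the provider logout URL with id_token_hint and post_logout_redirect_uri
// (the two inputs the SDK calls on this page take).
function buildLogoutUrl(idTokenHint, postLogoutRedirectUri) {
  const url = new URL(END_SESSION_ENDPOINT);
  url.searchParams.set('id_token_hint', idTokenHint);
  url.searchParams.set('post_logout_redirect_uri', postLogoutRedirectUri);
  return url.toString();
}

// Set-Cookie header that expires a cookie. Path (and Domain, if one was used
// when the cookie was set) must match the original or the browser keeps it.
function expireCookie(name) {
  return `${name}=; Max-Age=0; Path=/; HttpOnly; Secure; SameSite=Lax`;
}

// What the /logout handler should send back: a 302 Location plus the
// Set-Cookie headers that clear the application session layer.
function buildLogoutResponse(cookieHeader, postLogoutRedirectUri) {
  const cookies = parseCookieHeader(cookieHeader);
  const idToken = cookies.idToken; // read BEFORE the cookie is expired
  // Without an ID token there is nothing to hint; the application session is
  // still cleared and the user lands on the login page (assumed fallback).
  const location = idToken
    ? buildLogoutUrl(idToken, postLogoutRedirectUri)
    : postLogoutRedirectUri;
  return { status: 302, location, setCookie: SESSION_COOKIES.map(expireCookie) };
}
```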
- Configure post-logout redirect URL

After users log out, Scalekit redirects them to the URL you specify in the `post_logout_redirect_uri` parameter. This URL must be registered in your Scalekit dashboard under Dashboard > Authentication > Redirects > Post Logout URL.

Scalekit only redirects to URLs from your allow list. This prevents unauthorized redirects and protects your users. If you need different redirect URLs for different applications, you can register multiple post-logout URLs in your dashboard.