Secure logout

Securely logging a user out is a critical part of session management. A complete logout process involves two main actions:

Clearing the application session: Removing session tokens from your application’s storage (e.g., browser cookies and backend database).
Invalidating the Scalekit session: Informing Scalekit to end the user’s session on its servers.

User-initiated logout

This is the standard flow where a user clicks a “Logout” button in your application.

Create a logout endpoint
Section titled “Create a logout endpoint”

Your application should have an endpoint, like /logout, that handles the logout logic.

Clear the application session

First, clear all session data stored by your application. This includes the accessToken from cookies and the refreshToken from your database.

1
// A function to clear session data
2
async function clearSessionData(res, userId) {
3
  // Clear the access token cookie
4
  res.clearCookie('accessToken');
5

6
  // Remove the refresh token from your database
7
  await db.deleteRefreshToken(userId);
8
}
9

10
app.get('/logout', (req, res) => {
11
  // Assuming you have the user's ID from a verified session
12
  const userId = req.user.id;
13
  const idToken = req.cookies.idToken; // Or retrieve from session
14
  clearSessionData(res, userId);
15

16
  // Proceed to invalidate the Scalekit session...
17
});

1
from flask import Flask, session, request, redirect, make_response
2
from scalekit import LogoutUrlOptions
3

4
app = Flask(__name__)
5

6
@app.route('/logout')
7
def logout():
8
    user_id = session.get('user_id')
9
    id_token = request.cookies.get('idToken')
10
    post_logout_redirect_uri = 'http://localhost:3000/login'
11

12
    # Clear local session data
13
    response = make_response()
14
    clear_session_data(response, user_id)
15

16
    # Generate the Scalekit logout URL
17
    logout_url = scalekit.get_logout_url(
18
        LogoutUrlOptions(
19
            id_token_hint=id_token,
20
            post_logout_redirect_uri=post_logout_redirect_uri
21
        )
22
    )
23

24
    # Redirect to Scalekit to complete the logout
25
    return redirect(logout_url)

1
func logoutHandler(c *gin.Context) {
2
    userID := c.GetString("user_id")
3
    idToken, _ := c.Cookie("idToken")
4
    postLogoutRedirectURI := "http://localhost:3000/login"
5

6
    // Clear local session data
7
    if err := clearSessionData(c, userID); err != nil {
8
        c.JSON(http.StatusInternalServerError, gin.H{"error": err.Error()})
9
        return
10
    }
11

12
    // Generate the Scalekit logout URL
13
    logoutURL, err := scalekit.GetLogoutUrl(LogoutUrlOptions{
14
        IdTokenHint: idToken,
15
        PostLogoutRedirectUri: postLogoutRedirectURI,
16
    })
17
    if err != nil {
18
        c.JSON(http.StatusInternalServerError, gin.H{"error": err.Error()})
19
        return
20
    }
21

22
    // Redirect to Scalekit to complete the logout
23
    c.Redirect(http.StatusFound, logoutURL.String())
24
}

1
// A function to clear session data
2
private void clearSessionData(HttpServletResponse response, String userId) {
3
    // Clear the access token cookie
4
    Cookie cookie = new Cookie("accessToken", null);
5
    cookie.setMaxAge(0);
6
    cookie.setPath("/");
7
    response.addCookie(cookie);
8

9
    // Remove the refresh token from your database
10
    db.deleteRefreshToken(userId);
11
}
12

13
@GetMapping("/logout")
14
public void logout(HttpServletRequest request, HttpServletResponse response) {
15
    // Assuming you have the user's ID from a verified session
16
    String userId = (String) request.getSession().getAttribute("user_id");
17
    String idToken = Arrays.stream(request.getCookies())
18
        .filter(c -> c.getName().equals("idToken"))
19
        .findFirst()
20
        .map(Cookie::getValue)
21
        .orElse(null);
22

23
    clearSessionData(response, userId);
24

25
    // Proceed to invalidate the Scalekit session...
26
}

Invalidate the Scalekit session

After clearing your local session, redirect the user to the Scalekit logout endpoint. This will invalidate their session on Scalekit’s servers and then redirect them back to your application.

The Scalekit logout endpoint signature is:

{SCALEKIT_ENV_URL}/oidc/logout?id_token_hint={idToken}&post_logout_redirect_uri={postLogoutRedirectUri}

Replace {SCALEKIT_ENV_URL} with your Scalekit environment URL (e.g., https://app.scalekit.com).
{idToken} is the user’s ID token.
{postLogoutRedirectUri} is the URL to redirect to after logout (must be registered in Scalekit).

1
app.get('/logout', (req, res) => {
2
  const userId = req.user.id;
3
  const idTokenHint = req.cookies.idToken;
4
  const postLogoutRedirectUri = 'http://localhost:3000/login';
5

6
  // Clear local session data
7
  clearSessionData(res, userId);
8

9
  // Generate the Scalekit logout URL
10
  const logoutUrl = scalekit.getLogoutUrl({
11
    idTokenHint,
12
    postLogoutRedirectUri
13
  });
14

15
  // Redirect to Scalekit to complete the logout
16
  res.redirect(logoutUrl);
17
});

1
from flask import session, request, redirect, make_response
2
from scalekit import LogoutUrlOptions
3

4
@app.route('/logout')
5
def logout():
6
    user_id = session.get('user_id')
7
    id_token = request.cookies.get('idToken')
8
    post_logout_redirect_uri = 'http://localhost:3000/login'
9

10
    # Clear local session data
11
    response = make_response()
12
    clear_session_data(response, user_id)
13

14
    # Generate the Scalekit logout URL
15
    logout_url = scalekit.get_logout_url(
16
        LogoutUrlOptions(
17
            id_token_hint=id_token,
18
            post_logout_redirect_uri=post_logout_redirect_uri
19
        )
20
    )
21

22
    # Redirect to Scalekit to complete the logout
23
    return redirect(logout_url)

1
func logoutHandler(c *gin.Context) {
2
    userID := c.GetString("user_id")
3
    idToken, _ := c.Cookie("idToken")
4
    postLogoutRedirectURI := "http://localhost:3000/login"
5

6
    // Clear local session data
7
    if err := clearSessionData(c, userID); err != nil {
8
        c.JSON(http.StatusInternalServerError, gin.H{"error": err.Error()})
9
        return
10
    }
11

12
    // Generate the Scalekit logout URL
13
    logoutURL, err := scalekit.GetLogoutUrl(LogoutUrlOptions{
14
        IdTokenHint: idToken,
15
        PostLogoutRedirectUri: postLogoutRedirectURI,
16
    })
17
    if err != nil {
18
        c.JSON(http.StatusInternalServerError, gin.H{"error": err.Error()})
19
        return
20
    }
21

22
    // Redirect to Scalekit to complete the logout
23
    c.Redirect(http.StatusFound, logoutURL.String())
24
}

1
@GetMapping("/logout")
2
public void logout(HttpServletRequest request, HttpServletResponse response) throws IOException {
3
    String userId = (String) request.getSession().getAttribute("user_id");
4
    String idToken = Arrays.stream(request.getCookies())
5
        .filter(c -> c.getName().equals("idToken"))
6
        .findFirst()
7
        .map(Cookie::getValue)
8
        .orElse(null);
9
    String postLogoutRedirectUri = "http://localhost:3000/login";
10

11
    // Clear local session data
12
    clearSessionData(response, userId);
13

14
    // Generate the Scalekit logout URL
15
    LogoutUrlOptions options = new LogoutUrlOptions();
16
    options.setIdTokenHint(idToken);
17
    options.setPostLogoutRedirectUri(postLogoutRedirectUri);
18
    // options.setState(state);  // optional
19

20
    URL logoutUrl = scalekit.authentication().getLogoutUrl(options);
21

22
    // Redirect to Scalekit to complete the logout
23
    response.sendRedirect(logoutUrl.toString());
24
}

The post logout redirect URI is the destination to which the user will be redirected after logging out. For example, take them to website landing page or a login page again. This must be registered post-login URL in the Scalekit dashboard.

IdP-initiated logout Coming Soon

For enterprise customers using SSO, an administrator might initiate logout directly from their Identity Provider’s (IdP) dashboard (e.g., Okta). Scalekit supports this flow by notifying your application to terminate the user’s session.

When this feature is available, the flow will be as follows:

An IdP administrator initiates a logout.
The IdP sends a logout request to Scalekit.
Scalekit calls a pre-configured webhook endpoint on your application.
Your application receives the request, identifies the user, and clears their session data, effectively logging them out.

Contact Support

This feature is currently available upon request. Contact our support team to have this feature enabled for your account.

Backchannel logout Coming Soon

Consider a scenario where a organization or a workspace uses multiple applications that all authenticate through Scalekit: a project management tool, a document sharing platform, and a team chat application. When a user logs out from one application, they expect to be logged out from all applications automatically for security reasons.

Backchannel logout enables this coordinated logout across multiple applications. Instead of relying on users to manually log out from each application, the system automatically terminates all related sessions.

The flow will be as follows:

A user logs out from one of your applications.
Scalekit identifies all applications sharing the same user session.
Scalekit sends a logout notification to each application’s registered backchannel logout endpoint.
Each application receives the notification, validates it, and terminates the user’s session.

This ensures that logging out from one application automatically logs the user out from all connected applications, providing a seamless and secure experience.