Securely logging a user out is a critical part of session management. A complete logout process involves two main actions: clearing the session data your application stores locally, and redirecting the user to Scalekit’s logout endpoint so that their Scalekit session is invalidated as well.
This is the standard flow where a user clicks a “Logout” button in your application.
Your application should have an endpoint, like /logout, that handles the logout logic.
First, clear all session data stored by your application. This includes the accessToken from cookies and the refreshToken from your database.
```javascript
// A function to clear session data
async function clearSessionData(res, userId) {
  // Clear the access token cookie
  res.clearCookie('accessToken');

  // Remove the refresh token from your database
  await db.deleteRefreshToken(userId);
}

app.get('/logout', async (req, res) => {
  // Assuming you have the user's ID from a verified session
  const userId = req.user.id;
  const idToken = req.cookies.idToken; // Or retrieve from session
  // Await the async helper so the refresh token is really gone before the redirect is sent
  await clearSessionData(res, userId);

  // Proceed to invalidate the Scalekit session...
});
```
```python
from flask import Flask, session, request, redirect, make_response
from scalekit import LogoutUrlOptions

app = Flask(__name__)

# `scalekit` is your initialized Scalekit client; clear_session_data is your
# helper that expires the accessToken cookie and deletes the stored refreshToken.

@app.route('/logout')
def logout():
    user_id = session.get('user_id')
    id_token = request.cookies.get('idToken')
    post_logout_redirect_uri = 'http://localhost:3000/login'

    # Generate the Scalekit logout URL
    logout_url = scalekit.get_logout_url(
        LogoutUrlOptions(
            id_token_hint=id_token,
            post_logout_redirect_uri=post_logout_redirect_uri
        )
    )

    # Clear local session data on the response that is actually returned:
    # a cookie expired on a separate make_response() object never reaches the browser
    response = make_response(redirect(logout_url))
    clear_session_data(response, user_id)

    # Redirect to Scalekit to complete the logout
    return response
```
```go
func logoutHandler(c *gin.Context) {
	userID := c.GetString("user_id")
	postLogoutRedirectURI := "http://localhost:3000/login"

	// Without the ID token the logout request cannot be tied to a user, so fail early
	idToken, err := c.Cookie("idToken")
	if err != nil {
		c.JSON(http.StatusBadRequest, gin.H{"error": "missing idToken cookie"})
		return
	}

	// Clear local session data
	if err := clearSessionData(c, userID); err != nil {
		c.JSON(http.StatusInternalServerError, gin.H{"error": err.Error()})
		return
	}

	// Generate the Scalekit logout URL
	logoutURL, err := scalekit.GetLogoutUrl(LogoutUrlOptions{
		IdTokenHint:           idToken,
		PostLogoutRedirectUri: postLogoutRedirectURI,
	})
	if err != nil {
		c.JSON(http.StatusInternalServerError, gin.H{"error": err.Error()})
		return
	}

	// Redirect to Scalekit to complete the logout
	c.Redirect(http.StatusFound, logoutURL.String())
}
```
```java
// A function to clear session data
private void clearSessionData(HttpServletResponse response, String userId) {
    // Clear the access token cookie
    Cookie cookie = new Cookie("accessToken", null);
    cookie.setMaxAge(0);
    cookie.setPath("/");
    response.addCookie(cookie);

    // Remove the refresh token from your database
    db.deleteRefreshToken(userId);
}

@GetMapping("/logout")
public void logout(HttpServletRequest request, HttpServletResponse response) {
    // Assuming you have the user's ID from a verified session
    String userId = (String) request.getSession().getAttribute("user_id");
    // getCookies() returns null when the request carries no cookies at all
    Cookie[] cookies = request.getCookies();
    String idToken = cookies == null ? null : Arrays.stream(cookies)
            .filter(c -> c.getName().equals("idToken"))
            .findFirst()
            .map(Cookie::getValue)
            .orElse(null);

    clearSessionData(response, userId);

    // Proceed to invalidate the Scalekit session...
}
```
After clearing your local session, redirect the user to the Scalekit logout endpoint. This will invalidate their session on Scalekit’s servers and then redirect them back to your application.
The Scalekit logout endpoint signature is:
{SCALEKIT_ENV_URL}/oidc/logout?id_token_hint={idToken}&post_logout_redirect_uri={postLogoutRedirectUri}

- Replace {SCALEKIT_ENV_URL} with your Scalekit environment URL (e.g., https://app.scalekit.com).
- {idToken} is the user’s ID token.
- {postLogoutRedirectUri} is the URL to redirect to after logout (must be registered in Scalekit).

```javascript
app.get('/logout', async (req, res) => {
  const userId = req.user.id;
  const idTokenHint = req.cookies.idToken;
  const postLogoutRedirectUri = 'http://localhost:3000/login';

  // Clear local session data (awaited: the refresh token must be deleted before we redirect)
  await clearSessionData(res, userId);

  // Generate the Scalekit logout URL
  const logoutUrl = scalekit.getLogoutUrl({ idTokenHint, postLogoutRedirectUri });

  // Redirect to Scalekit to complete the logout
  res.redirect(logoutUrl);
});
```
```python
from flask import session, request, redirect, make_response
from scalekit import LogoutUrlOptions

# `scalekit` is your initialized Scalekit client; clear_session_data is your
# helper that expires the accessToken cookie and deletes the stored refreshToken.

@app.route('/logout')
def logout():
    user_id = session.get('user_id')
    id_token = request.cookies.get('idToken')
    post_logout_redirect_uri = 'http://localhost:3000/login'

    # Generate the Scalekit logout URL
    logout_url = scalekit.get_logout_url(
        LogoutUrlOptions(
            id_token_hint=id_token,
            post_logout_redirect_uri=post_logout_redirect_uri
        )
    )

    # Clear local session data on the response that is actually returned:
    # a cookie expired on a separate make_response() object never reaches the browser
    response = make_response(redirect(logout_url))
    clear_session_data(response, user_id)

    # Redirect to Scalekit to complete the logout
    return response
```
```go
func logoutHandler(c *gin.Context) {
	userID := c.GetString("user_id")
	postLogoutRedirectURI := "http://localhost:3000/login"

	// Without the ID token the logout request cannot be tied to a user, so fail early
	idToken, err := c.Cookie("idToken")
	if err != nil {
		c.JSON(http.StatusBadRequest, gin.H{"error": "missing idToken cookie"})
		return
	}

	// Clear local session data
	if err := clearSessionData(c, userID); err != nil {
		c.JSON(http.StatusInternalServerError, gin.H{"error": err.Error()})
		return
	}

	// Generate the Scalekit logout URL
	logoutURL, err := scalekit.GetLogoutUrl(LogoutUrlOptions{
		IdTokenHint:           idToken,
		PostLogoutRedirectUri: postLogoutRedirectURI,
	})
	if err != nil {
		c.JSON(http.StatusInternalServerError, gin.H{"error": err.Error()})
		return
	}

	// Redirect to Scalekit to complete the logout
	c.Redirect(http.StatusFound, logoutURL.String())
}
```
```java
@GetMapping("/logout")
public void logout(HttpServletRequest request, HttpServletResponse response) throws IOException {
    String userId = (String) request.getSession().getAttribute("user_id");
    // getCookies() returns null when the request carries no cookies at all
    Cookie[] cookies = request.getCookies();
    String idToken = cookies == null ? null : Arrays.stream(cookies)
            .filter(c -> c.getName().equals("idToken"))
            .findFirst()
            .map(Cookie::getValue)
            .orElse(null);
    String postLogoutRedirectUri = "http://localhost:3000/login";

    // Clear local session data
    clearSessionData(response, userId);

    // Generate the Scalekit logout URL
    LogoutUrlOptions options = new LogoutUrlOptions();
    options.setIdTokenHint(idToken);
    options.setPostLogoutRedirectUri(postLogoutRedirectUri);
    // options.setState(state); // optional

    URL logoutUrl = scalekit.authentication().getLogoutUrl(options);

    // Redirect to Scalekit to complete the logout
    response.sendRedirect(logoutUrl.toString());
}
```
The post logout redirect URI is the destination to which the user is sent after logging out, for example your website’s landing page or the login page. This URL must be registered as a post-logout redirect URL in the Scalekit dashboard; unregistered values are not accepted.
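The redirect step above in framework-free form, as an added example that is not Scalekit’s SDK or documentation code: it assembles the /oidc/logout URL from the documented template with both parameters URL-encoded, refuses a post_logout_redirect_uri that is not on the registered list (so a user-supplied "next" value can never become the redirect target), and clears the local accessToken, idToken and stored refreshToken before handing back the redirect target. The environment URL, the registered URIs and the in-memory session store are constructed stand-ins for your configuration, cookie jar and database.

```python
from urllib.parse import urlencode

# Constructed sample values; replace with your own environment URL and registered URIs.
SCALEKIT_ENV_URL = "https://example-env.scalekit.com"
REGISTERED_POST_LOGOUT_URIS = frozenset({
    "http://localhost:3000/login",
    "https://app.example.com/",
})


def is_registered_redirect(uri, registered=REGISTERED_POST_LOGOUT_URIS):
    """Exact-string allowlist check mirroring the dashboard registration. Scalekit
    rejects unregistered URIs on its side too; checking locally means a bad value
    is caught before any redirect is issued."""
    return uri in registered


def build_logout_url(env_url, id_token_hint, post_logout_redirect_uri, state=None):
    """Assemble {SCALEKIT_ENV_URL}/oidc/logout?id_token_hint=...&post_logout_redirect_uri=...
    with URL-encoded parameters. `state` is the optional parameter the Java sample mentions."""
    if not id_token_hint:
        raise ValueError("id_token_hint is required: Scalekit cannot identify the session without it")
    if not is_registered_redirect(post_logout_redirect_uri):
        raise ValueError(f"unregistered post_logout_redirect_uri: {post_logout_redirect_uri}")
    params = {"id_token_hint": id_token_hint, "post_logout_redirect_uri": post_logout_redirect_uri}
    if state:
        params["state"] = state
    return f"{env_url.rstrip('/')}/oidc/logout?{urlencode(params)}"


class LocalSession:
    """In-memory stand-in for the cookie jar (accessToken, idToken) and the
    database row that holds the user's refreshToken."""

    def __init__(self, user_id, access_token, id_token, refresh_token):
        self.user_id = user_id
        self.cookies = {"accessToken": access_token, "idToken": id_token}
        self.refresh_tokens = {user_id: refresh_token}

    def clear(self):
        """Step 1 of the flow: drop every local credential so neither the cookie
        nor the stored refresh token can be used after logout."""
        self.cookies.pop("accessToken", None)
        self.cookies.pop("idToken", None)
        self.refresh_tokens.pop(self.user_id, None)


def logout(session, post_logout_redirect_uri, env_url=SCALEKIT_ENV_URL):
    """Full user-initiated logout: read the ID token before clearing, clear the local
    session, then return the Scalekit logout URL the browser is redirected to."""
    id_token = session.cookies.get("idToken")
    session.clear()
    return build_logout_url(env_url, id_token, post_logout_redirect_uri)
```

The ID token is read before `clear()` runs because the hint is needed for the redirect but must not survive in the browser afterwards; a missing token still clears the local session and then fails closed rather than redirecting with an empty hint.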
Backchannel logout enables coordinated logout across multiple applications that share the same Scalekit authentication. When a user logs out from one application, they’re automatically logged out from all connected applications for enhanced security.
Imagine your organization uses multiple applications—a project management tool, document sharing platform, and team chat application—all authenticated through Scalekit. Without backchannel logout, users must manually log out from each application individually, creating security risks if they forget to log out from some applications.
Backchannel logout solves this by automatically terminating all related sessions when logout occurs in any single application.
1. User initiates logout: a user logs out from one of your applications.
2. Scalekit sends notification: Scalekit sends a logout notification to your registered backchannel logout endpoint.
3. Application terminates sessions: your application receives the notification, validates it, and terminates the user’s session; every connected application that receives the notification does the same.
This ensures that logging out from one application automatically logs the user out from all connected applications, providing a seamless and secure experience.
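An added example of the "receives the notification, validates it, and terminates the user’s session" step, not code from Scalekit’s SDK or documentation. It assumes the notification is an OIDC Back-Channel Logout token (a JWT carrying the backchannel-logout event, a jti and a sub and/or sid), which the page does not spell out, and signs the constructed sample with HS256 and a shared secret so the block runs offline; against a real provider you would verify the signature with the provider’s published keys, and the claim checks stay the same. The connected-application session registry, the issuer, audience and key are all constructed values.

```python
import base64
import hashlib
import hmac
import json
import time

BACKCHANNEL_LOGOUT_EVENT = "http://schemas.openid.net/event/backchannel-logout"
MAX_TOKEN_AGE_SECONDS = 300  # assumption: notifications issued more than 5 minutes ago are rejected

# Constructed sample values; a real deployment takes these from its configuration.
KEY = b"constructed-shared-secret"           # stands in for the provider's signing key
ISSUER = "https://example-env.scalekit.com"  # constructed environment URL
AUDIENCE = "client_example_123"              # constructed client id


class LogoutTokenError(Exception):
    """Validation failed: the endpoint should answer 400 and terminate nothing."""


def _b64url_decode(data):
    return base64.urlsafe_b64decode(data + "=" * (-len(data) % 4))


def _b64url_encode(data):
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def make_logout_token(claims, key):
    """Mint an HS256 logout token; used here only to construct sample input."""
    header = _b64url_encode(json.dumps({"alg": "HS256", "typ": "logout+jwt"}).encode())
    payload = _b64url_encode(json.dumps(claims).encode())
    signature = hmac.new(key, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url_encode(signature)}"


def verify_logout_token(token, key, issuer, audience, seen_jtis, now=None):
    """Return the claims of a valid logout token. Checks signature and alg, iss, aud,
    iat freshness, exp when present, the logout event, sub/sid, no nonce, jti replay."""
    now = time.time() if now is None else now
    try:
        header_b64, payload_b64, sig_b64 = token.split(".")
        header = json.loads(_b64url_decode(header_b64))
        signature = _b64url_decode(sig_b64)
        claims = json.loads(_b64url_decode(payload_b64))
    except ValueError as exc:  # bad split, bad base64 and bad JSON all land here
        raise LogoutTokenError("malformed token") from exc
    if header.get("alg") != "HS256":
        raise LogoutTokenError("unexpected alg")
    expected = hmac.new(key, f"{header_b64}.{payload_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, signature):
        raise LogoutTokenError("bad signature")
    if claims.get("iss") != issuer:
        raise LogoutTokenError("wrong issuer")
    aud = claims.get("aud")
    if audience not in (aud if isinstance(aud, list) else [aud]):
        raise LogoutTokenError("wrong audience")
    iat = claims.get("iat")
    if not isinstance(iat, (int, float)) or now - iat > MAX_TOKEN_AGE_SECONDS or iat > now + 60:
        raise LogoutTokenError("iat missing, stale or in the future")
    if "exp" in claims and claims["exp"] <= now:
        raise LogoutTokenError("token expired")
    if BACKCHANNEL_LOGOUT_EVENT not in (claims.get("events") or {}):
        raise LogoutTokenError("missing backchannel-logout event")
    if "nonce" in claims:  # a nonce marks an ID token; it must never appear in a logout token
        raise LogoutTokenError("nonce must not be present")
    if not (claims.get("sub") or claims.get("sid")):
        raise LogoutTokenError("sub or sid required")
    jti = claims.get("jti")
    if not jti or jti in seen_jtis:
        raise LogoutTokenError("missing or replayed jti")
    seen_jtis.add(jti)
    return claims


class SessionRegistry:
    """In-memory stand-in for the session stores of the connected applications."""

    def __init__(self):
        self.sessions = []  # each entry: {"app", "sub", "sid", "session_id"}

    def add(self, app, sub, sid, session_id):
        self.sessions.append({"app": app, "sub": sub, "sid": sid, "session_id": session_id})

    def terminate(self, sub=None, sid=None):
        """End the login identified by sid, or every session of sub when no sid is given."""
        def hit(s):
            return s["sid"] == sid if sid is not None else s["sub"] == sub
        ended = [s for s in self.sessions if hit(s)]
        self.sessions = [s for s in self.sessions if not hit(s)]
        return ended


def handle_backchannel_logout(token, registry, seen_jtis, now=None):
    """Endpoint body: validate first, and terminate sessions only on success."""
    claims = verify_logout_token(token, KEY, ISSUER, AUDIENCE, seen_jtis, now)
    return registry.terminate(sub=claims.get("sub"), sid=claims.get("sid"))


def sample_registry():
    """Constructed: three apps sharing one login of user-123, plus an unrelated user."""
    reg = SessionRegistry()
    for app, sess in (("project-mgmt", "s1"), ("docs", "s2"), ("chat", "s3")):
        reg.add(app, "user-123", "sid-abc", sess)
    reg.add("chat", "user-999", "sid-xyz", "s4")
    return reg


def sample_token(now, **overrides):
    """Constructed notification for user-123; overrides let a caller break one claim."""
    claims = {"iss": ISSUER, "aud": AUDIENCE, "iat": int(now) - 10, "jti": "jti-1",
              "sub": "user-123", "sid": "sid-abc", "events": {BACKCHANNEL_LOGOUT_EVENT: {}}}
    claims.update(overrides)
    return make_logout_token(claims, KEY)
```

`seen_jtis` must be shared storage with a lifetime of at least MAX_TOKEN_AGE_SECONDS across all instances of the endpoint, otherwise a captured notification could be replayed against another instance; in a single process a set is enough, which is what the sample uses.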
For enterprise customers using SSO, an administrator might initiate logout directly from their Identity Provider’s (IdP) dashboard (e.g., Okta). Scalekit supports this flow by notifying your application to terminate the user’s session.
When this feature is available, the flow will be as follows:
Contact Support
This feature is currently available upon request. Contact our support team to have this feature enabled for your account.