How to call the sign out endpoint to end a user's session


Ending a user's session with the Next Identity Journeys is an optional workflow in your integration with Next Identity.

In this user journey, if you'd like to end the hosted session for a user outside of the hosted screens (for example, in tandem with a logout function in your own application), you can call this endpoint.

If this endpoint is called, the user will no longer have an active session on the hosted screens should they return to the /authorize endpoint.

Endpoint URL

End Session

https://id.eu.nextreason.com/endsession?post_logout_redirect_uri=REDIRECT_URI&client_id=CLIENTID

Required Parameters

The following parameters must be included on every request.

  • post_logout_redirect_uri: Configures the URL the user is redirected to after a successful endsession call. Important note: ensure the URL is included in the list of allowed URLs for your integration.

  • client_id: ID used to authenticate the API call.

Optional Parameters

The following parameter may be included in the request.

  • state: This state parameter is constructed by your application and included in the call to the hosted Next Identity service. It remains unchanged and is passed back to your application when the screen redirects back. It is intended for use by your application to track user state, and it should be an opaque value used to maintain state between the request and the callback.

Typically, applications mitigate Cross-Site Request Forgery (CSRF, XSRF) by cryptographically binding the value of this parameter to a browser cookie. This value is required on every call, but the hosted service does not use it in any way; it is solely for use by the application.

The application can then check whether the returned state value is correct or meets specified criteria, and only then perform the expected actions or user journeys on the application side.

Response Handling

The endsession response typically includes parameters such as "logout" to indicate the success of the logout operation and "state" to manage session information or facilitate secure redirection post-logout.

Configuration Options

When calling the endsession endpoint, the integrating application can specify the redirect URL for users. This URL can be configured at the client level.

Important note: This URL must be included in the safe list configuration. Please contact your Next Reason consultant to add URLs to this list.

Error Handling

  • Code: 403 Forbidden

    Error:

    {
      "error": "http_exception",
      "error_details": {
        "message": "Forbidden"
      }
    }

    Cause: Incorrect client_id

Security Considerations

  • Clear Session Data: Ensure that, upon logout, all session-related data stored on the server, as well as on the client-side (e.g., cookies or local storage), is cleared. This prevents unauthorized access in future sessions.

Integration

The /endsession endpoint is designed to end the user session if one is present. It can then redirect the user based on the post_logout_redirect_uri parameter. This is the endpoint you would use if you were attempting to end the session outside of the Next Identity Journeys hosted screens. The endsession request consists of the base domain + the endpoint (/endsession) + parameters.
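The following is an added example (not Next Identity's own code) that puts the request construction described here together with the state handling from the Optional Parameters section: it builds the endsession URL from the base domain, the /endsession path and the three parameters, generates an opaque state value bound to a browser cookie via an HMAC, and verifies that binding when the user is redirected back. The cookie secret, the redirect URI and the callback URL are constructed sample values; the page does not specify the possible values of the "logout" response parameter, so the code returns it unchanged for the application to interpret.

```python
import hashlib
import hmac
import secrets
from urllib.parse import parse_qs, urlencode, urlparse

# Base domain + endpoint, as given on the page.
ENDSESSION_URL = "https://id.eu.nextreason.com/endsession"


def new_state(cookie_secret: bytes):
    """Return an opaque state value and the HMAC tag to store in a cookie.

    Binding the state to a cookie (tag = HMAC(secret, state)) is the CSRF
    mitigation the page describes; the hosted service never inspects state."""
    state = secrets.token_urlsafe(32)
    tag = hmac.new(cookie_secret, state.encode(), hashlib.sha256).hexdigest()
    return state, tag


def build_endsession_url(client_id: str, post_logout_redirect_uri: str, state: str) -> str:
    """Assemble the endsession request: base domain + /endsession + parameters.

    post_logout_redirect_uri must already be on the integration's allow list."""
    query = urlencode({
        "post_logout_redirect_uri": post_logout_redirect_uri,
        "client_id": client_id,
        "state": state,
    })
    return f"{ENDSESSION_URL}?{query}"


def verify_logout_callback(callback_url: str, cookie_secret: bytes, cookie_tag: str):
    """Check the state echoed back on the redirect against the cookie binding.

    Returns (state_ok, logout_value). Only act on the logout result (clear
    server-side session, cookies, local storage) when state_ok is True."""
    params = parse_qs(urlparse(callback_url).query)
    state = params.get("state", [None])[0]
    logout_value = params.get("logout", [None])[0]
    if state is None:
        return False, logout_value
    expected = hmac.new(cookie_secret, state.encode(), hashlib.sha256).hexdigest()
    # Constant-time comparison so the tag cannot be guessed byte by byte.
    return hmac.compare_digest(expected, cookie_tag), logout_value
```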
