Logging out users

The Yoco authorization server supports RP-Initiated Logout via the /oauth2/sessions/logout endpoint.

This endpoint enables you to notify the Yoco authorization server when a user logs out of your application.

Ensure the following conditions have been met:

1. You must provide at least one post_logout_redirect_uri when setting up your OAuth 2.0 client. This is the URL to which the user will be redirected after the Yoco authorization server has handled the logout request.
2. When the user logs out of your application, you should redirect them to the Yoco authorization server’s logout endpoint with the parameters indicated below:
   • id_token_hint: The ID token of the user who is logging out. This token should be passed as a query parameter.
   • post_logout_redirect_uri: The URL to which the user will be redirected after the logout process is complete. This should match one of the post_logout_redirect_uri values you provided when setting up your OAuth 2.0 client. All parameter values must be properly URL-encoded.
   • state: A state parameter containing a random value used to maintain state between the request and the callback. After the logout process is complete, the Yoco authorization server will include this value in the query params of the redirect URI.

Logout endpoint

1
GET /oauth2/sessions/logout?post_logout_redirect_uri=<URL_ENCODED_POST_LOGOUT_REDIRECT_URI>&id_token_hint=<ID_TOKEN>&state=<STATE>

Once the user has been logged out of the Yoco authorization server, they will be redirected to the post_logout_redirect_uri you specified in the request. The query params of the redirect URI will include the state value you provided in the request.