Logout

A customer can log out to end access to a client application website. Logging out tells the client application that the current user wishes to end the login session.

Logout involves up to three session layers

  • Client Application - This is the session inside the client application. Although Cognito authenticates users, each application still needs to track that the user has logged in to it. In client web applications this is usually done by storing information in cookies. Users are logged out of the client application by clearing that session; Cognito never does this on the application's behalf.

  • Global SSO - Cognito also maintains a session for the user and stores it in an SSO cookie on the Cognito domain. The next time a user is redirected to the Cognito Hosted Login, the user is remembered and not prompted for credentials. When a user logs out of Cognito, the SSO cookie is cleared.

  • Identity Provider - Cognito supports sign-in through external Identity Providers (for example, Facebook). When users sign in with one of these providers and are already signed in to the provider, they are not prompted to sign in again. Identity providers usually store their own cookies to manage this, and neither the client application nor Cognito clears them.

Cognito Redirect after Logout

Cognito supports redirecting the browser to a logout_uri once its logout process has completed. (Each client still needs to clear its own cookies; the redirect does not do that.) Usually, clients redirect to the client's public landing page.

USTA Requirements:

  • Logging out of a single application logs out of that client application only. Only the local application's tokens are invalidated and may not be refreshed. Logging out of one application does not log out of the other client applications.

  • Client applications need to keep track of their own logged-in state.

  • Client applications should update navigation links depending on the logged-in state (e.g. show a login or a logout link).

  • Client applications can persist their session using their own methodology (e.g. mobile clients may choose to use platform secure storage instead of cookies).

  • The user stays logged in when they close and reopen their browser and navigate back to the client application (the session cookies are persistent, not session-scoped).

Approach

Perform a local application logout only

Steps:

The client application should first clear its own session (the Client Application layer above) and then redirect the browser to the Cognito logout URL shown below:

https://stage-account.usta.com/logout?client_id=[your_client_id]&logout_uri=[your_logout_url]

For example:

https://stage-account.usta.com/logout?client_id=30pk4n30s5ti65u4jhi2v3kajm&logout_uri=http://localhost:8000/logged_out.html

Redirecting to this endpoint clears the Cognito SSO cookie (the Global SSO layer), so the next visit to the Hosted Login prompts for credentials again. It does not revoke access or refresh tokens that other client applications already hold, which is why it still counts as a local logout in this strategy.

The logout_uri must be registered as an allowed sign-out URL on the Cognito app client, and Cognito compares it as an exact match (scheme, host, port and path). This is what prevents the endpoint from being used as an open redirect. If the value is not registered, Cognito does not redirect and the user sees a generic Cognito error page instead of the logged-out page.

All redirect and sign-out URLs should have been registered in the https://ustadigital.atlassian.net/wiki/spaces/DEV/pages/1021182141 step of the documentation.
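The local-logout steps above, as an added example rather than code from the USTA documentation. It assumes a browser-facing Node/JavaScript application; the cookie name usta_app_session, the config object and the allowed sign-out list are illustrative, and the client_id and URLs are the placeholders already used on this page.

```javascript
// Added example (not part of the USTA documentation): helpers for the
// "local application logout" flow. The session cookie name, the config
// object and the allowed sign-out list below are assumptions for illustration.

const SESSION_COOKIE = "usta_app_session"; // assumed name of the app's own session cookie

// Build the Cognito /logout URL. URLSearchParams percent-encodes logout_uri,
// so a target containing '?', '&' or '#' cannot break the query string or
// smuggle extra parameters into the request.
function buildCognitoLogoutUrl(cognitoDomain, clientId, logoutUri) {
  const url = new URL("/logout", cognitoDomain);
  url.searchParams.set("client_id", clientId);
  url.searchParams.set("logout_uri", logoutUri);
  return url.toString();
}

// Cognito only redirects to a logout_uri that exactly matches one of the app
// client's allowed sign-out URLs. Mirroring that check client-side turns a
// misconfiguration into a development-time error instead of a generic Cognito
// error page in production. The comparison is deliberately exact: no prefix
// or substring matching, so "http://localhost:8000.evil.example" is rejected.
function isRegisteredLogoutUri(logoutUri, allowedSignOutUrls) {
  return allowedSignOutUrls.includes(logoutUri);
}

// Set-Cookie value that expires the application's own session cookie. This is
// the "clear their session" step of the Client Application layer; Cognito's
// /logout endpoint never clears cookies on the application's domain.
function clearSessionCookieHeader(cookieName = SESSION_COOKIE, secure = true) {
  const attrs = [
    `${cookieName}=`,
    "Path=/",
    "Max-Age=0",
    "Expires=Thu, 01 Jan 1970 00:00:00 GMT",
    "HttpOnly",
    "SameSite=Lax",
  ];
  if (secure) attrs.push("Secure");
  return attrs.join("; ");
}

// Full local logout: clear the app session, then hand the browser to Cognito
// so the Hosted Login SSO cookie is cleared as well. Returns the HTTP response
// the application should send (status + headers) rather than sending it, so
// it can be used with any web framework.
function localLogout(config) {
  if (!isRegisteredLogoutUri(config.logoutUri, config.allowedSignOutUrls)) {
    throw new Error(
      `logout_uri ${config.logoutUri} is not registered on the Cognito app client`
    );
  }
  return {
    status: 302,
    headers: {
      "Set-Cookie": clearSessionCookieHeader(config.sessionCookie, config.secureCookie),
      Location: buildCognitoLogoutUrl(config.cognitoDomain, config.clientId, config.logoutUri),
    },
  };
}

// Constructed configuration reusing the placeholder values from this page.
// secureCookie is false only because the example logout_uri is plain http on
// localhost; production configuration should leave it true.
const EXAMPLE_CONFIG = {
  cognitoDomain: "https://stage-account.usta.com",
  clientId: "30pk4n30s5ti65u4jhi2v3kajm",
  logoutUri: "http://localhost:8000/logged_out.html",
  allowedSignOutUrls: ["http://localhost:8000/logged_out.html"],
  sessionCookie: SESSION_COOKIE,
  secureCookie: false,
};

console.log(localLogout(EXAMPLE_CONFIG));
```

The page's own example passes logout_uri unencoded, which Cognito accepts for a simple URL; building the query with URLSearchParams keeps the flow correct when the landing page carries its own query string. Clearing the cookie and redirecting in the same response means there is no window in which the application still considers the user logged in while Cognito has already forgotten them.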


Global Logout

Global Logout is not part of the USTA logout strategy and should not be used in applications. It is documented here for reference only.

To perform a global logout, the client calls POST https://{client-api}services.usta.com/customers/me/logout and passes the signed-in user's access token as a bearer token in the Authorization header:

Authorization: Bearer {access_token}

The request has no body.

EXAMPLE REQUEST

curl --location --request POST 'https://stage-services.usta.com/v1/customers/me/logout' \
  --header 'Content-Type: application/x-www-form-urlencoded' \
  --header 'Authorization: Bearer eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiIxMjM0NTY3ODkwIiwibmFtZSI6IkpvaG4gRG9lIiwiaWF0IjoxNTE2MjM5MDIyfQ.SflKxwRJSMeKKF2QT4fwpMeJf36POk6yJV_adQssw5c'

(The token shown is a placeholder; substitute the current user's access token.)

Because this is a global logout, all access tokens issued to the user, including those held by other client applications, are revoked. Any subsequent service call by another client with a revoked token fails with an error such as HTTP 400 "Access Token has been revoked".