
End Session Endpoint

The end session endpoint can be used to trigger single sign-out in the browser (see spec).

To use the end session endpoint a client application will redirect the user’s browser to the end session URL. All applications that the user has logged into via the browser during the user’s session can participate in the sign-out.

The URL for the end session endpoint is available via discovery.

  • id_token_hint

    When the user is redirected to the endpoint, they will be prompted if they really want to sign-out. This prompt can be bypassed by a client sending the original id_token received from authentication. This is passed as a query string parameter called id_token_hint.

  • post_logout_redirect_uri

    If a valid id_token_hint is passed, then the client may also send a post_logout_redirect_uri parameter. This can be used to allow the user to redirect back to the client after sign-out. The value must match one of the client’s pre-configured PostLogoutRedirectUris.

  • state

    If a valid post_logout_redirect_uri is passed, then the client may also send a state parameter. This will be returned back to the client as a query string parameter after the user redirects back to the client. This is typically used by clients to roundtrip state across the redirect.

GET /connect/endsession?id_token_hint=...&post_logout_redirect_uri=http%3A%2F%2Flocalhost%3A7017%2Findex.html
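The three parameters above form a dependency chain, which is what keeps the endpoint from acting as an open redirector. The following stand-alone model of that chain is an added example, not IdentityServer code: the type names, the whole-string ordinal comparison, and the choice to drop a non-matching URI without redirecting are assumptions of the model.

```csharp
using System;
using System.Collections.Generic;

// Constructed sample data: one registered URI and three requests.
var registered = new HashSet<string>(StringComparer.Ordinal)
{
    "http://localhost:7017/index.html"
};
var samples = new[]
{
    new EndSessionParams(true,  "http://localhost:7017/index.html", "abc 123"),
    new EndSessionParams(true,  "http://localhost:7017/index.html/extra", "abc"),
    new EndSessionParams(false, "http://localhost:7017/index.html", "abc"),
};
foreach (var s in samples)
    Console.WriteLine(EndSessionRules.Evaluate(s, registered));

// Hypothetical types for this model; they are not IdentityServer types.
public sealed record EndSessionParams(
    bool IdTokenHintValid, string? PostLogoutRedirectUri, string? State);
public sealed record EndSessionDecision(bool PromptUser, string? RedirectTo);

public static class EndSessionRules
{
    public static EndSessionDecision Evaluate(
        EndSessionParams p, IReadOnlySet<string> registeredUris)
    {
        // No valid id_token_hint: prompt, and ignore the dependent parameters.
        if (!p.IdTokenHintValid)
            return new EndSessionDecision(PromptUser: true, RedirectTo: null);

        // The URI must equal a pre-configured value. Whole-string ordinal
        // comparison is this model's assumption; no prefix matching.
        if (p.PostLogoutRedirectUri is null
            || !registeredUris.Contains(p.PostLogoutRedirectUri))
            return new EndSessionDecision(PromptUser: false, RedirectTo: null);

        // state is returned only together with an accepted redirect URI.
        var target = p.PostLogoutRedirectUri;
        if (!string.IsNullOrEmpty(p.State))
            target += (target.Contains('?') ? "&" : "?")
                      + "state=" + Uri.EscapeDataString(p.State);
        return new EndSessionDecision(PromptUser: false, RedirectTo: target);
    }
}
```

Only the first sample yields a redirect target, with the state value URL-encoded; the second is refused because the URI merely starts with a registered value, and the third because the hint is not valid.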

When a user is authenticated and an id_token_hint is provided, IdentityServer validates the hint against the current session using ValidateIdTokenHintAsync on EndSessionRequestValidator.

The default behavior uses a sid-first matching strategy:

  • If the id_token_hint contains a sid claim and the current session has a session ID, those two values are compared directly.
  • If no sid claim is present in the token, IdentityServer falls back to comparing the sub claim in the hint against the authenticated user’s subject ID.

There are three possible outcomes from this validation:

  • The hint matches the session - logout proceeds normally and the user is signed out without any extra prompts (assuming no other reason to show the prompt exists).
  • The hint does not match - the request is rejected and logout does not proceed.
  • The match is uncertain (RequiresConfirmation) - logout proceeds, but ShowSignoutPrompt is set to true so the logout UI shows a confirmation prompt to the user before completing sign-out.

You can customize this validation logic by subclassing EndSessionRequestValidator. See the End Session Request Validator reference for details.

You can use the Duende IdentityModel client library to programmatically create end session request URLs from .NET code.

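Program.cs
using Duende.IdentityModel.Client;

// Endpoint path as in the request example above; it is also published in the discovery document.
var ru = new RequestUrl("https://demo.duendesoftware.com/connect/endsession");
var url = ru.CreateEndSessionUrl(
    idTokenHint: "...",
    postLogoutRedirectUri: "...");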