User logout

Ory Identities supports two logout flows:

• Browser-based (easy): This flow works for all applications running on top of a browser. Websites, single-page apps, Cordova/Ionic, and so on.
• API-based (advanced): This flow works for native applications like iOS (Swift), Android (Java), Microsoft (.NET), React Native, Electron, and others.

Self-service logout for server-side browser applications

To ensure that a logout was indeed intended by the user, Ory Identities first generates a Logout URL for a given Ory Session Cookie. You can then open the Logout URL in the Browser.

After successful logout, the browser will be redirected either to the return_to query parameter from the initial request URL, or fall back to the default_browser_return_url value set in Ory Identities' configuration file:

selfservice:
  flows:
    logout:
      after:
        default_browser_return_url: http://test.ory.sh:4000/

Node.js (Express.js, ...)

import { Configuration, V0alpha1Api } from '@ory/client';
const kratos = new V0alpha1Api(new Configuration({ basePath: 'https://playground.projects.oryapis.com/' }));

const route = (req: Request, res: Response) => {
  kratos.createSelfServiceLogoutFlowUrlForBrowsers(req.cookies['ory_kratos_session']).then(({data}) => {
    .then(({ data }) => {
      console.log(data.logout_url) // The logout URL
      console.log(data.logout_token) // The logout token

      // You can render the logout URL like so:
      // <a href="{{data.logout_url}}>Logout</a>

      // Or call the logout token:
      // kratos.submitSelfServiceLogoutFlow(data.logout_token).then(() => {
        // Logged out
      // })
    })
}

If an error occurs, the browser is redirected to the Error UI.

Self-service logout for client-side browser applications

Similar to server-side browser applications, Ory Identities first generates a Logout URL for a given Ory Session Cookie. However, you can simply call the Logout URL using an AJAX request. Ory Identities returns a 204 No Content response on success or an error otherwise.

The following scripts show you how to do the browser flow based on cURL. Prerequisites are a recent version of cURL and a registered account in Ory Identities.

Before we start, we need to log in:

# Username/email and password for an existing account
username="myuser@ory.sh"
password="mysecret"

# We use this cookie jar to initiate the login flow
cookieJar=$(mktemp)

# Initialize the flow
flow=$( \
  curl -s -H "Accept: application/json"  --cookie $cookieJar --cookie-jar $cookieJar \
    'https://playground.projects.oryapis.com/self-service/login/browser' \
)

# Get the action URL
actionUrl=$(echo $flow | jq -r '.ui.action')

# Get the CSRF Token
csrfToken=$( \
  echo $flow | \
    jq -r '.ui.nodes[] | select(.attributes.name=="csrf_token") | .attributes.value' \
)

# Complete the login
session=$( \
  curl -s --cookie $cookieJar --cookie-jar $cookieJar -X POST \
    -H "Accept: application/json" -H "Content-Type: application/json" \
    --data '{ "identifier": "'$username'", "password": "'$password'", "method": "password", "csrf_token": "'$csrfToken'" }' \
    "$actionUrl" \
)

echo $session | jq

# Check the current user id
curl -s --cookie $cookieJar --cookie-jar $cookieJar -H "Accept: application/json" \
  https://playground.projects.oryapis.com/sessions/whoami | \
  jq -r ".id"

To log out, first get the generated Logout URL then point the Browser to it:

# Get the Logout URL
logoutUrl=$( \
  curl -s --cookie $cookieJar --cookie-jar $cookieJar -H "Accept: application/json" \
    https://playground.projects.oryapis.com/self-service/logout/browser | \
    jq -r ".logout_url" \
)

# Complete the logout
curl -s --cookie $cookieJar --cookie-jar $cookieJar "$logoutUrl"

# Check the current user id again. It should be `null` after a successful logout
curl -s --cookie $cookieJar --cookie-jar $cookieJar -H "Accept: application/json" \
  https://playground.projects.oryapis.com/sessions/whoami | \
  jq -r ".id"

Self-service logout for API clients

API clients (such as native mobile apps) use Ory Session Tokens. To revoke such a token, call the logout API endpoint:

curl

# Set your token here
session_token=8ziz8oCx0dsgXnoJJgElTQ60cNnbohAr

curl -s -v -X DELETE \
  -H "Accept: application/json" \
  -H "Content-Type: application/json" \
  --data '{"session_token": "'$session_token'"}' \
  https://playground.projects.oryapis.com/self-service/logout/api

> DELETE /self-service/logout/api HTTP/1.1
> Host: 127.0.0.1:4433
> User-Agent: curl/7.64.1
> Accept: application/json
> Content-Type: application/json
> Content-Length: 53

< HTTP/1.1 204 No Content
< Cache-Control: private, no-cache, no-store, must-revalidate
< Vary: Cookie
< Date: Fri, 18 Jun 2021 09:42:04 GMT

Go

// Copyright © 2022 Ory Corp
// SPDX-License-Identifier: Apache-2.0

package main

import (
	"fmt"

	"github.com/ory/kratos/examples/go/pkg"

	ory "github.com/ory/kratos-client-go"
)

// If you use Open Source this would be:
//
//var client = pkg.NewSDKForSelfHosted("http://127.0.0.1:4433")
var client = pkg.NewSDK("playground")

func performLogout() {
	// Create a temporary user
	email, password := pkg.RandomCredentials()
	_, sessionToken := pkg.CreateIdentityWithSession(client, email, password)

	// Log out using session token
	res, err := client.V0alpha2Api.SubmitSelfServiceLogoutFlowWithoutBrowserExecute(ory.V0alpha2ApiApiSubmitSelfServiceLogoutFlowWithoutBrowserRequest{}.
		SubmitSelfServiceLogoutFlowWithoutBrowserBody(ory.SubmitSelfServiceLogoutFlowWithoutBrowserBody{SessionToken: sessionToken}))
	pkg.SDKExitOnError(err, res)
}

func main() {
	performLogout()
	fmt.Println("Logout successful!")
}