The hosted UI sign-out endpoint: /logout
The /logout endpoint is a redirection endpoint. It signs out the user and redirects either to an authorized sign-out URL for your app client, or to the /login endpoint. The available parameters in a GET request to the /logout endpoint are tailored to Amazon Cognito hosted UI use cases.
To redirect your user to the hosted UI to sign in again, add a redirect_uri parameter to your request. A logout request with a redirect_uri parameter must also include the parameters for your subsequent request to the Login endpoint, such as client_id, response_type, and scope.
The logout endpoint is a front-end web application for interactive user sessions with your customers. Your app must invoke this and other hosted UI endpoints in your users' browsers.
To redirect your user to a page that you choose, add Allowed sign-out URLs to your app client. In your users' requests to the logout endpoint, add logout_uri and client_id parameters. If the value of logout_uri is one of the Allowed sign-out URLs for your app client, Amazon Cognito redirects users to that URL.
With single logout (SLO) for SAML 2.0 IdPs, Amazon Cognito first redirects your user to the SLO endpoint you defined in your IdP configuration. After your IdP redirects your user back to saml2/logout, Amazon Cognito responds with one more redirect to the redirect_uri or logout_uri from your request. For more information, see Signing out SAML users with single sign-out.
The logout endpoint doesn't sign users out of OIDC or social identity providers (IdPs). To sign users out from their session with an external IdP, direct them to the sign-out page for that provider.
GET /logout
The /logout endpoint only supports HTTPS GET. The user pool client typically makes this request through the system browser. The browser is typically Custom Chrome Tab in Android or Safari View Control in iOS.
Request parameters
- client_id: The app client ID for your app. To get an app client ID, you must register the app in the user pool. For more information, see Application-specific settings with app clients. Required.
- logout_uri: Redirect your user to a custom sign-out page with a logout_uri parameter. Set its value to the app client sign-out URL where you want to redirect your user after they sign out. Use logout_uri only with a client_id parameter. For more information, see Application-specific settings with app clients. You can also use the logout_uri parameter to redirect your user to the sign-in page for another app client. Set the sign-in page for the other app client as an Allowed callback URL in your app client. In your request to the /logout endpoint, set the value of the logout_uri parameter to the URL-encoded sign-in page. Amazon Cognito requires either a logout_uri or a redirect_uri parameter in your request to the /logout endpoint. A logout_uri parameter redirects your user to another website. If both logout_uri and redirect_uri parameters are included in your request to the /logout endpoint, Amazon Cognito uses the logout_uri parameter exclusively and ignores the redirect_uri parameter.
- redirect_uri: Redirect your user to your sign-in page to authenticate with a redirect_uri parameter. Set its value to the app client Allowed callback URL where you want to redirect your user after they sign in again. Add the client_id, scope, state, and response_type parameters that you want to pass to your /login endpoint. Amazon Cognito requires either a logout_uri or a redirect_uri parameter in your request to the /logout endpoint. To redirect your user to your /login endpoint to reauthenticate and pass tokens to your app, add a redirect_uri parameter. If both logout_uri and redirect_uri parameters are included in your request to the /logout endpoint, Amazon Cognito ignores the redirect_uri parameter and processes the logout_uri parameter exclusively.
- response_type: The OAuth 2.0 response that you want to receive from Amazon Cognito after your user signs in. code and token are the valid values for the response_type parameter. Required if you use a redirect_uri parameter.
- state: When your application adds a state parameter to a request, Amazon Cognito returns its value to your app when the /oauth2/logout endpoint redirects your user. Add this value to your requests to guard against CSRF attacks. You can't set the value of a state parameter to a URL-encoded JSON string. To pass a string that matches this format in a state parameter, encode the string to base64, then decode it in your application. Strongly recommended if you use a redirect_uri parameter.
- scope: The OAuth 2.0 scopes that you want to request from Amazon Cognito after you sign your user out with a redirect_uri parameter. Amazon Cognito redirects your user to the /login endpoint with the scope parameter from your request to the /logout endpoint. Optional if you use a redirect_uri parameter. If you don't include a scope parameter, Amazon Cognito still redirects your user to the /login endpoint with a scope parameter. When Amazon Cognito redirects your user and automatically populates scope, the parameter includes all authorized scopes for your app client.
Example requests
Example – log out and redirect user to client
Except for logout_uri and client_id, all possible query parameters for this endpoint are passed through to the Authorize endpoint. When requests include logout_uri and client_id, Amazon Cognito redirects user sessions to the URL in the value of logout_uri, ignoring all other request parameters. This URL must be an authorized sign-out URL for the app client.
The following is an example request for sign-out and redirect to https://www.example.com/welcome.
GET https://mydomain.auth.us-east-1.amazoncognito.com/logout?
client_id=1example23456789&
logout_uri=https%3A%2F%2Fwww.example.com%2Fwelcome
Example – log out and prompt the user to sign in as another user
When requests omit logout_uri but otherwise provide the parameters that make up a well-formed request to the authorize endpoint, Amazon Cognito redirects users to hosted UI sign-in. The logout endpoint appends the parameters in your original request to the redirect destination. The parameter redirect_uri in a request to the logout endpoint is not a sign-out URL, but a sign-in URL that you want to pass through to the authorize endpoint.
The following is an example request that signs a user out, redirects to the sign-in page, and provides an authorization code to https://www.example.com after sign-in.
GET https://mydomain.auth.us-east-1.amazoncognito.com/logout?
response_type=code&
client_id=1example23456789&
redirect_uri=https%3A%2F%2Fwww.example.com&
state=example-state-value&
nonce=example-nonce-value&
scope=openid+profile+aws.cognito.signin.user.admin
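The two request shapes shown in these examples, built by an app server with the checks a practitioner would want around them, as an added example that is not part of the AWS documentation or any AWS library. It assumes placeholder values for the Cognito domain, app client ID and the app client's allowed URLs, and it carries a JSON state value as base64url because the state parameter can't be URL-encoded JSON.

```python
"""Build Amazon Cognito hosted UI /logout URLs for both redirect modes.
Added example, not AWS code. The domain, app client ID and allowed URLs
below are placeholders standing in for your app client's configuration."""
import base64
import json
import secrets
from urllib.parse import urlencode

COGNITO_DOMAIN = "https://mydomain.auth.us-east-1.amazoncognito.com"  # placeholder
CLIENT_ID = "1example23456789"  # placeholder, as in the page's examples
# Allowed sign-out URLs and Allowed callback URLs of the app client (assumed)
ALLOWED_SIGNOUT_URLS = {"https://www.example.com/welcome"}
ALLOWED_CALLBACK_URLS = {"https://www.example.com"}


def logout_to_page(logout_uri):
    """logout_uri mode: sign out, then land on an Allowed sign-out URL.
    Checking the allowlist locally fails early on a typo; Cognito still
    enforces it server-side and ignores every other parameter in this mode."""
    if logout_uri not in ALLOWED_SIGNOUT_URLS:
        raise ValueError(f"{logout_uri} is not an Allowed sign-out URL")
    query = urlencode({"client_id": CLIENT_ID, "logout_uri": logout_uri})
    return f"{COGNITO_DOMAIN}/logout?{query}"


def encode_state(payload):
    """state can't be URL-encoded JSON, so carry JSON as unpadded base64url."""
    raw = json.dumps(payload, separators=(",", ":")).encode()
    return base64.urlsafe_b64encode(raw).decode().rstrip("=")


def decode_state(value):
    """Reverse encode_state when state comes back to redirect_uri."""
    return json.loads(base64.urlsafe_b64decode(value + "=" * (-len(value) % 4)))


def logout_to_login(redirect_uri, scope="", extra_state=None):
    """redirect_uri mode: sign out, then pass the user to /login.
    Returns the URL and the state value to store in the user's session and
    compare against the state echoed back after sign-in (CSRF check)."""
    if redirect_uri not in ALLOWED_CALLBACK_URLS:
        raise ValueError(f"{redirect_uri} is not an Allowed callback URL")
    payload = dict(extra_state or {})
    payload["csrf"] = secrets.token_urlsafe(16)  # unguessable per-request value
    state = encode_state(payload)
    params = {"client_id": CLIENT_ID, "response_type": "code",
              "redirect_uri": redirect_uri, "state": state}
    if scope:  # omit it and Cognito fills in every scope the app client allows
        params["scope"] = scope
    return f"{COGNITO_DOMAIN}/logout?{urlencode(params)}", state
```

After sign-in, compare the state returned to redirect_uri with the stored value before decoding it; a mismatch means the callback did not originate from a request this session started.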