Logout (RP-initiated)

End the user's session everywhere with one redirect. Implements OIDC RP-Initiated Logout 1.0.

Build the URL

```
https://id.littlexlittle.org/oidc/logout
  ?id_token_hint=eyJ...                             (the user's id_token, optional but recommended)
  &post_logout_redirect_uri=https://yoursite.org/   (must be pre-registered)
  &state=RANDOM
```

What happens

  1. We invalidate the LXL session cookie at id.littlexlittle.org.
  2. We revoke all access and refresh tokens issued to this client for this user.
  3. We render a brief "Signing you out..." page if post_logout_redirect_uri is omitted.
  4. Otherwise we 302 back to your URL with ?state=... echoed.

Other clients the user signed into are not automatically logged out. If you need single-logout, listen for the account.signed_out webhook event and revoke local sessions yourself.

PHP example

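```php
// $client is your OIDC client instance, constructed elsewhere.
$logoutUrl = $client->logoutUrl([
    'id_token_hint'            => $_SESSION['id_token'],
    'post_logout_redirect_uri' => 'https://yoursite.org/',
    'state'                    => bin2hex(random_bytes(8)),
]);
session_destroy(); // clear local session first
header('Location: ' . $logoutUrl);
exit; // stop the script so nothing else runs after the redirect
```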
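The PHP example above destroys the local session before redirecting, so the state it generates cannot be looked up in the session when the user comes back. The following is an added example, not LXL's code or SDK, that keeps state in a short-lived cookie and checks the echoed value on return; the helper names, the cookie name and the 5-minute lifetime are assumptions.

```php
<?php
// Added example; helper and cookie names are hypothetical, not part of any LXL SDK.
const LOGOUT_ENDPOINT = 'https://id.littlexlittle.org/oidc/logout';
const POST_LOGOUT_URI = 'https://yoursite.org/'; // must be pre-registered
const STATE_COOKIE    = 'lxl_logout_state';      // hypothetical name
const COOKIE_OPTS     = ['path' => '/', 'secure' => true, 'httponly' => true, 'samesite' => 'Lax'];

// Build the URL by hand so every parameter is percent-encoded.
function buildLogoutUrl(?string $idToken, string $state): string
{
    $params = ['post_logout_redirect_uri' => POST_LOGOUT_URI, 'state' => $state];
    if ($idToken !== null && $idToken !== '') {
        $params['id_token_hint'] = $idToken; // optional but recommended
    }
    return LOGOUT_ENDPOINT . '?' . http_build_query($params, '', '&', PHP_QUERY_RFC3986);
}

// Start logout: park state in a short-lived cookie, clear the session, redirect.
function startLogout(): void
{
    if (session_status() !== PHP_SESSION_ACTIVE) {
        session_start();
    }
    $idToken = $_SESSION['id_token'] ?? null;
    $state   = bin2hex(random_bytes(16));
    setcookie(STATE_COOKIE, $state, ['expires' => time() + 300] + COOKIE_OPTS);
    $_SESSION = [];
    session_destroy();
    header('Location: ' . buildLogoutUrl($idToken, $state), true, 302);
    exit;
}

// Handle the return at post_logout_redirect_uri; true only for our own state.
function finishLogout(): bool
{
    $expected = $_COOKIE[STATE_COOKIE] ?? '';
    $received = $_GET['state'] ?? '';
    setcookie(STATE_COOKIE, '', ['expires' => 1] + COOKIE_OPTS); // single use
    return is_string($expected) && is_string($received)
        && $expected !== '' && hash_equals($expected, $received);
}
```

Call `startLogout()` from your logout route and `finishLogout()` from the page served at the post-logout URL. If it returns false, treat the request as an ordinary visit rather than a completed logout.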

Local-only logout

If you just want to clear your own session and stay signed into Little X Little (so other apps still work), don't redirect to /oidc/logout. Just clear your cookies.

Programmatic revocation (without UI)

Use RFC 7009 token revocation instead:

```bash
curl -X POST https://id.littlexlittle.org/oidc/revoke \
  -d "token=$REFRESH_TOKEN" \
  -d "token_type_hint=refresh_token" \
  -d "client_id=YOUR_CLIENT_ID"
```

This returns 200 with no body (per spec) and revokes the entire chain.