Logout Endpoints

Global logout from the OAuth2 ecosystem.

Be careful when using the Session Logout endpoint: what you achieve is a global logout. Since all applications benefit from single sign-on (only the first authorization request expects the user to enter his/her credentials), requesting a logout has consequences for all applications of the user on the same device.

Please differentiate between finishing work with a particular application (Backend Logout, which invalidates one access token) and globally logging the user out (Session Logout, which ends the SSO session).

Session Logout

Invalidates the session, so that an "SSO logout" is achieved.

Request

Code snippet: URL
GET https://.../logout?response_type=code&client_id=...&code_challenge=...&code_challenge_method=S256&redirect_uri=...&scope=...
Parameters (note: the parameters must be the same as for the Authorization Endpoint, so that a direct re-login can be offered from the logout page):
  • Base Address: the base address of the OAuth2 Server - see Crew OAuth2 Server Overview
  • response_type: requested response type. Only "code" (authorization code grant) is supported for this API
  • client_id: A unique identification of the client application (package key), which is assigned during application registration
  • code_challenge: PKCE code challenge according to RFC 7636
  • code_challenge_method: PKCE code challenge method according to RFC 7636 (S256)
  • redirect_uri: A URI that will be called after the authentication and the authorization steps are done. The client application has to listen to this address, as it will be given the authorization code via this URI.
  • scope: A scope or scopes requested by the client - typically something like https://cms.fra.dlh.de/publicCrewApi

Note: The "userLang" used to call the backend systems is taken from the client's "Accept-Language" header.

Response

Code | Description | Content-Type | Schema
200  | The login page of the current context, with the information that the user has been logged out successfully. | text/html | n/a

Example

Code snippet: Get request
GET https://oauth-test.lufthansa.com/logout?response_type=code
  &redirect_uri=myApp://callback/
  &scope=https://cms.fra.dlh.de/myScope
  &client_id=123456789012345678901234
  &code_challenge=1234567890123456789012345678901234567890123
  &code_challenge_method=S256
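The following is an added example (not code from the page or from the Crew OAuth2 Server) that builds the Session Logout URL from the same parameter set used for the authorization request, generating the PKCE verifier/challenge pair per RFC 7636 with method S256. The base address, the "/authorize" path of the Authorization Endpoint, the client_id, redirect_uri and scope values are assumptions for the example; the code_verifier returned must be kept by the client because it is needed for the token request after the re-login.

```python
import base64
import hashlib
import secrets
from urllib.parse import parse_qs, urlencode, urlsplit

# Base address of the OAuth2 server and the authorization endpoint path:
# both are assumptions for this example, not values from the documentation.
BASE_URL = "https://oauth-test.example.com"
AUTHORIZE_PATH = "/authorize"
LOGOUT_PATH = "/logout"


def _b64url(raw: bytes) -> str:
    # RFC 7636 uses base64url without padding
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def make_pkce_pair(verifier=None):
    """Return (code_verifier, code_challenge) for code_challenge_method=S256.

    A fresh verifier is 32 random bytes encoded to 43 URL-safe characters,
    which is inside the 43..128 character range required by RFC 7636.
    """
    if verifier is None:
        verifier = _b64url(secrets.token_bytes(32))
    challenge = _b64url(hashlib.sha256(verifier.encode("ascii")).digest())
    return verifier, challenge


def build_authorize_params(client_id, redirect_uri, scope, code_challenge):
    """Parameter set of the authorization request; the logout request reuses it."""
    return {
        "response_type": "code",  # only "code" is supported by this API
        "client_id": client_id,
        "code_challenge": code_challenge,
        "code_challenge_method": "S256",
        "redirect_uri": redirect_uri,
        "scope": scope,
    }


def build_authorize_url(client_id, redirect_uri, scope, code_challenge, base_url=BASE_URL):
    params = build_authorize_params(client_id, redirect_uri, scope, code_challenge)
    return f"{base_url}{AUTHORIZE_PATH}?{urlencode(params)}"


def build_logout_url(client_id, redirect_uri, scope, code_challenge, base_url=BASE_URL):
    """Session logout: same parameters as the authorization request, so the
    logout page can offer a direct re-login. Remember that this ends the SSO
    session for every application on the device, not just this client."""
    params = build_authorize_params(client_id, redirect_uri, scope, code_challenge)
    return f"{base_url}{LOGOUT_PATH}?{urlencode(params)}"


def logout_matches_authorize(logout_url, authorize_url):
    """Consistency check: every query parameter of the authorization request
    appears unchanged in the logout request."""
    return parse_qs(urlsplit(logout_url).query) == parse_qs(urlsplit(authorize_url).query)


if __name__ == "__main__":
    verifier, challenge = make_pkce_pair()
    url = build_logout_url("123456789012345678901234", "myApp://callback/",
                           "https://cms.fra.dlh.de/myScope", challenge)
    print(url)
```

The check in logout_matches_authorize is worth running in a client's test suite: a logout URL that drifts from the authorization URL (for example a different redirect_uri) leaves the user on a logout page whose re-login link no longer matches the registered client.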

Backend Logout

Invalidates a specific access token, so that the logout for a specific app/backend is achieved. Because the request authenticates with the client secret, it is meant to be sent from the backend (confidential) side; the client secret must not be embedded in a public client such as a mobile app.

Request

Code snippet: Post request
POST https://.../logout_backend
Header Attributes:
  • Content-Type: application/x-www-form-urlencoded
Body Parameters (note that parameters sent as query parameters are not accepted by the OA2 server; sending them in the URL would also expose the client secret and the access token to proxies and access logs):
  • client_id: A unique identification of the client application (package key), which is assigned during application registration.
  • client_secret: The client secret issued for this client_id
  • access_token: The token to be logged out/invalidated

Responses

Code | Response | Content-Type
200  | { "status" : "success" } | application/json
400  | {"error_description": "Please provide the access_token parameter containing the actual access token.", "error" : "server_error "} | application/json
400  | {"error_description": "Please provide the client_id parameter containing the actual client id.", "error" : "server_error "} | application/json
400  | {"error_description": "Please provide the client_secret parameter containing the actual client secret.", "error" : "server_error "} | application/json

Example

Code snippet: Post request
POST https://oauth-test.lufthansa.com/logout_backend
Content-Type: application/x-www-form-urlencoded

client_id=123456789012345678901234&client_secret=123456789&access_token=123456789012345678901234567890
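The following is an added example (not code from the page or from the Crew OAuth2 Server) that builds the Backend Logout request with the three parameters in a form-encoded body rather than the query string, checks that no secret ended up in the URL, and maps the documented 200 and 400 responses to a result. The base address and the credential values are assumptions; the request is constructed but not sent, so the example runs offline.

```python
import json
from urllib.parse import urlencode, urlsplit
from urllib.request import Request

# Base address of the OAuth2 server: an assumption for this example.
BASE_URL = "https://oauth-test.example.com"


def build_backend_logout_request(client_id, client_secret, access_token, base_url=BASE_URL):
    """Build the POST for /logout_backend.

    All three parameters go into an application/x-www-form-urlencoded body.
    The server rejects them as query parameters, and a client_secret in a
    query string would also leak into proxy and web-server access logs.
    """
    body = urlencode({
        "client_id": client_id,
        "client_secret": client_secret,
        "access_token": access_token,
    }).encode("ascii")
    return Request(
        f"{base_url}/logout_backend",
        data=body,
        method="POST",
        headers={"Content-Type": "application/x-www-form-urlencoded"},
    )


def request_summary(req):
    """Flatten a urllib Request into plain values for inspection or logging
    (the body is returned so a caller can verify it; never log it as-is)."""
    content_type = next(
        (v for k, v in req.header_items() if k.lower() == "content-type"), None
    )
    return {
        "method": req.get_method(),
        "url": req.full_url,
        "content_type": content_type,
        "body": req.data.decode("ascii"),
    }


def request_has_no_secret_in_url(req):
    """Guard against the mistake of sending credentials as query parameters."""
    return urlsplit(req.full_url).query == ""


def interpret_backend_logout_response(status, body):
    """Map the documented responses to (logged_out, message)."""
    try:
        payload = json.loads(body.decode("utf-8"))
    except (ValueError, UnicodeDecodeError):
        return False, f"unexpected non-JSON response (HTTP {status})"
    if status == 200 and payload.get("status") == "success":
        return True, "token invalidated"
    if status == 400:
        # The server reports which parameter is missing in error_description
        return False, payload.get("error_description", "bad request")
    return False, f"unexpected response (HTTP {status}): {payload}"


if __name__ == "__main__":
    # Constructed sample credentials, not real values
    req = build_backend_logout_request("123456789012345678901234", "123456789",
                                       "123456789012345678901234567890")
    summary = request_summary(req)
    print(summary["method"], summary["url"], summary["content_type"])
    print(interpret_backend_logout_response(200, b'{ "status" : "success" }'))
```

To actually send the request, pass the Request to urllib.request.urlopen inside a try/except for urllib.error.HTTPError and feed the status code and body of either the response or the error into interpret_backend_logout_response; a 400 with a missing-parameter message is a client bug, not a transient failure, so do not retry it.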