How to force a user's logout

This article explains the steps you can follow to force a user's logout (terminate their session) when using Login V2.

The Login V2 internally leverages the sessions API, creating a session when the user logs in. This session is referenced by the SSO cookie stored in the browser when the login flow completes, allowing the user to retrieve new tokens without the need to provide their credentials.

To log the user out, or terminate their sessions, there are 2 alternatives:

  • The client (browser) can log the user out by calling the end_session_endpoint, which is an interactive endpoint, meaning that the user has to navigate to that URL, or
  • The internal session can be deleted using the sessions API, which is what this article focuses on.

Using the sessions API, it is possible to retrieve and delete those sessions. This is a two-step process:

1. Retrieve the sessions for that user:

POST <instance_domain>/v2/sessions/search

body: application/json 
{
  "queries": [
    {
      "userIdQuery": {
        "id": "<USER_ID>"
      }
    }
  ]
}

 

This will return all the sessions for that user. A more sophisticated query may be used to filter the results, see the following:

2. Delete the session by ID, using the ID from step 1:

DELETE <instance_domain>/v2/sessions/<session_id>

After that, the user's session will be terminated.
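
The two steps above combined into one script, as an added example that is not part of the original article or the product's own code; it repeats the search after each delete pass so that sessions on later result pages, or created in the meantime, are removed as well. Assumptions: bearer-token authentication, a search response shaped like {"sessions": [{"id": ...}]}, and the names http_json, force_logout, fake_send, max_rounds and the instance.example domain, all of which are made up here.

```python
import json
import urllib.request
from urllib.parse import quote

def http_json(method, url, token, body=None):
    """Send one JSON request; bearer-token auth is an assumption of this example."""
    data = json.dumps(body).encode() if body is not None else None
    headers = {"Authorization": f"Bearer {token}", "Content-Type": "application/json"}
    req = urllib.request.Request(url, data=data, method=method, headers=headers)
    with urllib.request.urlopen(req, timeout=10) as resp:
        raw = resp.read()
    return json.loads(raw) if raw else {}

def force_logout(instance, token, user_id, send=http_json, max_rounds=5):
    """Delete user_id's sessions until a search comes back empty.
    Returns (deleted_ids, remaining_ids); non-empty remaining_ids = incomplete."""
    base = instance.rstrip("/")
    query = {"queries": [{"userIdQuery": {"id": user_id}}]}

    def search():
        # Step 1: list sessions; the "sessions" response key is an assumption.
        found = send("POST", f"{base}/v2/sessions/search", token, query)
        return [s["id"] for s in found.get("sessions", [])]

    deleted = []
    for _ in range(max_rounds):
        remaining = search()
        if not remaining:
            break
        for sid in remaining:
            try:  # Step 2: delete by ID
                send("DELETE", f"{base}/v2/sessions/{quote(sid, safe='')}", token)
                deleted.append(sid)
            except OSError:  # urllib's HTTPError and URLError subclass OSError
                pass  # the next search lists it again, so it is retried
    else:
        remaining = search()  # final check after the last delete pass
    return deleted, remaining

if __name__ == "__main__":
    # Constructed in-memory stand-in for the instance so the demo runs offline.
    store = {"s1": "u1", "s2": "u1", "s3": "u2"}  # session ID -> user ID
    def fake_send(method, url, token, body=None):
        if method == "POST":
            uid = body["queries"][0]["userIdQuery"]["id"]
            return {"sessions": [{"id": s} for s, u in store.items() if u == uid]}
        store.pop(url.rsplit("/", 1)[1])
        return {}
    print(force_logout("https://instance.example", "PLACEHOLDER", "u1", fake_send))
```

A non-empty second list in the result means at least one session survived, so the caller should treat the logout as incomplete.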
