User logout
Ory Kratos supports two logout flows:
- Browser-based (easy): This flow works for all applications running on top of a browser. Websites, single-page apps, Cordova/Ionic, and so on.
- API-based (advanced): This flow works for native applications like iOS (Swift), Android (Java), Microsoft (.NET), React Native, Electron, and others.
Self-service logout for server-side browser applications
To ensure that a logout was indeed intended by the user, Ory Kratos first generates a Logout URL for a given Ory Session Cookie. You can then open the Logout URL in the Browser.
After successful logout, the browser will be redirected either to the return_to
query parameter from the initial request URL, or
fall back to the default_browser_return_url
value set in Ory Kratos' configuration file:
# kratos.yaml
selfservice:
flows:
logout:
after:
default_browser_return_url: http://test.kratos.ory.sh:4000/
- Node.js (Express.js, ...)
import { Configuration, V0alpha1Api } from '@ory/client';
const kratos = new V0alpha1Api(new Configuration({ basePath: 'https://playground.projects.oryapis.com/' }));
const route = (req: Request, res: Response) => {
kratos.createSelfServiceLogoutFlowUrlForBrowsers(req.cookies['ory_kratos_session']).then(({data}) => {
.then(({ data }) => {
console.log(data.logout_url) // The logout URL
console.log(data.logout_token) // The logout token
// You can render the logout URL like so:
// <a href="{{data.logout_url}}>Logout</a>
// Or call the logout token:
// kratos.submitSelfServiceLogoutFlow(data.logout_token).then(() => {
// Logged out
// })
})
}
If an error occurs, the browser is redirected to the Error UI.
Self-service logout for client-side browser applications
Similar to server-side browser applications, Ory Kratos first generates a Logout URL for a given Ory Session Cookie. However, you
can simply call the Logout URL using an AJAX request. Ory Kratos returns a 204 No Content
response on success or an error
otherwise.
The following scripts show you how to do the browser flow based on cURL. Prerequisites are a recent version of cURL and a registered account in Kratos.
Before we start, we need to log in:
# Username/email and password for an existing account
username="myuser@ory.sh"
password="mysecret"
# We use this cookie jar to initiate the login flow
cookieJar=$(mktemp)
# Initialize the flow
flow=$( \
curl -s -H "Accept: application/json" --cookie $cookieJar --cookie-jar $cookieJar \
'https://playground.projects.oryapis.com/self-service/login/browser' \
)
# Get the action URL
actionUrl=$(echo $flow | jq -r '.ui.action')
# Get the CSRF Token
csrfToken=$( \
echo $flow | \
jq -r '.ui.nodes[] | select(.attributes.name=="csrf_token") | .attributes.value' \
)
# Complete the login
session=$( \
curl -s --cookie $cookieJar --cookie-jar $cookieJar -X POST \
-H "Accept: application/json" -H "Content-Type: application/json" \
--data '{ "identifier": "'$username'", "password": "'$password'", "method": "password", "csrf_token": "'$csrfToken'" }' \
"$actionUrl" \
)
echo $session | jq
# Check the current user id
curl -s --cookie $cookieJar --cookie-jar $cookieJar -H "Accept: application/json" \
https://playground.projects.oryapis.com/sessions/whoami | \
jq -r ".id"
To logout, first get the generated Logout URL then point the Browser to it:
# Get the Logout URL
logoutUrl=$( \
curl -s --cookie $cookieJar --cookie-jar $cookieJar -H "Accept: application/json" \
https://playground.projects.oryapis.com/self-service/logout/browser | \
jq -r ".logout_url" \
)
# Complete the logout
curl -s --cookie $cookieJar --cookie-jar $cookieJar "$logoutUrl"
# Check the current user id again. It should be `null` after a successful logout
curl -s --cookie $cookieJar --cookie-jar $cookieJar -H "Accept: application/json" \
https://playground.projects.oryapis.com/sessions/whoami | \
jq -r ".id"
Self-service logout for API clients
API clients (such as native mobile apps) use Ory Session Tokens. To revoke such a token, call the logout API endpoint:
- curl
- Go
# Set your token here
session_token=8ziz8oCx0dsgXnoJJgElTQ60cNnbohAr
curl -s -v -X DELETE \
-H "Accept: application/json" \
-H "Content-Type: application/json" \
--data '{"session_token": "'$session_token'"}' \
https://playground.projects.oryapis.com/self-service/logout/api
> DELETE /self-service/logout/api HTTP/1.1
> Host: 127.0.0.1:4433
> User-Agent: curl/7.64.1
> Accept: application/json
> Content-Type: application/json
> Content-Length: 53
< HTTP/1.1 204 No Content
< Cache-Control: private, no-cache, no-store, must-revalidate
< Vary: Cookie
< Date: Fri, 18 Jun 2021 09:42:04 GMT
package main
import (
"fmt"
"github.com/ory/kratos/examples/go/pkg"
ory "github.com/ory/kratos-client-go"
)
// If you use Open Source this would be:
//
//var client = pkg.NewSDKForSelfHosted("http://127.0.0.1:4433")
var client = pkg.NewSDK("playground")
func performLogout() {
// Create a temporary user
email, password := pkg.RandomCredentials()
_, sessionToken := pkg.CreateIdentityWithSession(client, email, password)
// Log out using session token
res, err := client.V0alpha2Api.SubmitSelfServiceLogoutFlowWithoutBrowserExecute(ory.V0alpha2ApiApiSubmitSelfServiceLogoutFlowWithoutBrowserRequest{}.
SubmitSelfServiceLogoutFlowWithoutBrowserBody(ory.SubmitSelfServiceLogoutFlowWithoutBrowserBody{SessionToken: sessionToken}))
pkg.SDKExitOnError(err, res)
}
func main() {
performLogout()
fmt.Println("Logout successful!")
}