/end-session

Browser-facing logout endpoint for OpenID Connect RP-initiated logout.

Endpoint

  • Methods: GET or POST
  • URL: https://sso.user.m7.org/end-session
  • Response: hosted HTML page

When to use it

Use this endpoint when your application wants to send the user's browser to M7 to end the current SSO session. Ending the M7 session does not clear your application's own local session; clear that yourself before redirecting, or on return from the post-logout redirect.

Request parameters

  • id_token_hint recommended: the ID token M7 previously issued to your client for this user; identifies both the client and the session to end
  • post_logout_redirect_uri optional: where to send the browser after logout; must be registered for the client (see Redirect validation rules)
  • state optional: opaque value your application chooses; echoed back on the post-logout redirect so you can bind the return to the request
  • client_id optional: your client identifier; supplies client context when no id_token_hint is sent, and must match the id_token_hint when both are sent
  • logout_hint optional: hint about which user is being logged out (for example the identifier they logged in with)
  • ui_locales optional: preferred languages for the hosted page, as a space-separated list

Example

https://sso.user.m7.org/end-session?id_token_hint=ID_TOKEN&post_logout_redirect_uri=https%3A%2F%2Fapp.example.com%2Flogout%2Fcallback&state=STATE123

Current behavior

The hosted page:

  • inspects the current local M7 session
  • validates id_token_hint when present
  • validates post_logout_redirect_uri against the registered client
  • asks the user to confirm logout

After logout:

  • if a valid post-logout return target is available, the browser is redirected there
  • otherwise the browser falls back to https://www.m7.org

If state was supplied and a validated post_logout_redirect_uri is used, state is appended to the final return URL as a query parameter named state (for the example above: https://app.example.com/logout/callback?state=STATE123). It is not appended to the https://www.m7.org fallback.

Redirect validation rules

Current observed rules:

  • post_logout_redirect_uri must be https
  • it must exactly match one of the client's registered post_logout_redirect_uris (a different path, trailing slash, port or query string does not match)
  • if post_logout_redirect_uri is sent, M7 needs client context from client_id or a valid id_token_hint; without it the value is ignored and the browser goes to the fallback

Notes

  • If id_token_hint is invalid, or its audience does not match the supplied client_id, the current implementation downgrades to the generic M7 logout flow (fallback to https://www.m7.org) instead of honoring the RP-specific return context; post_logout_redirect_uri and state are then not used.
  • The legacy /logout route forwards here.