6

My application is integrated with Facebook, Google and Microsoft (using OAuth).

To log out from Facebook I'm using the following URL:

https://www.facebook.com/logout.php?next=[YourAppURL]&access_token=[ValidAccessToken]

Is there something similar for Google and for Microsoft?

For Google I tried:

https://accounts.google.com/Logout?continue=http://localhost:51820

But it didn't work... It returns: The page you requested is invalid.

How can I get that logout URL?

amp
  • Do you use OAuth for client-side (only JavaScript integration) or server-side (with the access codes and token exchange on your server)? Note that for the server-side case, it is wrong to expose the access token to the client side. Facebook provides no proper way to log out users who were authorized via server-side. – Vilmantas Baranauskas Jun 12 '13 at 14:02

2 Answers

19

I finally got the right links:

  • Facebook:

https://www.facebook.com/logout.php?next=[YourAppURL]&access_token=[ValidAccessToken]

Source: A Working Facebook OAuth Logout URL

  • Google:

https://www.google.com/accounts/Logout?continue=https://appengine.google.com/_ah/logout?continue=[http://www.mysite.com]

Source: google account logout and redirect

  • Microsoft:

https://login.live.com/oauth20_logout.srf?client_id=[CLIENT_ID]&redirect_uri=[REDIRECT_URL]

Source: Server-side scenarios

Those links can be used like this in JavaScript:

    // Navigate the browser to the provider's logout URL (Facebook shown here)
    function logout() {
        document.location.href = "https://www.facebook.com/logout.php?next=[YourAppURL]&access_token=[ValidAccessToken]";
    }

Suggestion to implement this: Logout from external login service (Gmail, facebook) using oauth

Community
amp
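The three logout links from the answer above, built with each redirect parameter URL-encoded (the nested Google `continue` needs two levels of encoding) and restricted to the application's own origin. This is an added example, not code from the original post; `APP_ORIGIN`, `checkedReturnUrl` and `buildLogoutUrl` are hypothetical names and the origin value is a constructed placeholder.

```javascript
// Assumption: the origin your application is served from (placeholder value).
const APP_ORIGIN = "https://www.mysite.com";

// Accept a post-logout redirect only if it points back at our own origin,
// so the next / continue / redirect_uri parameter cannot leave the app.
function checkedReturnUrl(returnUrl) {
  const u = new URL(returnUrl); // throws on malformed input
  if (u.origin !== APP_ORIGIN) {
    throw new Error("return URL is outside the application origin: " + u.origin);
  }
  return u.href;
}

// provider: "facebook" | "google" | "microsoft"
// opts: { returnUrl, accessToken (facebook), clientId (microsoft) }
function buildLogoutUrl(provider, opts) {
  const back = checkedReturnUrl(opts.returnUrl);
  switch (provider) {
    case "facebook": {
      // This URL form carries the access token in the query string, so the
      // token reaches the browser (see the comment on the question).
      const u = new URL("https://www.facebook.com/logout.php");
      u.searchParams.set("next", back);
      u.searchParams.set("access_token", opts.accessToken);
      return u.href;
    }
    case "google": {
      // Two hops: the inner URL is itself a parameter value of the outer one,
      // so the final return URL ends up percent-encoded twice.
      const inner = new URL("https://appengine.google.com/_ah/logout");
      inner.searchParams.set("continue", back);
      const outer = new URL("https://www.google.com/accounts/Logout");
      outer.searchParams.set("continue", inner.href);
      return outer.href;
    }
    case "microsoft": {
      const u = new URL("https://login.live.com/oauth20_logout.srf");
      u.searchParams.set("client_id", opts.clientId);
      u.searchParams.set("redirect_uri", back);
      return u.href;
    }
    default:
      throw new Error("unknown provider: " + provider);
  }
}
```
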
3

You shouldn't be logging the user out of Facebook, Google, etc. You just need to log them out of your app. By redirecting them to accounts.google.com/Logout you're actually logging the user out of their Google account, which means if they also had Gmail open in another tab (say) they'd also be logged out of that. Similarly, if you redirect them to www.facebook.com/logout.php you're actually logging them out of Facebook, which means if they had Facebook open in another tab, they would be logged out of there as well.

Instead, all you should do, when the user logs out of your app, is "forget" the OAuth tokens.

Dean Harding
  • 1
    I know that, but I'm asking first if they really want to log out from the provider. This could be useful, for instance, on a public computer. – amp Jun 12 '13 at 08:28
  • 3
    Actually Facebook states in their policies that you MUST log out users from Facebook as well if you offer a "logout" button in your application. Unfortunately, they do not provide a correct way to do this if users have been authorized on the server side. – Vilmantas Baranauskas Jun 12 '13 at 14:04
  • I allow login to a single account on my site through both username/password and social media. If you edit your account to change your password, and you logged in with username/password, you need to provide your old password (i.e. re-authenticate). If you logged in through Facebook, you should be required to re-authenticate with Facebook. But the only way to do that is to force logout from Facebook - if you don't, the OAuth authentication just succeeds immediately because your session is still logged in to Facebook. – sootsnoot Feb 04 '16 at 01:37