How to integrate the Next Identity Hosted Journeys end session workflow

Ending a user's session with the Next Identity Journeys is an optional workflow in your integration with Next Identity.

In this user journey, if you'd like to end the hosted session for a user outside of the hosted screens (for example, in tandem with a logout function in your own application), you can call this endpoint.

If this endpoint is called, the user will no longer have an active session on the hosted screens should they return to the /authorize endpoint.

Endpoint URL

https://id.eu.nextreason.com/endsession?post_logout_redirect_uri=REDIRECT_URI&client_id=CLIENTID

Required Parameters

The following parameters must be included on every request.

Parameter: post_logout_redirect_uri
Description: Configures the URL the user is redirected to after a successful endsession call.

Important note: Ensure the URL is included in the list of allowed URLs for your integration. Contact your Next Reason consultant for assistance with adding URLs to the allowlist.

Parameter: client_id
Description: ID used to authenticate the API call.

Optional Parameters

The following parameter may be included in the request.

Parameter: state
Description: This state parameter is constructed by your application and included in the call to the hosted Next Identity service. It remains unchanged and is passed back to your application when the screen redirects back. It is intended for use by your application to track user state and should be an opaque value used to maintain state between the request and the callback.

Typically, applications mitigate Cross-Site Request Forgery (CSRF, XSRF) by cryptographically binding the value of this parameter to a browser cookie. This value is required on every call, but the hosted service does not use it in any way; it is solely for use by the application.

With such a binding in place, the application can check the returned state value; if it is correct or meets the specified criteria, the application can then perform the expected actions or user journeys on its side.

Response Handling

The endsession response typically includes parameters such as "logout" to indicate the success of the logout operation and "state" to manage session information or facilitate secure redirection post-logout.

Configuration Options

When calling the endsession endpoint, the integrating application can specify the redirect URL for users. This URL can be configured at the client level.

Important note: This URL must be included in the allowlist configuration. Please contact your Next Reason consultant to add URLs to this list.

Error Handling

Code: 403 Forbidden
Error:
{
  "error": "http_exception",
  "error_details": {
    "message": "Forbidden"
  }
}
Cause: Incorrect client_id

Security Considerations

  • Cross-Site Request Forgery (CSRF) Protection: Implement CSRF tokens or similar mechanisms to prevent CSRF attacks, where an attacker could manipulate a user into unknowingly logging out or performing unauthorized actions.
  • Clear Session Data: Ensure that, upon logout, all session-related data stored on the server, as well as on the client-side (e.g., cookies or local storage), is cleared. This prevents unauthorized access in future sessions.

Integration

The /endsession endpoint is designed to end the user session if one is present. It can then redirect the user based on the post_logout_redirect_uri parameter. This is the endpoint you would use if you were attempting to end the session outside of the Next Identity Journeys hosted screens. The endsession request consists of the base domain + the endpoint (/endsession) + parameters.
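As an added illustration of the state binding described under Optional Parameters and of composing the request described here (example code written for this page, not Next Identity's own SDK; the state format, the HMAC secret, the local allowlist set and the callback URL are assumptions), a minimal application-side integration in Python:

```python
import hashlib
import hmac
import secrets
from urllib.parse import parse_qs, urlencode, urlparse

ENDSESSION_URL = "https://id.eu.nextreason.com/endsession"  # base domain + endpoint from the page


def make_state(csrf_cookie: str, secret: bytes) -> str:
    """Opaque state bound to the browser's CSRF cookie (format is our own choice):
    <random nonce>.<HMAC-SHA256(secret, cookie|nonce)>."""
    nonce = secrets.token_urlsafe(16)
    tag = hmac.new(secret, f"{csrf_cookie}|{nonce}".encode(), hashlib.sha256).hexdigest()
    return f"{nonce}.{tag}"


def verify_state(state: str, csrf_cookie: str, secret: bytes) -> bool:
    """Recompute the HMAC for the cookie presented now; compare in constant time."""
    nonce, sep, tag = state.partition(".")
    if not sep:
        return False
    expected = hmac.new(secret, f"{csrf_cookie}|{nonce}".encode(), hashlib.sha256).hexdigest()
    return hmac.compare_digest(tag, expected)


def build_endsession_url(client_id: str, post_logout_redirect_uri: str,
                         state: str, allowed_redirects: set) -> str:
    """Compose base domain + /endsession + required and optional parameters."""
    # Mirror the hosted service's allowlist locally (assumed set) so a bad
    # redirect fails in our own code rather than at the hosted service.
    if post_logout_redirect_uri not in allowed_redirects:
        raise ValueError("post_logout_redirect_uri is not on the allowlist")
    params = {
        "post_logout_redirect_uri": post_logout_redirect_uri,
        "client_id": client_id,
        "state": state,
    }
    return f"{ENDSESSION_URL}?{urlencode(params)}"


def logout_callback_state_ok(callback_url: str, csrf_cookie: str, secret: bytes) -> bool:
    """Handle the redirect back to post_logout_redirect_uri: the hosted service
    passes state back unchanged, so accept the callback only if that state
    verifies against the cookie the browser presents now. The "logout"
    success indicator is left to the caller to inspect separately."""
    query = parse_qs(urlparse(callback_url).query)
    state = query.get("state", [""])[0]
    return verify_state(state, csrf_cookie, secret)
```

Clearing your own application's session and cookies (see Security Considerations) still has to happen alongside the redirect; this code only covers the request and the state check.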