sqlpage.oidc_logout_url(redirect_uri)
Introduced in SQLPage 0.41.0.
Secure OIDC Logout
The sqlpage.oidc_logout_url function generates a secure logout URL for users authenticated via OIDC Single Sign-On.
When a user visits this URL, SQLPage will:
- Remove the authentication cookie
- Redirect the user to the OIDC provider's logout endpoint (if available)
- Finally redirect back to the specified
redirect_uri
Security Features
This function provides protection against Cross-Site Request Forgery (CSRF) attacks:
- The generated URL contains a cryptographically signed token
- The token includes a timestamp and expires after 10 minutes
- The token is signed using your OIDC client secret
- Only relative URLs (starting with
/) are allowed as redirect targets
This means that malicious websites cannot trick your users into logging out by simply including an image or link to your logout URL.
How to Use
select 'button' as component;
select
'Logout' as title,
sqlpage.oidc_logout_url('/') as link,
'logout' as icon,
'red' as outline;
This creates a logout button that, when clicked:
- Logs the user out of your SQLPage application
- Logs the user out of the OIDC provider (if the provider supports RP-Initiated Logout)
- Redirects the user back to your homepage (
/)
Examples
Logout Button in Navigation
select 'shell' as component,
'My App' as title,
json_array(
json_object(
'title', 'Logout',
'link', sqlpage.oidc_logout_url('/'),
'icon', 'logout'
)
) as menu_item;
Logout with Return to Current Page
select 'button' as component;
select
'Sign Out' as title,
sqlpage.oidc_logout_url(sqlpage.path()) as link;
Conditional Logout Link
select 'button' as component
where sqlpage.user_info('sub') is not null;
select
'Logout ' || sqlpage.user_info('name') as title,
sqlpage.oidc_logout_url('/') as link
where sqlpage.user_info('sub') is not null;
Requirements
- OIDC must be configured in your
sqlpage.json - If OIDC is not configured, this function returns NULL
- The
redirect_urimust be a relative path starting with/
Provider Support
The logout behavior depends on your OIDC provider:
| Provider | Full Logout Support |
|---|---|
| Keycloak | ✅ Yes |
| Auth0 | ✅ Yes |
| ❌ No (local logout only) | |
| Azure AD | ✅ Yes |
| Okta | ✅ Yes |
When the provider doesn't support RP-Initiated Logout, SQLPage will still remove the local authentication cookie and redirect to your specified URI.
Parameters
redirect_uri
The relative URL path where the user should be redirected after logout. Must start with `/`. Defaults to `/` if not provided.
basic_auth_password
basic_auth_username
client_ip
cookie
current_working_directory
environment_variable
exec
fetch
fetch_with_meta
hash_password
header
headers
hmac
link
oidc_logout_url
path
persist_uploaded_file
protocol
random_string
read_file_as_data_url
read_file_as_text
request_body
request_body_base64
request_method
run_sql
set_variable
uploaded_file_mime_type
uploaded_file_name
uploaded_file_path
url_encode
user_info
user_info_token
variables
version