Differences Between OIDC vs V2 Logout

Overview

Auth0 provides both /v2/logout and /oidc/logout endpoints. This article explains some differences between them and which should be used depending on the use case. 

Applies To
  • Logout Endpoints
  • Open ID Connect (OIDC) Logout
  • Alternative Logout

Solution

As of February 2023, a new standard logout endpoint was introduced, OIDC RP-Initiated Logout, available at https://{yourDomain}/oidc/logout. This endpoint enhances security measures over the existing custom logout endpoint found at https://{yourDomain}/v2/logout.

The fundamental differences and advantages of using the OIDC logout are outlined below:

  1. Request Parameters and Validation:
    • Client ID: The OIDC logout optionally uses the client_id to validate the post-logout URL listed in the Allowed Logout URLs. If the client_id or id_token_hint is missing, it falls back to the tenant's allowed list.
    • Post Logout URL: OIDC logout uses post_logout_redirect_uri, and if this is left empty, it redirects users to a generic Auth0 landing page. In contrast, V2 logout uses returnTo, and an empty parameter results in an empty HTTP 200 response.
    • Logout Hints: OIDC logout supports additional parameters like id_token_hint or logout_hint, which provide assurance of the legitimacy of the logout request. V2 logout does not support these parameters.
  2. Allowed Logout URLs: Both endpoints use the same configuration; however, OIDC logout offers extended validation by parsing and validating query parameters in the post_logout_redirect_uri.
  3. Federated IdP Logout: Both endpoints support federated logout capabilities.
  4. Confirmation Prompt: OIDC logout can include an optional IdP logout confirmation prompt, which is language-localized and customizable. This feature enhances security by ensuring the user confirms the logout action.
  5. Endpoint Discovery: The OIDC logout endpoint can be discovered through the tenant’s .well-known public resource, facilitating easier integration and standard compliance. V2 logout does not provide such a discovery option.
  6. Request Methods: OIDC logout accepts both GET and POST methods, providing more flexibility in how logout requests can be initiated. In contrast, V2 logout only supports GET requests.
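The following Python is an added illustration, not Auth0's code. It builds the two logout requests the list above compares (the /oidc/logout request with post_logout_redirect_uri, id_token_hint, logout_hint and client_id, and the /v2/logout request with returnTo), and shows the kind of allow-list check that the "extended validation" of query parameters in post_logout_redirect_uri implies. The tenant domain, the allow-list entries and the matching rules in is_allowed_post_logout_uri are assumptions made for this example; Auth0's actual validation rules are not reproduced here.

```python
"""Constructed example: build OIDC and V2 logout URLs and apply a
simplified allow-list check to the post-logout redirect target.
Not Auth0's implementation; domain, allow-list and matching rules
are assumptions for illustration."""
from urllib.parse import urlencode, urlsplit, parse_qs

TENANT_DOMAIN = "example.auth0.com"  # placeholder tenant domain

# Constructed allow-list standing in for an application's Allowed Logout URLs.
ALLOWED_LOGOUT_URLS = [
    "https://app.example.com/logged-out",
    "https://app.example.com/logged-out?lang=en",
]


def oidc_logout_url(post_logout_redirect_uri=None, id_token_hint=None,
                    client_id=None, logout_hint=None):
    """OIDC RP-Initiated Logout request at /oidc/logout. Every parameter is
    optional; with no redirect target the user lands on Auth0's generic page."""
    params = {}
    if post_logout_redirect_uri:
        params["post_logout_redirect_uri"] = post_logout_redirect_uri
    if id_token_hint:
        params["id_token_hint"] = id_token_hint
    if client_id:
        params["client_id"] = client_id
    if logout_hint:
        params["logout_hint"] = logout_hint
    base = f"https://{TENANT_DOMAIN}/oidc/logout"
    return base + ("?" + urlencode(params) if params else "")


def v2_logout_url(return_to=None, client_id=None):
    """Legacy /v2/logout request (GET only). It takes returnTo instead of
    post_logout_redirect_uri and has no id_token_hint or logout_hint."""
    params = {}
    if return_to:
        params["returnTo"] = return_to
    if client_id:
        params["client_id"] = client_id
    base = f"https://{TENANT_DOMAIN}/v2/logout"
    return base + ("?" + urlencode(params) if params else "")


def is_allowed_post_logout_uri(candidate, allowed=ALLOWED_LOGOUT_URLS):
    """Simplified allow-list check (an assumption, not Auth0's algorithm):
    scheme, host and path must match an entry exactly, and the candidate's
    parsed query parameters must equal that entry's parsed parameters.
    Comparing parsed parameters rather than raw strings means a reordered or
    re-encoded query string neither bypasses nor spuriously fails the check,
    while any extra or changed parameter is rejected."""
    cand = urlsplit(candidate)
    cand_query = parse_qs(cand.query, keep_blank_values=True)
    for entry in allowed:
        ref = urlsplit(entry)
        if (cand.scheme, cand.netloc, cand.path) != (ref.scheme, ref.netloc, ref.path):
            continue
        if cand_query == parse_qs(ref.query, keep_blank_values=True):
            return True
    return False


if __name__ == "__main__":
    target = "https://app.example.com/logged-out?lang=en"
    print(oidc_logout_url(target, id_token_hint="<id-token>", client_id="<client-id>"))
    print(v2_logout_url(target, client_id="<client-id>"))
    for url in (target, "https://app.example.com/logged-out?lang=fr",
                "https://other.example.net/logged-out"):
        print(url, "->", "allowed" if is_allowed_post_logout_uri(url) else "rejected")
```

Because the allow-list entries are matched on parsed components, an entry that carries a query string only admits a redirect target with exactly those parameters; a target with a different value, an extra parameter, a different scheme or a different host is rejected before any redirect happens.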