Help on OIDC logout to terminate session on OpenID Provider
Use-case: 1 tenant = 1 ZITADEL Org, each Org has its own OIDC IdP (ZITADEL as RP, external OpenID Provider)
Environment: Self Hosting
Version: 3.3.0
Stack: K8S on EKS, RDS postgres, microservices, ZITADEL TypeScript login V2
Dear ZITADEL team,
Our setup is:
• ZITADEL instance: https://zitadel.mycompany.com
• Login V2 app (Next.js): https://login.mycompany.com
• PKCE web app: https://app.mycompany.com (OIDC project with Login V2 enabled)
• N Organizations (1 per Tenant)
• Each Org has: the project granted + its own OIDC IdP (e.g., https://idp.thirdparty.net)
• Users provisioned with IdP Links
Login:
User reaches https://app.mycompany.com → redirected to Login V2 → discovers Org → redirected to third-party IdP login page.
After successful auth, it flows through: ZITADEL IdP callback → Login V2 callback → back to the app's PKCE callback.
• https://zitadel.mycompany.com/idps/callback?code=...
• https://zitadel.mycompany.com/idp/oidc/success?id=...&organization=...&.requestId=oidc_V2_..&user=....
• https://app.mycompany.com/callback?code=...&state=...
Until here all good.
Logout:
On logout, it seems we are only terminating the ZITADEL session.
From the app, we call:
This terminates the ZITADEL session and redirects back to the app. But it does not log the user out from the third-party IdP (https://idp.thirdparty.net).
---
Main Question:
Since ZITADEL acts as RP towards the external IdP, are we supposed to manually call the external IdP’s end_session_endpoint ourselves (e.g., via post_logout_redirect or frontend logic after ZITADEL logout)?
Or is there a way for ZITADEL to propagate the logout to the external IdP automatically in this IdP-initiated Login V2 setup?
Has anyone encountered the same use case using Login V2?
I'd appreciate some light here.
Thanks.
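For the first option raised in the question (the app chaining the two RP-initiated logouts itself), here is an added TypeScript example; it is not ZITADEL's or the Login V2 project's code. Hostnames are the ones from the post; the `/logged-out` route, the tenant-to-IdP mapping and the end_session paths are assumptions (read the real paths from each provider's discovery document).

```typescript
// Added example, not ZITADEL's or Login V2's code: chain two RP-initiated logouts.
// Step 1: app -> ZITADEL end_session_endpoint, returning to the app route /logged-out
//         (hypothetical). Step 2: /logged-out -> the tenant IdP's end_session_endpoint.
// Hostnames are from the post; endpoint paths are assumed (read them from discovery).
interface LogoutStep {
  endSessionEndpoint: string;     // from the provider's discovery document
  idTokenHint?: string;           // id_token issued by *that* provider, if available
  postLogoutRedirectUri: string;  // must be registered at that provider
  state: string;                  // echoed back so the return can be correlated
}

// Registered post-logout URIs; anything else is refused (no open redirect via logout).
const ALLOWED_POST_LOGOUT = new Set(["https://app.mycompany.com/logged-out", "https://app.mycompany.com/"]);

function buildEndSessionUrl(step: LogoutStep): string {
  if (!ALLOWED_POST_LOGOUT.has(step.postLogoutRedirectUri)) {
    throw new Error(`post_logout_redirect_uri not registered: ${step.postLogoutRedirectUri}`);
  }
  const url = new URL(step.endSessionEndpoint);
  if (step.idTokenHint) url.searchParams.set("id_token_hint", step.idTokenHint);
  url.searchParams.set("post_logout_redirect_uri", step.postLogoutRedirectUri);
  url.searchParams.set("state", step.state);
  return url.toString();
}

// Constructed mapping: Org (tenant) -> its IdP's end_session_endpoint.
const TENANT_IDP_END_SESSION: Record<string, string> = {
  "tenant-a": "https://idp.thirdparty.net/oidc/logout",
};

// Step 1: terminate the ZITADEL session and come back to /logged-out.
function zitadelLogoutUrl(zitadelIdToken: string, state: string): string {
  return buildEndSessionUrl({
    endSessionEndpoint: "https://zitadel.mycompany.com/oidc/v1/end_session",
    idTokenHint: zitadelIdToken,
    postLogoutRedirectUri: "https://app.mycompany.com/logged-out",
    state,
  });
}

// Step 2: terminate the upstream IdP session. The app never saw that IdP's id_token
// (ZITADEL did, as RP), so no id_token_hint is sent; some IdPs then ask for confirmation.
function upstreamLogoutUrl(tenant: string, state: string): string | null {
  const endpoint = TENANT_IDP_END_SESSION[tenant];
  if (!endpoint) return null;  // Org without an external IdP: nothing more to terminate
  return buildEndSessionUrl({ endSessionEndpoint: endpoint,
    postLogoutRedirectUri: "https://app.mycompany.com/", state });
}
```

The missing `id_token_hint` on step 2 is the practical limit of this approach: only ZITADEL, as the RP, holds the upstream id_token, so the browser-side chain can end the IdP session but cannot prove to the IdP which session it means.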