Good morning, I urgently need help.
In one of my web applications I implemented OAuth2 authentication using the OAuth2 service present in FortiAuthenticator v6.6.1 via the REST API, so I configured a confidential-type relying party, an openid-type scope and some claims. The entire OAuth2 flow works well, in the sense that I authenticate myself and the token is released to me, but I would like to know how to log out. Logout is not covered in the documentation. I would like to know how to log out and have the cookie deleted with some command. The only way I get this effect is to delete the server history. Is there a way to do it, or is it not provided? Thanks in advance
Hello agrillea,
Thank you for using the Community Forum. I will seek to get you an answer or help. We will reply to this thread with an update as soon as possible.
Thanks,
Hello,
We are still looking for an answer to your question.
We will come back to you ASAP.
Thanks,
Maybe I found the solution, but I wanted to have confirmation from you. In practice, to log out via the REST API I first revoke the token and then log in again. This way it seems to work, but since it is not documented I wanted to know if it was correct. Thanks
Hi agrillea,
I think the method you have there is good. The OAuth logout endpoint on the API does not seem to exist. What might help in addition (not answering your question) is the token expiry timer, which by default sits at 10h. If you have automated accesses only, you could potentially work with lower timers, like 5 minutes or so.
Best regards,
Markus
We are currently working with a client using FortiAuthenticator v6.6.1, and we've encountered some challenges in integrating their web applications with our internal OIDC/OAuth2 service. Specifically, this version does not provide a dedicated API for logging out users. As a workaround, we have been using the revoke_token API to invalidate the session, and then attempting to force a re-authentication via an iframe.
However, we've noticed that even after performing these actions, the user session often remains active, and users are sometimes able to re-enter the system without completing the full login process. This behavior seems to suggest that the session is not being fully terminated, despite the token being revoked.
Given these challenges, we are considering an upgrade to a more recent version of FortiAuthenticator. We would appreciate any insights or recommendations regarding whether this issue has been addressed in later releases, or if there are any best practices that could help us ensure proper session termination and logout functionality in v6.6.1.
Thank you for your time and support. We look forward to your feedback.
Best regards,
You would want to check and compare logs of when it sometimes works and sometimes doesn't. See if you have that occurrence for the same user, and try to spot what the reason for different results on the same query is.
Created on 10-13-2025 05:52 PM Edited on 10-15-2025 04:21 AM
I've conducted extensive testing and research, and found that I'm not the only one experiencing the issue described below. I’d like to understand whether it would be better to migrate to a more stable version, or if there’s a possible workaround.
I’m currently integrating the internal OIDC/OAuth2 service (version v6.6.1) with 20 React web applications. I’ve configured the Relying Party document within FortiAuthenticator and customized the login page to match the visual style of the web applications.
However, during the logout process, I discovered that version 6.6.1 does not provide a dedicated logout API. Instead, token revocation is required, and FortiAuthenticator must then be redirected to the login page through an iframe, which is what I implemented. Afterward, I reload the URL to display the login form again.
Functionally, this works — but upon checking the Administration Console under the monitoring section, I noticed that even though the system correctly redirects to the credentials page, it still creates a new token.
In practice, each logout triggers the creation of a new token. These tokens remain active until the session naturally expires, leading to an accumulation of unused tokens. Considering a setup with 20 applications and 100 users, this behavior results in a large number of tokens and open sessions persisting for hours, potentially impacting performance and resource management.
I attach the React code fragment:

```javascript
// Logout handler: revoke the access token, load the IdP login page in a hidden
// iframe, then start a fresh authorization-code flow. Note that `refreshToken`
// is received but never revoked, and the page navigates away right after the
// iframe is appended, so the iframe may not finish loading.
export const handleLogout = async (accesstoken, refreshToken) => {
  if (accesstoken) {
    try {
      // Token revocation
      const response = await fetch(`${process.env.REACT_APP_PROXY_URL}/oauth/revoke_token/`, {
        method: 'POST',
        headers: {
          'Content-Type': 'application/json',
        },
        body: JSON.stringify({ token: accesstoken }),
      });
      if (!response.ok) {
        throw new Error("Error revoking token");
      }
      // Creating the iframe for logout
      try {
        const iframe = document.createElement('iframe');
        iframe.style.display = 'none';
        iframe.src = `${process.env.REACT_APP_FORTI}/login/?next=/`;
        document.body.appendChild(iframe);
      } catch (error) {
        alert("ERROR creating the iframe");
      }
      // Immediately redirect the browser to the authorization endpoint again
      const SSO_CLIENT_ID = process.env.REACT_APP_CLIENT_ID;
      const SSO_REDIRECT_URI = process.env.REACT_APP_REDIRECT_URI;
      const SSO_AUTH_URL = process.env.REACT_APP_AUTH_URL;
      const SSO_SCOPE = process.env.REACT_APP_SCOPE;
      window.location.href = `${SSO_AUTH_URL}?response_type=code&client_id=${SSO_CLIENT_ID}&redirect_uri=${encodeURIComponent(SSO_REDIRECT_URI)}&scope=${encodeURIComponent(SSO_SCOPE)}&site=${encodeURIComponent('calabria')}`;
    } catch (error) {
      alert("Error logging out: " + error.message);
    }
  }
};
```
THANKS in Advance
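An added example, not the poster's or FortiAuthenticator's code, of a logout routine that revokes the refresh token as well as the access token through the same `/oauth/revoke_token/` path and then returns a neutral post-logout URL instead of re-entering the authorization endpoint, which is the step that lets a still-valid IdP session cookie mint the extra token observed above. The `proxyUrl`, `postLogoutUrl`, injectable `fetchImpl` and `storage` parameters are assumptions, and the RFC 7009 `token_type_hint` field is sent on the assumption that the server tolerates it.

```javascript
// Added example (not the thread's code). Only `/oauth/revoke_token/` comes from
// the thread; proxyUrl, postLogoutUrl, fetchImpl and storage are assumptions so
// the routine can run outside a browser.
async function revokeToken(fetchImpl, proxyUrl, token, hint) {
  // token_type_hint follows RFC 7009; a server is free to ignore it.
  const res = await fetchImpl(`${proxyUrl}/oauth/revoke_token/`, {
    method: 'POST',
    headers: { 'Content-Type': 'application/json' },
    body: JSON.stringify({ token, token_type_hint: hint }),
  });
  return res.ok;
}

async function logout({ accessToken, refreshToken, proxyUrl, postLogoutUrl, fetchImpl, storage }) {
  const outcome = { refreshRevoked: false, accessRevoked: false, next: postLogoutUrl };
  // Revoke the refresh token first: if it survives, a client could simply mint
  // a fresh access token after the old one is gone.
  if (refreshToken) {
    outcome.refreshRevoked = await revokeToken(fetchImpl, proxyUrl, refreshToken, 'refresh_token');
  }
  if (accessToken) {
    outcome.accessRevoked = await revokeToken(fetchImpl, proxyUrl, accessToken, 'access_token');
  }
  // Drop local copies whatever the server answered, so the SPA cannot reuse them.
  storage.removeItem('access_token');
  storage.removeItem('refresh_token');
  // Land on a neutral page. Navigating to the /authorize URL here would let the
  // IdP's still-valid session cookie issue a new code, and so a new token, with
  // no credential prompt: the accumulation seen in the monitoring console.
  return outcome;
}

// Constructed offline run with a fake fetch that records what would be sent.
function demo() {
  const sent = [];
  const fakeFetch = async (url, opts) => {
    sent.push({ url, body: JSON.parse(opts.body) });
    return { ok: true };
  };
  const store = new Map([['access_token', 'at-1'], ['refresh_token', 'rt-1']]);
  const storage = { removeItem: (k) => store.delete(k) };
  return logout({
    accessToken: 'at-1', refreshToken: 'rt-1', proxyUrl: 'https://proxy.example',
    postLogoutUrl: '/logged-out', fetchImpl: fakeFetch, storage,
  }).then((outcome) => ({ outcome, sent, remaining: store.size }));
}
```

Ending the IdP's own browser session still needs a server-side logout endpoint, which the thread reports this version lacks; revocation only invalidates the tokens the client holds.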