TSphinxWebLogin: Add LogoutAndEndSession overload with post_logout_redirect_uri support

Can we have a way to send a post-logout redirect URI along with the logout and end session request? I'm thinking about something like the following in TSphinxWebLogin:

  • procedure LogoutAndEndSession(const APostLogoutRedirectUri: string); overload;
  • or procedure LogoutAndEndSessionTo(const APostLogoutRedirectUri: string);

Unless I'm mistaken, currently SphinxLogin.LogoutAndEndSession does not send a post_logout_redirect_uri parameter and leaves the user at the "signed out" page. In our case, once signed out, we would like the browser to be redirected to the login page.

I've implemented the following workaround in our project that performs the desired behaviour. You can send a post-logout redirect with Client.BuildLogoutUrl; however, Client is strict protected and so cannot be called from consuming code (hence the need for the wrapper).

type
    // Subclass whose only purpose is to reach the strict protected Client.
    TSphinxWebLoginCracker = class(TSphinxWebLogin)
    public
        [Async]
        procedure LogoutAndEndSessionTo(const APostLogoutRedirectUri: string);
    end;

procedure TSphinxWebLoginCracker.LogoutAndEndSessionTo(const APostLogoutRedirectUri: string);
var
    LIdToken: string;
    LEndSessionUrl: string;
begin
    // Capture the ID token before calling Logout so it can still be
    // passed to BuildLogoutUrl afterwards.
    LIdToken := '';
    if Storage.AuthResult <> nil then
        LIdToken := Storage.AuthResult.IdToken;

    Logout;
    // Build the end-session URL, including the post-logout redirect URI.
    LEndSessionUrl := await(Client.BuildLogoutUrl(LIdToken, APostLogoutRedirectUri));
    if LEndSessionUrl <> '' then
        window.location.href := LEndSessionUrl;
end;

Also note that the post-logout redirect URI has been added to SphinxClientApp.PostLogoutRedirectUris for validation. Is there a better way of implementing this behaviour, please?

I didn't understand your comment here.

Other than this, yes, it's a valid suggestion, but maybe just make the Client property public? With it, you can just build and call the logout url the way you want to.


It’s possible I’ve confused the issue, sorry.

For our workaround, we add APostLogoutRedirectUri (the value sent as post_logout_redirect_uri) to SphinxClientApp.PostLogoutRedirectUris, because I believe this is the allow-list used to validate whether that redirect URI is accepted or denied.

Making Client public would help us if that is the route you go for, thanks.

Yes, that's mandatory anyway, the server won't accept arbitrary post logout uris sent by clients, they have to be white listed in the ClientApp configuration.

Ok, will make the property public for next version.
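The exchange discussed in this thread, as an added example that is not part of the original posts and is not Sphinx's own code: the client builds an end-session URL carrying post_logout_redirect_uri, and the server redirects only when that value exactly matches an entry registered for the client, otherwise it stays on the "signed out" page. The endpoint, client id, URLs and function names are assumptions made for the illustration, and it is written in JavaScript because the workaround above runs in the browser.

```javascript
// Constructed sample configuration; every name and URL here is hypothetical.
const END_SESSION_ENDPOINT = "https://sso.example.test/oauth/logout";
const SIGNED_OUT_PAGE = "https://sso.example.test/signed-out";
// Per-client allow-list, standing in for a PostLogoutRedirectUris setting.
const REGISTERED = new Map([["web-app", ["https://app.example.test/login"]]]);

// Client side: build the end-session request URL.
function buildEndSessionUrl({ idToken, clientId, postLogoutRedirectUri, state }) {
  const url = new URL(END_SESSION_ENDPOINT);
  if (idToken) url.searchParams.set("id_token_hint", idToken);
  if (clientId) url.searchParams.set("client_id", clientId);
  if (postLogoutRedirectUri) {
    url.searchParams.set("post_logout_redirect_uri", postLogoutRedirectUri);
    if (state) url.searchParams.set("state", state);
  }
  return url.toString();
}

// Server side: decide where the browser lands once the session has ended.
// Exact string comparison only (no prefix match, case folding or
// normalisation), so a look-alike of a registered URI is never followed.
// Assumption: the client is identified by client_id; a real provider would
// also verify id_token_hint before trusting the request.
function resolvePostLogoutTarget(requestUrl) {
  const params = new URL(requestUrl).searchParams;
  const requested = params.get("post_logout_redirect_uri");
  const allowed = REGISTERED.get(params.get("client_id")) || [];
  if (!requested || !allowed.includes(requested)) return SIGNED_OUT_PAGE;
  const target = new URL(requested);
  const state = params.get("state");
  if (state) target.searchParams.set("state", state);
  return target.toString();
}

// Constructed requests: the registered URI, three near misses, and none.
function demo() {
  const candidates = [
    "https://app.example.test/login",
    "https://app.example.test/login/",
    "https://app.example.test/login/extra",
    "https://APP.example.test/Login",
    "",
  ];
  return candidates.map((uri) => resolvePostLogoutTarget(buildEndSessionUrl({
    idToken: "constructed.id.token", clientId: "web-app",
    postLogoutRedirectUri: uri, state: "s1",
  })));
}
```
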
