
OIDC logout returns 404 for GLOBAL apps

Symptom

A GLOBAL-scoped application tries to log a user out via something like:

https://scaikey.scailabs.ai/oidc/logout?post_logout_redirect_uri=...&client_id=...

The browser sees a 404. The user stays signed in.

Cause

There is no /oidc/logout route in ScaiKey. The URL was a guess; nothing serves it.

Real OIDC logout (RP-initiated end_session) endpoints in ScaiKey are:

  • Tenant-scoped: /api/v1/auth/tenants/{slug}/oauth/logout
  • Platform (for GLOBAL apps): /api/v1/platform/oauth/logout

A GLOBAL application doesn't have a tenant slug to put in the URL, which is why the tenant variant isn't usable — that's the right intuition. The fix is to use the platform variant, which resolves the user's tenant via the SSO session cookie instead of from the URL.

Fix

Send users to:

$SCAIKEY/api/v1/platform/oauth/logout?post_logout_redirect_uri=https%3A%2F%2Fyourapp.example%2Flogin&client_id=<your client_id>

Query parameters:

| Parameter | Required | Notes |
|---|---|---|
| post_logout_redirect_uri | recommended | Where to send the user after logout. Should be registered in the app's logout_uris |
| id_token_hint | optional | The user's last ID token; helps ScaiKey identify the session if the cookie was lost |
| state | optional | Echoed back in the redirect for CSRF |
| client_id | optional | Your client_id — informational |

The endpoint:

  1. Reads the SSO session cookie.
  2. Terminates the session (sets terminated_at, terminated_reason=user_logout).
  3. Clears the SSO cookie.
  4. Redirects to post_logout_redirect_uri if provided, otherwise to the default ScaiKey "signed out" page.

Discovery

The platform .well-known/openid-configuration document includes end_session_endpoint pointing at the platform logout URL — modern OIDC libraries read this automatically when configured against the platform discovery URL. If your OIDC library is reading discovery, you shouldn't need to hardcode anything.
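For clients that build the logout redirect by hand, the following added example (not ScaiKey's own code) takes the endpoint from an already-fetched discovery document instead of a guessed path, checks the redirect target against the app's registered logout URIs, and verifies the echoed state on return. The function names, the `my-client` id used in testing, the local `registered_logout_uris` list and the sample discovery dictionary are assumptions constructed from the URLs on this page.

```python
import hmac
import secrets
from urllib.parse import parse_qs, urlencode, urlsplit

# Constructed sample: only the discovery field this example needs.
SAMPLE_DISCOVERY = {
    "end_session_endpoint": "https://scaikey.scailabs.ai/api/v1/platform/oauth/logout",
}


def build_logout_url(discovery, client_id, post_logout_redirect_uri,
                     registered_logout_uris, id_token_hint=None):
    """Return (logout_url, state) for an RP-initiated logout redirect."""
    # Use what discovery advertises; fail loudly rather than guess a path.
    endpoint = discovery.get("end_session_endpoint")
    if not endpoint or urlsplit(endpoint).scheme != "https":
        raise ValueError("discovery has no usable end_session_endpoint")
    # Exact match against a local copy of the app's logout_uris (assumed to
    # mirror what is registered in ScaiKey), so the app never sends users
    # to a target the server would refuse.
    if post_logout_redirect_uri not in registered_logout_uris:
        raise ValueError("post_logout_redirect_uri is not registered")
    # Unpredictable per-request value; store it server-side until the return.
    state = secrets.token_urlsafe(32)
    params = {
        "post_logout_redirect_uri": post_logout_redirect_uri,
        "client_id": client_id,
        "state": state,
    }
    if id_token_hint:
        # Helps identify the session if the SSO cookie was lost.
        params["id_token_hint"] = id_token_hint
    return f"{endpoint}?{urlencode(params)}", state


def state_matches(return_url, expected_state):
    """Check the state echoed back on the post-logout redirect."""
    echoed = parse_qs(urlsplit(return_url).query).get("state", [""])[0]
    # Constant-time comparison of the echoed and stored values.
    return hmac.compare_digest(echoed.encode(), expected_state.encode())
```
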

Auth UI behavior

If you hit $SCAIKEY/auth/logout?post_logout_redirect_uri=... directly (the user-facing logout page rather than the OIDC endpoint), the page clears local browser state and then bounces to post_logout_redirect_uri. This works for GLOBAL apps too — it's a fine fallback if you want to control the visible "signing out…" message before redirect. Note it's a frontend page, not an OIDC end_session endpoint, so it doesn't appear in discovery.

Updated 2026-05-17 12:20:38, rev 1