We already had a blog post on logging out, but the workaround provided in it does not work anymore.
One major change is that now user session info is shared between browser tabs. So for example if you log into https://aps.autodesk.com/ with a specific user account then open up https://www.autodesk.com/ and try to log in, the current user account will be used automatically without having to provide the credentials again.
Your APS app will also take advantage of the same thing.
But how could a different user log in then?
Just like on the Autodesk websites, before you are prompted to log in with a different user account, you have to log out.
We have a new logout endpoint, but just like the one used in the previous blog post, it does not allow just any redirect URIs, which means that you cannot take the user back to your website after logging out.
Note: only URIs that have been approved by the engineering team (mainly all the various Autodesk websites) are accepted by the logout endpoint. You can contact us to get your website allow-listed, but it might not be approved.
However, I don't think anyone really needs the logout endpoint to achieve what they want.
If you have a specific use case that is not covered below then let us know.
The two main purposes of logging out:
a) prevent the user from doing any further operations on your website
You can do this without calling the logout endpoint. You just have to consider the user logged out: delete all session data and access token used by your website.
b) enable the user to log in with a different user account
By default, if you trigger the login process via the authorize endpoint then it will end up with an access token for the account that is already available.
However, if you call it with the prompt=login query string parameter then the user will be able to provide the credentials of another user account:
