Dynamic Post-Logout URLs in APEX
Introduction
When using single sign-on type authentication schemes like Social Sign-In, you need to define a Post-Logout URL in APEX so that the Authentication provider redirects your APEX App to a public page after it completes the logout. When you deploy your App to TEST and PROD, the Post-Logout URL (Public Page) changes with your instance URL. This introduces a challenge: the Post-Logout URL setup in APEX does not easily support dynamic values, so you must manually update it after deploying your App.
Background
The diagram below shows a typical logout flow for a Social Sign-In type Authentication Scheme. In my use case, I want the Authentication provider to redirect to a public page in my APEX App after the logout completes.
In the APEX Authentication Scheme, we can specify where we want APEX to go after logout is complete:
You can specify either:
Home Page - Attempts to go to the home page after logout; because the session is invalid, it then redirects to the login page. This is not suitable for Social Sign-In because it will just trigger another login with the Authentication Provider.
URL - You can specify a URL APEX should go to after the logout. Unfortunately, the Post-Logout URL field does not support APEX-style runtime substitution such as
f?p=&APP_ID.:9999. On the surface, the best you can do is enter a hard-coded URL, e.g.,https://example.com/ords/dev/logout-page. When deploying to TEST or PROD, we must change this URL manually (there is no API).
The Solution
The best workaround I have come up with is as follows.
1 - Create an Application Item
Create an Application Item to store the Post-Logout URL. Here is a screenshot of the Application Item, which, for my example, I have called AI_POST_LOGOUT_URL.
2 - Create an Application Setting
Create an Application Setting to store the Post-Logout URL. Here is a screenshot of an Application Setting named POST_LOGOUT_URL.
This means the first time you deploy your App to a new instance, you will need to change the URL to the appropriate URL for the target instance. Moving forward (as long as you have ‘On Upgrade Keep Value’ set to Yes), you will no longer have to change it.
3 - Populate the Application Item for New Sessions
You will need to set the application item AI_POST_LOGOUT_URL to the value of the Application setting when creating a new session. The easiest place to do this is in an ‘After Authentication’ Application Process. In the screenshot below, I am calling apex_session_state.set_value directly from the ‘After Authentication’ Process of my App.
BEGIN
-- Copy the environment-specific setting into session state once per login
apex_session_state.set_value
(p_item => 'AI_POST_LOGOUT_URL',
p_value => apex_app_setting.get_value('POST_LOGOUT_URL'));
END;
4 - Set the Post-Logout URL to the Value of the Application Item
Finally, we must set the Post-Logout URL to the value of the Application Item AI_POST_LOGOUT_URL:
Alternatives
Of course, you do not have to use the APEX Application Setting to store the URL. You could store the URLs in your own table keyed on the instance SID/Service Name, but I think storing them in an APEX Application setting is more compact and standard APEX.
Because the Post-Logout URL ultimately controls the redirect, you should ensure it is fully trusted and not user-modifiable. Application Settings are ideal here because they are developer-controlled and not influenced by runtime user input.
Conclusion
This pattern has proven reliable and eliminates a common manual deployment step when using Social Sign-In in APEX.
