Logout Model
Summary
Keymate provides a structured logout model with five scopes that control the breadth of session termination — from a single user session to all sessions within a realm. Logout operations execute asynchronously with per-request status tracking, support bulk execution across multiple targets, and carry correlation identifiers and reasons for audit purposes. This model enables security teams and administrators to perform targeted, auditable session termination at the appropriate scope for each situation.
Why It Exists
Security incidents, compliance requirements, and administrative actions require session termination at different levels of breadth. A compromised credential may require terminating all sessions for a specific user. A vulnerable application may require terminating all sessions for that application across all users. A realm-wide security event may require terminating all sessions entirely. The logout model provides these capabilities with the auditability and operational visibility that enterprise environments demand.
Where It Fits in Keymate
Logout operations trigger session termination, which cascades through the session hierarchy and invalidates associated tokens. When a logout operation terminates a session, enhanced introspection returns inactive for tokens tied to that session. The logout model provides the operational interface; session governance handles the mechanics of termination and cascade.
Boundaries
This page covers logout scopes, asynchronous execution, status tracking, bulk operations, and audit correlation. It does not cover:
- Session hierarchy and cascade mechanics — see Session Governance
- Token revocation during context switching — see Token Exchange Model
- Token claim structure — see Token Claims & Context
How It Works
Logout Scopes
The platform supports five logout scopes, ordered from narrowest to broadest:
- Single session logout — Terminates one specific user session. Use this when a user logs out from a specific device or when an administrator needs to end a particular session without affecting the user's other sessions.
- Client session logout — Terminates sessions for a specific application for a specific user. Use this to revoke a user's access to a particular application while leaving their other application sessions active.
- User-level logout — Terminates all sessions for a specific user across all applications. Use this when a user's credentials are compromised or when an administrator needs to force complete re-authentication.
- Application-level logout — Terminates all sessions for a specific application across all users. Use this when an application has a security vulnerability and all user sessions for that application must be invalidated.
- Realm-wide logout — Terminates all sessions within a realm. Use this for critical security events that require complete session invalidation across the entire environment.
Asynchronous Execution
Logout operations execute asynchronously. When a caller submits a logout request, the platform accepts it and begins processing in the background. This design prevents logout operations — particularly broad-scope ones that affect many sessions — from blocking the caller. The caller receives an immediate acknowledgment and can track the operation's progress through status queries.
Status Tracking
Each logout request has a trackable status. After submitting a logout operation, administrators and systems can query the status to determine whether the operation is pending, in progress, or complete. This visibility is essential for broad-scope operations where termination of all affected sessions may take time.
Bulk Operations
The platform supports bulk logout, allowing multiple logout targets to be processed in a single request. Rather than issuing individual logout calls for each target, an administrator can submit a batch that includes multiple users, sessions, or applications. The platform processes these as a coordinated operation with unified status tracking.
Correlation and Reason
Every logout request carries a correlation identifier and a reason. The correlation identifier links the logout operation to the triggering event — such as a security incident ticket or an administrative action. The reason field records why the logout was initiated. Together, these fields provide an audit trail that connects session termination events to their business context.
Diagram
Example Scenario
Scenario
The security team detects that a user's credentials have been compromised. They need to terminate all of the user's active sessions immediately and record the incident reference for audit purposes.
Input
- Actor: Security administrator
- Resource: All sessions for the compromised user
- Action: User-level logout with correlation to the security incident
- Context: The user has active sessions across three applications, including sessions with child sessions in external systems
Expected Outcome
- Applied — The platform accepts the user-level logout request, begins asynchronous termination of all the user's sessions, and returns a trackable status. Session governance cascades the termination to child sessions and external system sessions. The correlation identifier and reason ("credential compromise") are recorded for audit.
- Why: User-level scope targets all sessions for the user. Asynchronous execution prevents blocking. Status tracking allows the security team to verify completion. Correlation links the termination to the incident record.
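The scenario above, together with the scope, asynchronous status and cascade behaviour described under How It Works, worked through in a small Python model. This is an added illustration and not Keymate's API or code; the Session and LogoutService names, the job-id format, the status strings, the request dictionary shape and the sample session data are all assumed or constructed here.

```python
from collections import namedtuple

Session = namedtuple("Session", "id user app parent", defaults=(None,))  # parent: child sessions cascade from it
SCOPES = {  # the five scopes, narrowest to broadest, each a predicate over (session, request)
    "single_session": lambda s, r: s.id == r["session_id"],
    "client_session": lambda s, r: s.user == r["user"] and s.app == r["app"],
    "user": lambda s, r: s.user == r["user"],
    "application": lambda s, r: s.app == r["app"],
    "realm": lambda s, r: True,
}

class LogoutService:  # hypothetical model of the flow, not Keymate's real API
    def __init__(self, sessions):
        self.sessions = {s.id: s for s in sessions}
        self.active = set(self.sessions)   # ids of sessions not yet terminated
        self.jobs = {}                     # job_id -> status plus audit record (requests, terminated ids)

    def submit(self, *requests):  # one request or a bulk batch; returns a job id without waiting
        if any(r.get("scope") not in SCOPES or not (r.get("correlation_id") and r.get("reason")) for r in requests):
            raise ValueError("every request needs a valid scope, a correlation_id and a reason")
        job_id = f"job-{len(self.jobs) + 1}"
        self.jobs[job_id] = {"status": "pending", "requests": list(requests), "terminated": []}
        return job_id

    def status(self, job_id):
        return self.jobs[job_id]["status"]  # pending -> in_progress -> complete

    def _terminate(self, sid, job):
        if sid in self.active:
            self.active.discard(sid)
            job["terminated"].append(sid)
            for child in self.sessions.values():  # cascade into child sessions (e.g. in external systems)
                if child.parent == sid:
                    self._terminate(child.id, job)

    def run_pending(self):  # background worker step: drive every pending job to completion
        for job in [j for j in self.jobs.values() if j["status"] == "pending"]:
            job["status"] = "in_progress"
            for r in job["requests"]:
                for s in list(self.sessions.values()):
                    if SCOPES[r["scope"]](s, r):
                        self._terminate(s.id, job)
            job["status"] = "complete"

def compromised_user_scenario():
    # Constructed sample: alice has sessions in three apps; the erp session has a child in an external system.
    svc = LogoutService([Session("s1", "alice", "crm"), Session("s2", "alice", "mail"), Session("s3", "alice", "erp"),
                         Session("s3-ext", "alice", "erp-partner", parent="s3"), Session("s4", "bob", "crm")])
    job = svc.submit({"scope": "user", "user": "alice", "correlation_id": "INC-1234", "reason": "credential compromise"})
    acknowledged = svc.status(job)   # "pending": the security team is not blocked while sessions are torn down
    svc.run_pending()                # later: the worker terminates all four of alice's sessions, bob's stays
    return acknowledged, svc.status(job), sorted(svc.jobs[job]["terminated"]), sorted(svc.active)
```

The job record keeps the correlation identifier and reason next to the list of terminated session ids, which is the audit trail the page describes; a request without those fields is rejected at submission time.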
Common Misunderstandings
- "Logout is synchronous and blocking" — No. Logout operations execute asynchronously. The caller receives an immediate acknowledgment and tracks progress through status queries. This design handles broad-scope operations that may affect thousands of sessions.
- "Realm-wide logout only affects the requesting user" — No. Realm-wide scope terminates all sessions within the realm for all users. Use this scope with caution — it is intended for critical security events.
- "There is no way to track whether a logout operation completed" — Each logout request has a trackable status that reports the operation's progress from submission through completion.
Broad-scope logout operations (application-level and realm-wide) affect all users within the scope. Verify the intended scope before submitting the request. These operations cannot be undone — terminated sessions require re-authentication.
Design Notes / Best Practices
- Use the narrowest scope that addresses the situation. Single session or client session logout is preferable to user-level logout when the concern is limited to a specific device or application.
- Include meaningful correlation identifiers and reasons with every logout request. These fields are valuable during incident investigation and compliance audits.
- Monitor the status of broad-scope logout operations to confirm that termination completed across all affected sessions, including cascaded child sessions.
- Combine user-level logout with account disablement for credential compromise scenarios. Logout terminates existing sessions, and disablement prevents new sessions from being created.
Related Use Cases
- Immediate access revocation after credential compromise detection
- Application-wide session termination during a security vulnerability response
- Auditable administrative logout with incident correlation
- Bulk session cleanup during scheduled maintenance or compliance operations