diff --git a/nginx.conf b/nginx.conf
index 9ffb913..91043d6 100644
--- a/nginx.conf
+++ b/nginx.conf
@@ -40,17 +40,19 @@ http {
 # Full logout: clears local session and redirects to Keycloak logout
 location = /logout {
- limit_except GET POST { deny all; } # allow both GET and POST
+ limit_except GET POST { deny all; }
 access_by_lua_block {
 local session = require("resty.session").start()
+ local id_token = session.data and session.data.id_token
 session:destroy()
- local logout_url = os.getenv("KEYCLOAK_LOGOUT_URL")
- if not logout_url then
- ngx.status = 500
- ngx.say("KEYCLOAK_LOGOUT_URL environment variable not set")
- return
+ local redirect_uri = "https://demo.rhein-software.dev"
+ local logout_url = "https://sso.rhein-software.dev/realms/rheinsw/protocol/openid-connect/logout"
+ .. "?post_logout_redirect_uri=" .. ngx.escape_uri(redirect_uri)
+
+ if id_token then
+ logout_url = logout_url .. "&id_token_hint=" .. ngx.escape_uri(id_token)
 end
 return ngx.redirect(logout_url)
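Review bot: `session.data.id_token` goes straight into `ngx.escape_uri` in the `if id_token then` branch, but nothing in the hunk guarantees it is the raw JWT string. If the session is written by lua-resty-openidc, that key normally holds the decoded claims table and the encoded token sits under `enc_id_token`, so the call would fail or send a stringified table as the hint, after the local session is already destroyed. Guard it with `if type(id_token) == "string" then`, or read `session.data.enc_id_token` once confirmed against whatever populates the session. When no token is available the redirect carries `post_logout_redirect_uri` alone, which recent Keycloak releases reject unless `client_id` is also sent, so consider `"&client_id=" .. ngx.escape_uri("<CLIENT_ID>")` as the fallback. The ID token also lands in the URL and therefore in browser history and proxy/IdP access logs, which should be handled as containing identity claims; the `access_by_lua_block` and `location` bodies continue past the end of the hunk.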