diff --git a/src/Controller/OpenIDConnectRedirectController.php b/src/Controller/OpenIDConnectRedirectController.php
index 3925c0f..27d7805 100644
--- a/src/Controller/OpenIDConnectRedirectController.php
+++ b/src/Controller/OpenIDConnectRedirectController.php
@@ -257,12 +257,16 @@ class OpenIDConnectRedirectController extends ControllerBase implements AccessIn
 user_logout();
 // Destroy session if provider supports it.
- if (method_exists($client, 'endSession')) {
- $redirect = $client->endSession();
- return new RedirectResponse($redirect);
+ $endpoints = $client->getEndpoints();
+ if (!empty($endpoints['end_session'])) {
+ $redirect = $client->endSession($endpoints['end_session']);
+ $response = new TrustedRedirectResponse($redirect->getGeneratedUrl());
+ $response->addCacheableDependency($redirect);
+
+ return $response;
 }
 \Drupal::logger('openid_connect')
- ->error('@provider plugin does not support log out. You are logged out of the site but not out of the OpenID Connect provider.', ['@provider' => $plugin_name]);
+ ->warning('@provider plugin does not support log out. You are logged out of the site but not out of the OpenID Connect provider.', ['@provider' => $plugin_name]);
 }
 }
 else {
diff --git a/src/Plugin/OpenIDConnectClientBase.php b/src/Plugin/OpenIDConnectClientBase.php
index 676f4cb..84f2961 100644
--- a/src/Plugin/OpenIDConnectClientBase.php
+++ b/src/Plugin/OpenIDConnectClientBase.php
@@ -202,6 +202,7 @@ abstract class OpenIDConnectClientBase extends PluginBase implements OpenIDConne
 '#title' => $this->t('Post-logout redirect URL'),
 '#type' => 'textfield',
 '#default_value' => $this->configuration['post_logout_redirect_url'],
+ '#description' => '"/": A path within the current site.',
 ];
 return $form;
 }
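Review bot: In the OpenIDConnectRedirectController.php hunk, `$client->endSession($endpoints['end_session'])` is now called without the `method_exists` guard the old code had, and with a new required argument. If `endSession()` is not declared on the client plugin interface (not visible here), a plugin that does not extend OpenIDConnectClientBase, or one that still overrides the old zero-argument `endSession()`, would fail at this point after `user_logout()` has already run, leaving the user signed in at the provider. Consider keeping both checks, `if (!empty($endpoints['end_session']) && method_exists($client, 'endSession')) {`, or adding the method to the interface. The diff also shows no `use` line for `TrustedRedirectResponse`, so confirm it is imported. The enclosing method begins and ends outside this hunk.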
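Review bot: In the first OpenIDConnectClientBase.php hunk (at -202), the new `'#description'` is a bare string literal while the `'#title'` above it goes through `$this->t()`, so the help text will not be translatable. Use `'#description' => $this->t('"/": A path within the current site.'),`. The wording could also say outright that the value is treated as a site-internal path, since getLogoutRedirectUrl() in this same commit prefixes whatever is entered with `/`. The form-building method starts outside this hunk.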
@@ -243,7 +244,11 @@ abstract class OpenIDConnectClientBase extends PluginBase implements OpenIDConne
 * Redirect URL
 */
 public function getLogoutRedirectUrl() {
- return $this->configuration['post_logout_redirect_url'];
+ return $this->configuration['post_logout_redirect_url']
+ ? Url::fromUserInput('/' . ltrim($this->configuration['post_logout_redirect_url'], '/'), [
+ 'absolute' => TRUE,
+ ])->toString(TRUE)->getGeneratedUrl()
+ : '';
 }
 /**
@@ -428,17 +433,26 @@ abstract class OpenIDConnectClientBase extends PluginBase implements OpenIDConne
 /**
 * End user session.
+ *
+ * @param string $endpoint
+ * End session endpoint.
+ *
+ * @return \Drupal\Core\GeneratedUrl
+ * End session uri.
 */
- public function endSession() {
- $endpoints = $this->getEndpoints();
+ public function endSession($endpoint) {
+ $url_options = [];
 $post_logout_redirect_url = $this->getLogoutRedirectUrl();
- $uri = $endpoints['end_session'] . '?post_logout_redirect_uri=' . $post_logout_redirect_url;
+ if ($post_logout_redirect_url) {
+ $url_options['query']['post_logout_redirect_uri'] = $post_logout_redirect_url;
+ }
 // To use id_token_hint implement hook_openid_connect_userinfo_save().
 $id_token = \Drupal::service('tempstore.private')->get('openid_connect_tokens')->get('id_token');
 if ($id_token) {
- $uri .= '&id_token_hint=' . $id_token;
+ $url_options['query']['id_token_hint'] = $post_logout_redirect_url;
 }
- return $uri;
+ return Url::fromUri($endpoint, $url_options)
+ ->toString(TRUE);
 }
 }
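Review bot: In getLogoutRedirectUrl() (hunk at -243), every stored value is now forced into a site-internal path by `'/' . ltrim(..., '/')`, so a previously configured absolute URL (for example a constructed `https://example.org/bye`) would be treated as the local path `/https://example.org/bye` with no warning to the administrator. Keeping the post-logout redirect on-site is a sound restriction, but the value should be rejected at form validation when it is not a local path rather than rewritten silently at logout; no such validation appears in this diff. The docblock above, which begins outside the hunk, should say that the return value is an absolute URL for an internal path, or an empty string when nothing is configured. Also confirm `Url` is imported in this file, as no `use` line is added in the visible hunks.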
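Review bot: In endSession() (hunk at -428), `$url_options['query']['id_token_hint'] = $post_logout_redirect_url;` assigns the redirect URL where the ID token belongs, so the provider receives an invalid hint (an empty one when no redirect URL is configured) and `$id_token` is only ever tested, never sent. The line should read `$url_options['query']['id_token_hint'] = $id_token;`. Providers commonly rely on id_token_hint to identify the session and to accept post_logout_redirect_uri, so as written the provider-side logout is likely to fail or fall back to a confirmation prompt. Separately, `Url::fromUri($endpoint, ...)` throws on a value without a scheme, so the `@param` text should state that `$endpoint` must be an absolute URI taken from the plugin's own endpoint configuration.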