/oauth2/connect/endSession
Endpoint to terminate authenticated end-user sessions, as per OpenID Connect Session Management 1.0 - draft 5.
Query the well-known configuration endpoint for the realm to determine the URL of the end session endpoint. For example, https://openam.example.com:8443/openam/oauth2/realms/root/realms/alpha/.well-known/openid-configuration
.
The endpoint supports the following query parameters:
id_token_hint
The ID token corresponding to the identity of the end user the relying party is requesting to be logged out by AM.
Required: Yes
client_id
To support ending sessions when ID tokens are encrypted, AM requires that the request to the end session endpoint includes the client ID to which AM issued the ID token.
Failure to include the client ID will result in error; AM needs the information in the client profile to decrypt the token.
This parameter is
not
compliant with the specification.Required: Yes, if the ID token is encrypted.
post_logout_redirect_uri
The URL AM will redirect to after logout.
For security reasons, the value of this parameter must match one of the values configured in the Post Logout Redirect URIs field of the client profile.
If a logout redirection URL is specified, AM redirects the end user to it after they have been logged out.
If a logout redirection URL is not specified, AM returns an HTTP 204 message to indicate the user has been logged out, and does not perform more actions.
Required: No
This example shows AM deleting a session when an encrypted ID token is provided, and redirecting the end user to the logout redirect URL specified:
$curl --dump-header - \ --request GET \ "https://openam.example.com:8443/openam/oauth2/realms/root/realms/alpha/connect/endSession?id_token_hint=eyJ0eXAiOiJKV1QiLCJra...&post_logout_redirect_uri=https://www.example.com:443/logout_callback&client_id=myClient"
HTTP/1.1 302 X-Frame-Options: SAMEORIGIN X-Content-Type-Options: nosniff Location: https://www.example.com:443/logout_callback Content-Length: 0 Date: Mon, 12 Sep 2022 09:33:45 GMT