Endpoint to terminate authenticated end-user sessions, as per OpenID Connect Session Management 1.0 - draft 5.

Query the well-known configuration endpoint for the realm to determine the URL of the end session endpoint. For example, https://openam.example.com:8443/openam/oauth2/realms/root/realms/subrealm1/.well-known/openid-configuration.

The endpoint supports the following query parameters:


The ID token corresponding to the identity of the end user the relying party is requesting to be logged out by AM.

Required: Yes


To support ending sessions when ID tokens are encrypted, AM requires that the request to the end session endpoint includes the client ID to which AM issued the ID token.

Failure to include the client ID will result in error; AM needs the information in the client profile to decrypt the token.

This parameter is not compliant with the specification.

Required: Yes, if the ID token is encrypted.


The URL AM will redirect to after logout.

For security reasons, the value of this parameter must match one of the values configured in the Post Logout Redirect URIs field of the client profile.

If a logout redirection URL is specified, AM redirects the end user to it after they have been logged out.

If a logout redirection URL is not specified, AM returns an HTTP 204 message to indicate the user has been logged out, and does not perform more actions.

Required: No

To log out an end user from AM, perform a call to the end session endpoint and provide the access token granted in an OpenID Connect flow as an authorization bearer header.

The following example shows AM deleting a session when an encrypted ID token is provided:

$ curl --dump-header - \
--request GET \
--header "Authorization: Bearer U-Wjlv-w1jtpuBVWUGFV6PwI_nE" \
HTTP/1.1 204 No Content
Server: Apache-Coyote/1.1
X-Frame-Options: SAMEORIGIN
Date: Wed, 20 Mar 2019 15:47:13 GMT
Read a different version of :