Endpoint to terminate authenticated end-user sessions, as per OpenID Connect Session Management 1.0 - draft 5.

The end session endpoint supports the following query parameters:


The ID token corresponding to the identity of the end user the relying party is requesting to be logged out by AM.

Required: Yes


To support ending sessions when ID tokens are encrypted, AM requires that the request to the end session endpoint includes the client ID for which AM issued the ID token.

Failure to include the client ID will result in error; AM needs the information in the client profile to decrypt the token.

This parameter is not compliant with the specification.

Required: Yes, if the ID token is encrypted.


The URL AM will redirect the end user's user agent after the logout.

For security reasons, the value of this parameter must match the one configured in the Post Logout Redirect URIs field of the client profile.

If a logout redirection URL is specified, AM redirects the end user to it after they have been logged out.

If a logout redirection URL is not specified, AM returns an HTTP 204 message to indicate the user has been logged out, and does not perform more actions.

Required: No


Query the /oauth2/.well-known/openid-configuration endpoint to determine the URL of the end session endpoint.

To log out an end user from AM, perform a call to the end session endpoint and provide the access token granted in an OpenID Connect flow as an authorization bearer header.

The endpoint is always accessed from the root realm. For example, https://openam.example.com:8443/openam/oauth2/connect/endSession.

The following example shows AM deleting a session when an encrypted ID token is provided:

$ curl --dump-header - \
--request GET \
--header "Authorization: Bearer U-Wjlv-w1jtpuBVWUGFV6PwI_nE" \
HTTP/1.1 204 No Content
Server: Apache-Coyote/1.1
X-Frame-Options: SAMEORIGIN
Date: Wed, 20 Mar 2019 15:47:13 GMT
Read a different version of :