Identity Cloud

Invalidate a user’s sessions

To log out all sessions for a given user, first obtain a list of session handles of their active sessions. To do so, send an HTTP GET request to the /json/sessions/ endpoint, using the SSO token of an administrative user as the value of the <session-cookie-name> header.

Use a queryFilter to specify the user and the realm to search. You must specify the user’s UUID rather than their username. The following query filter obtains a list of session handles for bjensen in the alpha realm:

username eq "d8ff3025-d619-4547-83ab-750f568384f6" and realm eq "/alpha"

The query filter value must be URL-encoded when sent over HTTP.

For details on query filter parameters, refer to Query.

In the following example, there is one active session:

$ curl \
--request GET \
--header "<session-cookie-name>: AQICS…​NzEz*" \
--header "Accept-API-Version: resource=3.1, protocol=1.0" \
"https://<tenant-env-fqdn>/am/json/realms/root/realms/alpha/sessions?_queryFilter=username%20eq%20%22d8ff3025-d619-4547-83ab-750f568384f6%22%20and%20realm%20eq%20%22%2Falpha%22"
{
  "result": [
    {
      "username": "d8ff3025-d619-4547-83ab-750f568384f6",
      "universalId": "id=d8ff3025-d619-4547-83ab-750f568384f6,ou=user,o=alpha,ou=services,ou=am-config",
      "realm": "/alpha",
      "sessionHandle": "shandle:QiFiP7V7EiIcOmva96MJP4TTf58.AAJTSQACMDIAAlNLABx5QVR6YzNEQ1dWNGZKdEhRT0VnN2c3TzBKdUU9AAR0eXBlAANDVFMAAlMxAAIwMQ..",
      "latestAccessTime": "2022-09-27T10:13:10.597Z",
      "maxIdleExpirationTime": "2022-09-27T10:43:10Z",
      "maxSessionExpirationTime": "2022-09-27T12:13:10Z"
    }
  ],
  "resultCount": 1,
  "pagedResultsCookie": null,
  "totalPagedResultsPolicy": "NONE",
  "totalPagedResults": -1,
  "remainingPagedResults": -1
}

To log out all sessions for the specific user, send an HTTP POST request to the /json/sessions/ endpoint. Use the SSO token of an administrative user as the value of the <session-cookie-name> header. Specify the logoutByHandle action and include an array of the session handles to invalidate in the POST body, in a property named sessionHandles. This example logs out all bjensen’s sessions:

$ curl \
--request POST \
--header "Content-Type: application/json" \
--header "<session-cookie-name>: AQICS…​NzEz*" \
--header "Accept-API-Version: resource=3.1, protocol=1.0" \
--data '{
    "sessionHandles": [
        "shandle:SJ80.AA…​.JT.",
        "shandle:H4CV.DV…​.FM."
    ]
}' \
'https://<tenant-env-fqdn>/am/json/realms/root/realms/alpha/sessions/?_action=logoutByHandle'
{
    "result": {
        "shandle:SJ80.AA…​.JT.": true,
        "shandle:H4CV.DV…​.FM.": true
    }
}
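
The two steps above combined into one script, as an added example that is not part of the original documentation: it builds the URL-encoded query filter, collects the returned session handles, posts them to logoutByHandle, and reports any handle the response does not mark true. The function names, the UUID and realm checks, the sample response, and the assumption that all sessions fit in one page of results are this example's own.

```python
import json
import re
import urllib.parse
import urllib.request

UUID_RE = re.compile(r"[0-9a-fA-F]{8}(-[0-9a-fA-F]{4}){3}-[0-9a-fA-F]{12}")
REALM_RE = re.compile(r"[A-Za-z0-9_-]+")  # assumption: simple realm names directly under root
API_VERSION = "resource=3.1, protocol=1.0"

# Constructed sample of a session query response (shortened, not real handles).
SAMPLE_QUERY_RESPONSE = {"result": [{"realm": "/alpha", "sessionHandle": "shandle:EXAMPLE-1"},
                                    {"realm": "/alpha", "sessionHandle": "shandle:EXAMPLE-2"}],
                         "resultCount": 2}

def sessions_url(base_url, realm):
    # base_url is the AM base, e.g. https://<tenant-env-fqdn>/am
    if not REALM_RE.fullmatch(realm):
        raise ValueError("unexpected realm name")
    return f"{base_url}/json/realms/root/realms/{realm}/sessions"

def query_url(base_url, realm, user_uuid):
    # Accept only a UUID so the value cannot change the meaning of the filter.
    if not UUID_RE.fullmatch(user_uuid):
        raise ValueError("user must be given as a UUID, not a username")
    query_filter = f'username eq "{user_uuid}" and realm eq "/{realm}"'
    return sessions_url(base_url, realm) + "?_queryFilter=" + urllib.parse.quote(query_filter, safe="")

def session_handles(query_response):
    return [s["sessionHandle"] for s in query_response.get("result", [])]

def logout_body(handles):
    return json.dumps({"sessionHandles": handles}).encode()

def not_invalidated(logout_response):
    # Assumption: any value other than true means the handle was not logged out.
    return [h for h, ok in logout_response.get("result", {}).items() if ok is not True]

def call(url, cookie_name, sso_token, body=None):
    headers = {cookie_name: sso_token, "Accept-API-Version": API_VERSION}
    if body is not None:
        headers["Content-Type"] = "application/json"
    req = urllib.request.Request(url, data=body, headers=headers)  # POST when body is set
    with urllib.request.urlopen(req, timeout=30) as resp:
        return json.load(resp)

def invalidate_user_sessions(base_url, realm, user_uuid, cookie_name, sso_token):
    """Log out every listed session; return handles not reported as logged out."""
    handles = session_handles(call(query_url(base_url, realm, user_uuid), cookie_name, sso_token))
    if not handles:
        return []
    url = sessions_url(base_url, realm) + "/?_action=logoutByHandle"
    return not_invalidated(call(url, cookie_name, sso_token, logout_body(handles)))
```

A non-empty return value from invalidate_user_sessions means at least one session handle needs a follow-up check.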