Identity Cloud


Endpoint to terminate authenticated end-user sessions, as per OpenID Connect Session Management 1.0 - draft 5.

To determine the end session endpoint URL, query the well-known configuration endpoint, for example, https://<tenant-env-fqdn>/am/oauth2/realms/root/realms/alpha/.well-known/openid-configuration.

The endpoint supports the following query parameters:


The ID token corresponding to the identity of the end user the relying party is requesting to be logged out by AM.

Required: Yes


To support ending sessions when ID tokens are encrypted, AM requires the client ID to which AM issued the ID token.

Failure to include the client ID results in an error; AM needs the information in the client profile to decrypt the token.

This parameter is not compliant with the specification.

Required: Yes, if the ID token is encrypted.


The URL AM redirects to after logout.

For security reasons, the value of this parameter must match one of the values configured in the Post Logout Redirect URIs field under Realms > Realm Name > Applications > OAuth 2.0 > Clients > Client ID > OpenID Connect in the AM admin UI.

If a logout redirection URL is specified, AM redirects the end user to it after they have been logged out.

If a logout redirection URL is not specified, AM returns an HTTP 204 message to indicate the user has been logged out.

Required: No
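
The following is an added example, not part of the original documentation or ForgeRock code: a relying-party helper that builds the logout request from the discovery document, enforces the client ID rule for encrypted ID tokens, and mirrors the redirect URI allowlist check before sending. Assumptions: the query parameter names (`id_token_hint`, `client_id`, `post_logout_redirect_uri`) and the `end_session_endpoint` metadata key are the standard OpenID Connect names; the host, endpoint path, client ID, and URIs are constructed placeholders; AM is assumed to return the redirect URI unchanged in the `location` header.

```python
from urllib.parse import urlencode, urlsplit

# Constructed sample data: host, endpoint path and URIs are placeholders.
DISCOVERY = {"end_session_endpoint": "https://tenant.example.com/placeholder/end-session"}
REGISTERED_URIS = {"https://app.example.com/signed-out"}


def is_encrypted(id_token: str) -> bool:
    """Compact JWE has five dot-separated parts; a signed-only JWT has three."""
    parts = id_token.split(".")
    if len(parts) not in (3, 5):
        raise ValueError("not a compact JWT")
    return len(parts) == 5


def build_logout_url(discovery, id_token, client_id=None, redirect_uri=None,
                     registered=REGISTERED_URIS):
    endpoint = discovery["end_session_endpoint"]
    if urlsplit(endpoint).scheme != "https":
        raise ValueError("end session endpoint must use https")
    params = {"id_token_hint": id_token}
    # AM needs the client profile to decrypt an encrypted ID token.
    if is_encrypted(id_token) and not client_id:
        raise ValueError("client_id is required for an encrypted ID token")
    if client_id:
        params["client_id"] = client_id
    if redirect_uri is not None:
        # Exact string match, mirroring the server-side allowlist check,
        # so a tampered redirect target fails before the request is sent.
        if redirect_uri not in registered:
            raise ValueError("post_logout_redirect_uri is not registered")
        params["post_logout_redirect_uri"] = redirect_uri
    return endpoint + "?" + urlencode(params)


def logout_succeeded(status, headers, redirect_uri=None):
    """204 when no redirect was requested; otherwise a 302 to exactly that URI."""
    if redirect_uri is None:
        return status == 204
    # Assumption: AM echoes the registered URI unchanged in the location header.
    return status == 302 and headers.get("location") == redirect_uri
```
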

This example shows AM deleting a session when an encrypted ID token is provided, and redirecting the end user to the logout redirect URL specified:

$ curl --dump-header - \
--request GET \
HTTP/2 302
x-content-type-options: nosniff
x-frame-options: SAMEORIGIN
content-length: 0
date: Mon, 12 Sep 2022 10:54:33 GMT
x-forgerock-transactionid: 1662980074396-8be189b347dba37449f4-234963
strict-transport-security: max-age=31536000; includeSubDomains; preload;
via: 1.1 google
alt-svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000