Endpoint to terminate authenticated end-user sessions, as per OpenID Connect Session Management 1.0 - draft 5.
Query the well-known configuration endpoint
for the realm to determine the URL of the end session endpoint.
The endpoint supports the following query parameters:
The ID token corresponding to the identity of the end user the relying party is requesting to be logged out by AM.
To support ending sessions when ID tokens are encrypted, AM requires that the request to the end session endpoint includes the client ID to which AM issued the ID token.
Failure to include the client ID will result in error; AM needs the information in the client profile to decrypt the token.
This parameter is not compliant with the specification.
Required: Yes, if the ID token is encrypted.
The URL AM will redirect to after logout.
For security reasons, the value of this parameter must match one of the values configured in the Post Logout Redirect URIs field of the client profile.
If a logout redirection URL is specified, AM redirects the end user to it after they have been logged out.
If a logout redirection URL is not specified, AM returns an HTTP 204 message to indicate the user has been logged out, and does not perform more actions.
This example shows AM deleting a session when an encrypted ID token is provided, and redirecting the end user to the logout redirect URL specified:
$ curl --dump-header - \ --request GET \ "https://<tenant-env-fqdn>/am/oauth2/realms/root/realms/alpha/connect/endSession?id_token_hint=eyJ0eXAiOiJKV1QiLCJra…&post_logout_redirect_uri=https://www.example.com:443/logout_callback&client_id=myClient" HTTP/2 302 location: https://www.example.com:443/logout_callback x-content-type-options: nosniff x-frame-options: SAMEORIGIN content-length: 0 date: Mon, 12 Sep 2022 10:54:33 GMT x-forgerock-transactionid: 1662980074396-8be189b347dba37449f4-234963 strict-transport-security: max-age=31536000; includeSubDomains; preload; via: 1.1 google alt-svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000