
401 or 403 response using REST API for logout requests in OpenAM 11.0.2

Last updated Jan 5, 2021

This article helps if you encounter a 401 Unauthorized: Access denied response or a 403 Forbidden: User is not an administrator response when using the REST API for logout requests in OpenAM 11.0.2. This occurs when you send a POST request with the token cookie value to the json/sessions?_action=logout endpoint, or when you click the Logout link on the User Profile page, and it applies only if you have enabled the XUI interface.


Archived

This article has been archived and is no longer maintained by ForgeRock.

Symptoms

The following response is received when performing a logout request using the REST API:

{ "code": 401, "reason": "Unauthorized", "message": "Access denied" }

You might see the following response instead if the logout request is triggered by clicking the Logout link on the User Profile page:

{"code":403,"reason":"Forbidden","message":"User is not an administrator."}

Recent Changes

Upgraded to OpenAM 11.0.2 and enabled the XUI interface.

Causes

Anonymous access to the Sessions endpoint is not permitted for the logout action, which prevents the logout request from succeeding.

Solution

This issue can be resolved by upgrading to OpenAM 12.0.0 or later; you can download this from BackStage.

Workaround

You can work around this issue by using the legacy REST API to log out, for example:

$ curl -X POST -d "subjectid=AQIC5w...*AAJTSQACMDE.*" https://openam.example.com:8443/openam/identity/logout

Alternatively, disable the XUI interface (which is not supported in production in OpenAM 11.0.2) and return to the Classic UI.
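
The workaround above as a script that tries json/sessions?_action=logout first and falls back to the legacy endpoint only on the 401 or 403 described in this article. This is an added example, not ForgeRock code; it assumes the session header uses the default cookie name iPlanetDirectoryPro and that both endpoints answer HTTP 200 on success, and the function names are hypothetical.

```shell
#!/bin/sh
# Added example, not ForgeRock code. Assumptions: the session header uses the
# default cookie name iPlanetDirectoryPro, and both endpoints answer HTTP 200
# on a successful logout.
AM_URL="${AM_URL:-https://openam.example.com:8443/openam}"
AM_COOKIE="${AM_COOKIE:-iPlanetDirectoryPro}"

# Map the HTTP status from json/sessions?_action=logout to the next step.
classify_logout() {
    case "$1" in
        200)     echo ok ;;
        401|403) echo fallback ;;  # the two symptoms described in this article
        *)       echo error ;;     # anything else is a different problem
    esac
}

# POST with curl and print only the HTTP status (000 if curl itself fails).
post_status() {
    code=$(curl -s -o /dev/null -w '%{http_code}' -X POST "$@") || code=000
    printf '%s' "$code"
}

# Log out the session for token $1; prints the endpoint that ended it.
am_logout() {
    token="$1"
    [ -n "$token" ] || { echo "usage: am_logout <token>" >&2; return 2; }

    status=$(post_status -H "Content-Type: application/json" \
        -H "$AM_COOKIE: $token" "$AM_URL/json/sessions?_action=logout")
    case "$(classify_logout "$status")" in
        ok)    echo "json/sessions"; return 0 ;;
        error) echo "json/sessions returned HTTP $status" >&2; return 1 ;;
    esac

    # 401/403: retry on the legacy endpoint from the workaround. The token is
    # URL-encoded so characters such as '*' survive form encoding.
    status=$(post_status --data-urlencode "subjectid=$token" \
        "$AM_URL/identity/logout")
    if [ "$status" = 200 ]; then echo "identity/logout"; return 0; fi
    echo "identity/logout returned HTTP $status" >&2
    return 1
}
```

Treating any status other than 401 or 403 as an error keeps the fallback from masking unrelated failures, and a non-zero exit tells the caller that the session may still be active.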

See Also

Logging out via REST API fails with no results message in OpenAM 11.0.1

FAQ: REST API in AM

Related Issue Tracker IDs

OPENAM-4468 (Forbidden Request Error message appears when a user clicks Log out link)

OPENAM-4496 (REST sessions logout returns HTTP-403 Forbidden)

