401 or 403 response using REST API for logout requests in OpenAM 11.0.2

Last updated Jan 5, 2021

The purpose of this article is to provide assistance if you encounter a 401 Unauthorized: Access denied response or a 403 Forbidden: User is not an administrator response when using the REST API for logout requests in OpenAM 11.0.2. This occurs when sending a POST request with the token cookie value to the json/sessions?_action=logout endpoint, or when clicking the Logout link on the User Profile page, and is only applicable if you have enabled the XUI interface.


This article has been archived and is no longer maintained by ForgeRock.


The following response is received when performing a logout request using the REST API:

{ "code": 401, "reason": "Unauthorized", "message": "Access denied" }

You might see the following response instead if the logout request is triggered by clicking the Logout link on the User Profile page:

{"code":403,"reason":"Forbidden","message":"User is not an administrator."}

Recent Changes

 Upgraded to OpenAM 11.0.2 and enabled the XUI interface.


Anonymous access is not permitted to the Sessions endpoint for the logout action, which prevents the logout request from succeeding.


This issue can be resolved by upgrading to OpenAM 12.0.0 or later; you can download this from BackStage.


You can work around this issue by using the legacy REST API to log out, for example:

$ curl -X POST -d "subjectid=AQIC5w...*AAJTSQACMDE.*"

Alternatively, disable the XUI interface (which is not supported in production in OpenAM 11.0.2) and return to the Classic UI instead.

See Also

Logging out via REST API fails with no results message in OpenAM 11.0.1


Related Issue Tracker IDs

OPENAM-4468 (Forbidden Request Error message appears when a user clicks Log out link)

OPENAM-4496 (REST sessions logout returns HTTP-403 Forbidden)
