Access Management 7.3.2

/oauth2/connect/endSession

The /oauth2/connect/endSession endpoint is defined in OpenID Connect Session Management 1.0 - draft 5.

Use this endpoint to terminate authenticated end-user sessions. For details on ending session state, refer to Session management.

To find the URL for this endpoint, read the end_session_endpoint field of the well-known configuration endpoint for the realm:

$ curl https://openam.example.com:8443/openam/oauth2/realms/root/realms/alpha/.well-known/openid-configuration
{
  "…​": "…​",
  "end_session_endpoint": "https://openam.example.com:8443/openam/oauth2/realms/root/realms/alpha/connect/endSession",
  "…​": "…​"
}

Supported parameters

The end session endpoint supports the following query parameters:

Parameter Description Required

client_id

Uniquely identifies the application making the request.

This parameter is not compliant with the specification.

Yes, when the ID token is encrypted

id_token_hint

Previously issued ID token identifying the end user’s session.

Yes

post_logout_redirect_uri

Redirect to this URI after logout.

This must match one of the values in the Post Logout Redirect URIs setting of the client profile.

By default, this profile setting is empty. To update the setting in the AM admin UI, go to Realms > Realm Name > Applications > OAuth 2.0 > Client ID > OpenID Connect.

No

The post_logout_redirect_uri parameter determines the result on successful logout:

  • If included, AM redirects to the specified location.

  • If omitted, AM returns HTTP 204 No Content to indicate the end user logged out.

Example

AM deletes the end user’s session on successful logout and redirects to the post logout URL:

$ curl \
--dump-header - \
--request GET \
'https://openam.example.com:8443/openam/oauth2/realms/root/realms/alpha/connect/endSession?id_token_hint=id-token&post_logout_redirect_uri=https://www.example.com/signout'
HTTP/2 302
…​
location: https://www.example.com/signout
content-length: 0
…​