---
title: Session management
description: The OIDC session management 1.0 draft series defines a mechanism for a relying party (RP) to:
component: pingoneaic
page_id: pingoneaic:am-oidc1:session-management
canonical_url: https://docs.pingidentity.com/pingoneaic/am-oidc1/session-management.html
keywords: ["OpenID Connect (OIDC)", "Standards", "Endpoints", "Sessions"]
page_aliases: ["oidc1-guide:session-management.adoc"]
section_ids:
  session_management_state: Using the authorize and sessions endpoints
  session_management_flow: Session management flow
  enabling-session-management-10: Configure the provider and client
  session-management-draft5: Using the checkSession and endSession endpoints
  configure_the_client: Configure the client
  disable_session_management: Disable session management
---

# Session management

The OIDC session management 1.0 draft series defines a mechanism for a relying party (RP) to:

* Check with the OpenID provider (OP) if an OIDC session is still active based on an ID token.

* Terminate an authenticated session with the OP, for example, when the user logs out.

The process is transparent to the end user. An RP uses a hidden `<iframe>` to get the session state from the OP and take action when the state changes.

Advanced Identity Cloud supports [Draft 10](https://openid.net/specs/openid-connect-session-1_0-10.html) of the specification.

Advanced Identity Cloud offers two methods for OIDC session management, which use different endpoints to achieve the same result:

* [Using the `authorize` and `sessions` endpoints](#session_management_state)

  This method of session management is based on [Draft 10](https://openid.net/specs/openid-connect-session-1_0-10.html) of the OIDC Session Management specification.

* [Using the `checkSession` and `endSession` endpoints](#session-management-draft5)

  This method is based on earlier drafts of the specification.

## Using the `authorize` and `sessions` endpoints

This method uses the following endpoints for session management:

* [/oauth2/authorize](../am-oauth2/oauth2-authorize-endpoint.html)

  Retrieve session state.

* [/json/sessions](../am-authentication/logout-using-rest.html)

  Terminate an authenticated session.

### Session management flow

To check session state, create an `<iframe>` in your RP whose `src` attribute targets the `/oauth2/authorize` endpoint with the required parameters. The user-agent sends the tenant session cookie with the request.

![Session management draft 10 flow](_images/session-management-10.svg)

For example, a public client RP called `myClient` uses the following `<iframe src>` URL to request session state:

```none
https://<tenant-env-fqdn>/am/oauth2/realms/root/realms/alpha/authorize \
?client_id=myClient \
&response_type=none \
&id_token_hint=<id-token> \
&redirect_uri=https://www.example.com:443/callback \
&prompt=none
```

The query string parameters include these settings:

* `prompt=none`

  Don't display user interaction pages to the end user.

* `id_token_hint=<id-token>`

  The ID token to validate against the authenticated session.

* `response_type=none`

  Don't issue a token in the response.

The following table lists the responses:

| Advanced Identity Cloud responses | Request with `redirect_uri`                                                                                                                                                                                                        | Request without `redirect_uri`                                                                                                   |
| --------------------------------- | ---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | -------------------------------------------------------------------------------------------------------------------------------- |
| Valid session                     | Redirect to `redirect_uri` with no content.                                                                                                                                                                                        | Return HTTP 204 No Content.                                                                                                      |
| Invalid session                   | Redirect to `redirect_uri` with no content and an `error_description` parameter appended to the URL. For example, `https://www.example.com:443/callback?error_description=The%20request%20requires%20login.&error=login_required`. | Return HTTP 400 Bad Request and redirect to a page that displays a message such as `Login required. The request requires login.` |

The RP's `<iframe>` and the `redirect_uri` page must process any errors; for example, by redirecting the end user to sign in.
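The following added example (not code from the Ping Identity documentation or product) shows the RP side of this flow: building the hidden `<iframe src>` URL for the `/oauth2/authorize` session check, and interpreting the URL the OP redirects the `<iframe>` to. The tenant FQDN, the ID token value and the `redirect_uri` are constructed placeholders.

```javascript
// Build the /oauth2/authorize URL for a hidden-iframe session check with
// prompt=none, response_type=none and id_token_hint, as described above.
// The redirect_uri must exactly match one registered on the RP's client profile.
function buildSessionCheckUrl(authorizeEndpoint, clientId, idToken, redirectUri) {
  const url = new URL(authorizeEndpoint);
  url.searchParams.set("client_id", clientId);
  url.searchParams.set("response_type", "none");
  url.searchParams.set("id_token_hint", idToken);
  url.searchParams.set("redirect_uri", redirectUri);
  url.searchParams.set("prompt", "none");
  return url.toString();
}

// Interpret the URL the OP redirected the iframe to. A redirect with no
// `error` parameter means the session is still valid; `error=login_required`
// plus an `error_description` means the session is no longer valid.
function parseSessionCheckResult(callbackUrl) {
  const params = new URL(callbackUrl).searchParams;
  const error = params.get("error");
  if (error === null) {
    return { active: true };
  }
  return { active: false, error, description: params.get("error_description") || "" };
}

// Run in the redirect_uri page inside the hidden iframe: report the result to
// the RP's top-level page so it can act, for example by sending the user to
// sign in. `rpOrigin` restricts which parent window may receive the message
// (hypothetical helper; `win` is the iframe's window object when in a browser).
function reportToParent(callbackUrl, rpOrigin, win) {
  const result = parseSessionCheckResult(callbackUrl);
  if (win && win.parent && win.parent !== win) {
    win.parent.postMessage(result, rpOrigin);
  }
  return result;
}

// Constructed sample values (placeholder tenant, token and redirect URI).
const AUTHORIZE_ENDPOINT =
  "https://tenant.example.com/am/oauth2/realms/root/realms/alpha/authorize";
const SESSION_CHECK_URL = buildSessionCheckUrl(
  AUTHORIZE_ENDPOINT, "myClient", "ID_TOKEN_PLACEHOLDER", "https://www.example.com:443/callback");
```

The top-level RP page would listen for the posted message with `window.addEventListener("message", ...)`, check `event.origin` against the OP-hosted redirect page's origin, and redirect the user to sign in when `active` is false.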

### Configure the provider and client

To enable this method for a realm, configure the OAuth 2.0 provider:

1. Under Native Consoles > Access Management, go to Realms > *Realm Name* > Services > OAuth2 Provider.

2. Switch to the Advanced tab and add `none|org.forgerock.oauth2.core.NoneResponseTypeHandler` to the Response Type Plugins settings.

3. Save your changes.

To enable this method in the RP client profile:

1. In the Advanced Identity Cloud admin console, go to Applications > *Client ID* > Sign On > General Settings > Show advanced settings.

2. In Access > Response Types, add `none`.

3. Save your changes.

## Using the `checkSession` and `endSession` endpoints

This method uses the following endpoints for session management:

* [/oauth2/connect/checkSession](rest-api-oidc-checksession-endpoint.html)

  Retrieve session state.

  This endpoint serves as the `check_session_iframe` URL.

* [/oauth2/connect/endSession](rest-api-oidc-endsession-endpoint.html)

  Terminate an authenticated session and redirect to a post-logout page.

### Configure the client

This method is enabled by default in the OAuth 2.0 provider. You only need to configure the client profile for the RP to use it:

1. In the Advanced Identity Cloud admin console, go to Applications > *Client ID* > Sign On > General Settings > Show advanced settings.

2. In Session Management > Client Session URI, add the URL the RP uses as the `<iframe src>` URL.

3. Save your changes.

## Disable session management

To disable OIDC-based session management support for a realm, configure the OAuth 2.0 provider:

1. Under Native Consoles > Access Management, go to Realms > *Realm Name* > Services > OAuth2 Provider > Advanced OpenID Connect.

2. Clear Enable Session Management.

3. Save your changes.

This also disables [backchannel logout](backchannel-logout.html).
