[role="xpack"]
[[security-api-oidc-logout]]
=== OpenID Connect Logout API

Submits a request to invalidate a refresh token and an access token that were generated as a response to a call to
`/_security/oidc/authenticate`. If the OpenID Connect authentication realm in {es} is configured accordingly, the
response to this call will contain a URI pointing to the End Session Endpoint of the OpenID Connect Provider in
order to perform Single Logout.

{es} exposes all the necessary OpenID Connect related functionality via the OpenID Connect APIs. These APIs
are used internally by {kib} in order to provide OpenID Connect based authentication, but can also be used by other,
custom web applications or other clients. See also <<security-api-oidc-authenticate,OpenID Connect Authenticate API>>
and <<security-api-oidc-prepare-authentication,OpenID Connect Prepare Authentication API>>.

==== Request

`POST /_security/oidc/logout`

==== Request Body

`access_token`::
The value of the access token to be invalidated as part of the logout.

`refresh_token`::
The value of the refresh token to be invalidated as part of the logout. (Optional)

==== Examples

The following example performs logout:

[source,js]
--------------------------------------------------
POST /_security/oidc/logout
{
  "token" : "dGhpcyBpcyBub3QgYSByZWFsIHRva2VuIGJ1dCBpdCBpcyBvbmx5IHRlc3QgZGF0YS4gZG8gbm90IHRyeSB0byByZWFkIHRva2VuIQ==",
  "refresh_token": "vLBPvmAB6KvwvJZr27cS"
}
--------------------------------------------------
// CONSOLE
// TEST[catch:unauthorized]

The following example output of the response contains the URI pointing to the End Session Endpoint of the
OpenID Connect Provider with all the parameters of the Logout Request, as HTTP GET parameters:

[source,js]
--------------------------------------------------
{
  "redirect" : "https://op-provider.org/logout?id_token_hint=eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiIxMjM0NTY3ODkwIiwibmFtZSI6IkpvaG4gRG9lIiwiaWF0IjoxNTE2MjM5MDIyfQ.SflKxwRJSMeKKF2QT4fwpMeJf36POk6yJV_adQssw5c&post_logout_redirect_uri=http%3A%2F%2Foidc-kibana.elastic.co%2Floggedout&state=lGYK0EcSLjqH6pkT5EVZjC6eIW5YCGgywj2sxROO"
}
--------------------------------------------------
// NOTCONSOLE
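
A custom client that relays this response to a browser can compare the `redirect` value with its own configuration before following it. The following Python code is an added example, not part of the {es} documentation or code base; the function name and the `END_SESSION_ENDPOINT` and `POST_LOGOUT_REDIRECT` constants are assumptions, with values mirrored from the sample response above.

```python
from urllib.parse import parse_qs, urlsplit

# Assumed client configuration (values mirror the sample response on this page).
END_SESSION_ENDPOINT = "https://op-provider.org/logout"
POST_LOGOUT_REDIRECT = "http://oidc-kibana.elastic.co/loggedout"
ALLOWED_PARAMS = {"id_token_hint", "post_logout_redirect_uri", "state"}

# The sample response body shown above.
SAMPLE_RESPONSE = {
    "redirect": "https://op-provider.org/logout?id_token_hint="
    "eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9."
    "eyJzdWIiOiIxMjM0NTY3ODkwIiwibmFtZSI6IkpvaG4gRG9lIiwiaWF0IjoxNTE2MjM5MDIyfQ."
    "SflKxwRJSMeKKF2QT4fwpMeJf36POk6yJV_adQssw5c"
    "&post_logout_redirect_uri=http%3A%2F%2Foidc-kibana.elastic.co%2Floggedout"
    "&state=lGYK0EcSLjqH6pkT5EVZjC6eIW5YCGgywj2sxROO"
}


def check_logout_redirect(response):
    """Return a list of problems; an empty list means the URI matches the config."""
    uri = response.get("redirect")
    if not isinstance(uri, str) or not uri:
        return ["response has no redirect URI"]
    try:
        got, want = urlsplit(uri), urlsplit(END_SESSION_ENDPOINT)
        same_target = (got.scheme, got.hostname, got.port, got.path) == (
            want.scheme, want.hostname, want.port, want.path)
    except ValueError:  # malformed authority, e.g. a non-numeric port
        return ["redirect URI cannot be parsed"]
    problems = []
    if not same_target:
        problems.append("redirect is not the configured End Session Endpoint")
    if "@" in got.netloc:  # userinfo can make the URI look like another host
        problems.append("redirect URI carries userinfo")
    params = parse_qs(got.query, keep_blank_values=True)
    for name in sorted(params):
        if name not in ALLOWED_PARAMS:
            problems.append(f"unexpected parameter: {name}")
        elif len(params[name]) != 1:
            problems.append(f"repeated parameter: {name}")
    target = params.get("post_logout_redirect_uri", [POST_LOGOUT_REDIRECT])[0]
    if target != POST_LOGOUT_REDIRECT:
        problems.append("post_logout_redirect_uri is not the registered value")
    if params.get("id_token_hint", ["a.b.c"])[0].count(".") != 2:
        problems.append("id_token_hint is not a compact JWS")
    return problems


if __name__ == "__main__":
    print(check_logout_redirect(SAMPLE_RESPONSE))
```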