[role="xpack"]
[[security-api-oidc-logout]]
=== OpenID Connect logout API

Submits a request to invalidate a refresh token and an access token that were
generated as a response to a call to `/_security/oidc/authenticate`.

[[security-api-oidc-logout-request]]
==== {api-request-title}

`POST /_security/oidc/logout`

[[security-api-oidc-logout-desc]]
==== {api-description-title}

If the OpenID Connect authentication realm in {es} is configured accordingly,
the response to this call contains a URI pointing to the End Session
Endpoint of the OpenID Connect Provider in order to perform Single Logout.

{es} exposes all the necessary OpenID Connect related functionality via the
OpenID Connect APIs. These APIs are used internally by {kib} in order to provide
OpenID Connect based authentication, but can also be used by other, custom web
applications or other clients. See also
<<security-api-oidc-authenticate,OpenID Connect authenticate API>>
and
<<security-api-oidc-prepare-authentication,OpenID Connect prepare authentication API>>.

[[security-api-oidc-logout-request-body]]
==== {api-request-body-title}

`access_token`::
(Required, string) The value of the access token to be invalidated as part of the logout.

`refresh_token`::
(Optional, string) The value of the refresh token to be invalidated as part of the logout.

[[security-api-oidc-logout-example]]
==== {api-examples-title}

The following example performs logout:

[source,console]
--------------------------------------------------
POST /_security/oidc/logout
{
  "token" : "dGhpcyBpcyBub3QgYSByZWFsIHRva2VuIGJ1dCBpdCBpcyBvbmx5IHRlc3QgZGF0YS4gZG8gbm90IHRyeSB0byByZWFkIHRva2VuIQ==",
  "refresh_token": "vLBPvmAB6KvwvJZr27cS"
}
--------------------------------------------------
// TEST[catch:unauthorized]

The following example output of the response contains the URI pointing to the
End Session Endpoint of the OpenID Connect Provider with all the parameters of
the Logout Request, as HTTP GET parameters:

[source,js]
--------------------------------------------------
{
  "redirect" : "https://op-provider.org/logout?id_token_hint=eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiIxMjM0NTY3ODkwIiwibmFtZSI6IkpvaG4gRG9lIiwiaWF0IjoxNTE2MjM5MDIyfQ.SflKxwRJSMeKKF2QT4fwpMeJf36POk6yJV_adQssw5c&post_logout_redirect_uri=http%3A%2F%2Foidc-kibana.elastic.co%2Floggedout&state=lGYK0EcSLjqH6pkT5EVZjC6eIW5YCGgywj2sxROO"
}
--------------------------------------------------
// NOTCONSOLE
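
A custom web application that calls this API can check the returned `redirect` before sending the user's browser to it. The following Python function is an added example, not part of the {es} documentation or code base. The name `check_logout_redirect`, the expected endpoint and post-logout URI arguments, the requirement that all three sample parameters be present, and the treatment of a missing `redirect` as "Single Logout not configured" are assumptions made for illustration.

```python
from urllib.parse import parse_qs, urlsplit

# Response body copied from the example output on this page.
SAMPLE_RESPONSE = {"redirect": (
    "https://op-provider.org/logout?id_token_hint="
    "eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9"
    ".eyJzdWIiOiIxMjM0NTY3ODkwIiwibmFtZSI6IkpvaG4gRG9lIiwiaWF0IjoxNTE2MjM5MDIyfQ"
    ".SflKxwRJSMeKKF2QT4fwpMeJf36POk6yJV_adQssw5c"
    "&post_logout_redirect_uri=http%3A%2F%2Foidc-kibana.elastic.co%2Floggedout"
    "&state=lGYK0EcSLjqH6pkT5EVZjC6eIW5YCGgywj2sxROO")}

class LogoutRedirectError(ValueError):
    """The redirect returned by the logout API failed a check."""

def check_logout_redirect(response, end_session_endpoint, post_logout_uri):
    """Return the query parameters of response["redirect"] after checking it
    against the End Session Endpoint and post-logout URI this application
    expects (both assumed to come from the application's own configuration)."""
    redirect = response.get("redirect")
    if redirect is None:
        return None  # assumption: no URI means Single Logout is not configured
    try:
        got, want = urlsplit(redirect), urlsplit(end_session_endpoint)
        # strict_parsing rejects malformed query fields instead of skipping them
        query = parse_qs(got.query, strict_parsing=True)
        # Comparing hostname (not netloc) ignores any userinfo before an "@"
        same_endpoint = ((got.hostname, got.port, got.path)
                         == (want.hostname, want.port, want.path))
    except (ValueError, AttributeError, TypeError) as exc:
        raise LogoutRedirectError(f"unparseable redirect: {exc}") from exc
    if got.scheme != "https" or not same_endpoint:
        raise LogoutRedirectError("redirect is not the expected End Session Endpoint")
    params = {}
    # Each parameter must appear exactly once, so a duplicate cannot shadow it.
    for name in ("id_token_hint", "post_logout_redirect_uri", "state"):
        values = query.get(name, [])
        if len(values) != 1:
            raise LogoutRedirectError(f"{name} must appear exactly once")
        params[name] = values[0]
    if params["post_logout_redirect_uri"] != post_logout_uri:
        raise LogoutRedirectError("unexpected post_logout_redirect_uri")
    # Shape check only: the signature of the ID token is not verified here.
    if params["id_token_hint"].count(".") != 2:
        raise LogoutRedirectError("id_token_hint is not a compact JWT")
    return params
```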