Mirror of https://github.com/honeymoose/OpenSearch.git (synced 2025-02-12 07:55:24 +00:00)
This commit allows the Transport Actions for the SSO realms to indicate the realm that should be used to authenticate the constructed AuthenticationToken. This is useful in the case that many authentication realms of the same type have been configured and where the caller of the API (Kibana or a custom web app) already knows which realm should be used so there is no need to iterate all the realms of the same type. The realm parameter is added in the relevant REST APIs as optional so as not to introduce any breaking change.
64 lines
2.4 KiB
Plaintext
[role="xpack"]
[[security-api-oidc-logout]]
=== OpenID Connect logout API

Submits a request to invalidate a refresh token and an access token that was
generated as a response to a call to `/_security/oidc/authenticate`.

[[security-api-oidc-logout-request]]
==== {api-request-title}

`POST /_security/oidc/logout`

[[security-api-oidc-logout-desc]]
==== {api-description-title}

If the OpenID Connect authentication realm in {es} is configured accordingly,
the response to this call will contain a URI pointing to the End Session
Endpoint of the OpenID Connect Provider in order to perform Single Logout.

{es} exposes all the necessary OpenID Connect related functionality via the
OpenID Connect APIs. These APIs are used internally by {kib} in order to provide
OpenID Connect based authentication, but can also be used by other, custom web
applications or other clients. See also
<<security-api-oidc-authenticate,OpenID Connect authenticate API>>
and
<<security-api-oidc-prepare-authentication,OpenID Connect prepare authentication API>>.

[[security-api-oidc-logout-request-body]]
==== {api-request-body-title}

`access_token`::
(Required, string) The value of the access token to be invalidated as part of the logout.

`refresh_token`::
(Optional, string) The value of the refresh token to be invalidated as part of the logout.


[[security-api-oidc-logout-example]]
==== {api-examples-title}

The following example performs logout:

[source,js]
--------------------------------------------------
POST /_security/oidc/logout
{
  "token" : "dGhpcyBpcyBub3QgYSByZWFsIHRva2VuIGJ1dCBpdCBpcyBvbmx5IHRlc3QgZGF0YS4gZG8gbm90IHRyeSB0byByZWFkIHRva2VuIQ==",
  "refresh_token": "vLBPvmAB6KvwvJZr27cS"
}
--------------------------------------------------
// CONSOLE
// TEST[catch:unauthorized]

The following example output of the response contains the URI pointing to the
End Session Endpoint of the OpenID Connect Provider with all the parameters of
the Logout Request, as HTTP GET parameters:

[source,js]
--------------------------------------------------
{
  "redirect" : "https://op-provider.org/logout?id_token_hint=eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiIxMjM0NTY3ODkwIiwibmFtZSI6IkpvaG4gRG9lIiwiaWF0IjoxNTE2MjM5MDIyfQ.SflKxwRJSMeKKF2QT4fwpMeJf36POk6yJV_adQssw5c&post_logout_redirect_uri=http%3A%2F%2Foidc-kibana.elastic.co%2Floggedout&state=lGYK0EcSLjqH6pkT5EVZjC6eIW5YCGgywj2sxROO"
}
--------------------------------------------------
// NOTCONSOLE
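
A custom web application that calls this API sends the user's browser to the `redirect` value in the response above. As an added example (not part of the original documentation or of the project's code), the following JavaScript checks that value against the End Session Endpoint and post-logout URI the application expects before following it, and redacts `id_token_hint` for logging. The function names, the expected values and the sample response are constructed assumptions.

```javascript
// Added example. EXPECTED_* stand in for the values configured for the
// deployment's OpenID Connect realm (assumptions, taken from the sample output).
const EXPECTED_END_SESSION = 'https://op-provider.org/logout';
const EXPECTED_POST_LOGOUT = 'http://oidc-kibana.elastic.co/loggedout';

// Constructed sample response; the id_token_hint is a placeholder, not a real JWT.
const SAMPLE_RESPONSE = {
  redirect: 'https://op-provider.org/logout?id_token_hint=CONSTRUCTED.ID.TOKEN' +
    '&post_logout_redirect_uri=http%3A%2F%2Foidc-kibana.elastic.co%2Floggedout' +
    '&state=constructedState123',
};

// Decide whether the browser may be sent to the URI returned by the logout API.
function checkLogoutRedirect(body, expectedEndSession, expectedPostLogout) {
  // Assumption: no string "redirect" means the realm offers no Single Logout.
  if (!body || typeof body.redirect !== 'string') {
    return { ok: true, follow: null, params: {}, problems: [] };
  }
  let target;
  try {
    target = new URL(body.redirect);
  } catch (err) {
    return { ok: false, follow: null, params: {}, problems: ['redirect is not an absolute URL'] };
  }
  const problems = [];
  const expected = new URL(expectedEndSession);
  // Compare scheme, host, port and path; the query holds the Logout Request parameters.
  if (target.origin !== expected.origin || target.pathname !== expected.pathname) {
    problems.push('unexpected End Session Endpoint: ' + target.origin + target.pathname);
  }
  const params = Object.fromEntries(target.searchParams); // values are percent-decoded
  const postLogout = params.post_logout_redirect_uri;
  if (postLogout !== undefined && postLogout !== expectedPostLogout) {
    problems.push('post_logout_redirect_uri differs from the registered value');
  }
  const ok = problems.length === 0;
  return { ok, follow: ok ? target.href : null, params, problems };
}

// The id_token_hint carries user claims; replace it before the URI reaches a log.
function redactForLog(redirect) {
  const u = new URL(redirect);
  if (u.searchParams.has('id_token_hint')) u.searchParams.set('id_token_hint', 'REDACTED');
  return u.href;
}
```

Comparing the parsed origin and path, rather than matching a string prefix, is what rejects a host that merely starts with the expected provider name.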