OpenID Connect logout API

Submits a request to invalidate a refresh token and an access token that were generated as a response to a call to /_security/oidc/authenticate.

Request

POST /_security/oidc/logout

Description

If the OpenID Connect authentication realm in Elasticsearch is configured accordingly, the response to this call contains a URI pointing to the End Session Endpoint of the OpenID Connect Provider, which is used to perform Single Logout.

Elasticsearch exposes all the necessary OpenID Connect related functionality via the OpenID Connect APIs. These APIs are used internally by Kibana in order to provide OpenID Connect based authentication, but can also be used by other, custom web applications or other clients. See also OpenID Connect authenticate API and OpenID Connect prepare authentication API.

Request body

access_token
(Required, string) The value of the access token to be invalidated as part of the logout.
refresh_token
(Optional, string) The value of the refresh token to be invalidated as part of the logout.

Examples

The following example performs logout:

resp = client.perform_request(
    "POST",
    "/_security/oidc/logout",
    headers={"Content-Type": "application/json"},
    body={
        "token": "dGhpcyBpcyBub3QgYSByZWFsIHRva2VuIGJ1dCBpdCBpcyBvbmx5IHRlc3QgZGF0YS4gZG8gbm90IHRyeSB0byByZWFkIHRva2VuIQ==",
        "refresh_token": "vLBPvmAB6KvwvJZr27cS"
    },
)
print(resp)

const response = await client.transport.request({
  method: "POST",
  path: "/_security/oidc/logout",
  body: {
    token:
      "dGhpcyBpcyBub3QgYSByZWFsIHRva2VuIGJ1dCBpdCBpcyBvbmx5IHRlc3QgZGF0YS4gZG8gbm90IHRyeSB0byByZWFkIHRva2VuIQ==",
    refresh_token: "vLBPvmAB6KvwvJZr27cS",
  },
});
console.log(response);

POST /_security/oidc/logout
{
  "token" : "dGhpcyBpcyBub3QgYSByZWFsIHRva2VuIGJ1dCBpdCBpcyBvbmx5IHRlc3QgZGF0YS4gZG8gbm90IHRyeSB0byByZWFkIHRva2VuIQ==",
  "refresh_token": "vLBPvmAB6KvwvJZr27cS"
}

The following example output of the response contains the URI pointing to the End Session Endpoint of the OpenID Connect Provider with all the parameters of the Logout Request, as HTTP GET parameters:

{
  "redirect" : "https://op-provider.org/logout?id_token_hint=eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiIxMjM0NTY3ODkwIiwibmFtZSI6IkpvaG4gRG9lIiwiaWF0IjoxNTE2MjM5MDIyfQ.SflKxwRJSMeKKF2QT4fwpMeJf36POk6yJV_adQssw5c&post_logout_redirect_uri=http%3A%2F%2Foidc-kibana.elastic.co%2Floggedout&state=lGYK0EcSLjqH6pkT5EVZjC6eIW5YCGgywj2sxROO"
}
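
A custom client that follows the returned redirect can first check that it points where the application expects. The following is an added example, not code from the Elasticsearch documentation: the function name, the constants and the placeholder token values are assumptions, and the hosts are taken from the example output above. It also covers the case where the realm is not configured for Single Logout and the response carries no `redirect`.

```python
from urllib.parse import urlsplit, parse_qs

# Constructed sample response, shaped like the example output above
# (the id_token_hint and state values are placeholders).
SAMPLE_RESPONSE = {
    "redirect": "https://op-provider.org/logout?id_token_hint=PLACEHOLDER.ID.TOKEN"
                "&post_logout_redirect_uri=http%3A%2F%2Foidc-kibana.elastic.co%2Floggedout"
                "&state=PLACEHOLDERSTATE"
}
# Assumed application configuration: the values this client expects to see.
END_SESSION_ENDPOINT = "https://op-provider.org/logout"
POST_LOGOUT_REDIRECT_URI = "http://oidc-kibana.elastic.co/loggedout"


def validated_logout_redirect(response, end_session_endpoint, post_logout_uri):
    """Return the logout redirect URI if it matches the expected values.

    Returns None when the response has no "redirect" (no Single Logout to
    perform at the OpenID Connect Provider). Raises ValueError on a mismatch.
    """
    redirect = response.get("redirect")
    if redirect is None:
        return None
    got, want = urlsplit(redirect), urlsplit(end_session_endpoint)
    if want.scheme != "https":
        raise ValueError("configured End Session Endpoint must use https")
    # Compare scheme, authority and path exactly. netloc includes any userinfo
    # and port, so "op-provider.org@other.example" does not match.
    if (got.scheme, got.netloc.lower(), got.path) != (
            want.scheme, want.netloc.lower(), want.path):
        raise ValueError("redirect is not the expected End Session Endpoint")
    params = parse_qs(got.query, keep_blank_values=True)
    # A repeated parameter is ambiguous: reject it rather than pick one value.
    if any(len(values) != 1 for values in params.values()):
        raise ValueError("repeated query parameter in logout redirect")
    # parse_qs percent-decodes, so compare against the plain configured URI.
    uri = params.get("post_logout_redirect_uri")
    if uri is not None and uri != [post_logout_uri]:
        raise ValueError("unexpected post_logout_redirect_uri")
    return redirect


if __name__ == "__main__":
    print(validated_logout_redirect(
        SAMPLE_RESPONSE, END_SESSION_ENDPOINT, POST_LOGOUT_REDIRECT_URI))
```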