Home Explore Help
Sign In
lqb
/
elasticsearch
mirror of https://gitee.com/mirrors/elasticsearch.git
1
0
Fork 0
Files Issues 0 Wiki
Tree: f5f85f4e7b
Branches Tags
elasticsearch
/
x-pack
/
docs
/
en
/
rest-api
/
security
/
oidc-logout-api.asciidoc

oidc-logout-api.asciidoc 2.4 KB
History Raw

12345678910111213141516171819202122232425262728293031323334353637383940414243444546474849505152535455565758596061626364 
  1. [role="xpack"]
    2. 

  2. [[security-api-oidc-logout]]
    3. 

  3. === OpenID Connect logout API
    4. 

  4. 

  5. Submits a request to invalidate a refresh token and an access token that was
    6. 

  6. generated as a response to a call to `/_security/oidc/authenticate`. 
    7. 

  7. 

  8. [[security-api-oidc-logout-request]]
    9. 

  9. ==== {api-request-title}
    10. 

  10. 

  11. `POST /_security/oidc/logout`
    12. 

  12. 

  13. [[security-api-oidc-logout-desc]]
    14. 

  14. ==== {api-description-title}
    15. 

  15. 

  16. If the OpenID Connect authentication realm in {es} is accordingly configured,
    17. 

  17. the response to this call will contain a URI pointing to the End Session
    18. 

  18. Endpoint of the OpenID Connect Provider in order to perform Single Logout.
    19. 

  19. 

  20. {es} exposes all the necessary OpenID Connect related functionality via the
    21. 

  21. OpenID Connect APIs. These APIs are used internally by {kib} in order to provide
    22. 

  22. OpenID Connect based authentication, but can also be used by other, custom web
    23. 

  23. applications or other clients. See also
    24. 

  24. <<security-api-oidc-authenticate,OpenID Connect authenticate API>>
    25. 

  25. and
    26. 

  26. <<security-api-oidc-prepare-authentication,OpenID Connect prepare authentication API>>.
    27. 

  27. 

  28. [[security-api-oidc-logout-request-body]]
    29. 

  29. ==== {api-request-body-title}
    30. 

  30. 

  31. `access_token`::
    32. 

  32. The value of the access token to be invalidated as part of the logout.
    33. 

  33. 

  34. `refresh_token`::
    35. 

  35. (Optional) The value of the refresh token to be invalidated as part of the logout.
    36. 

  36. 

  37. 

  38. [[security-api-oidc-logout-example]]
    39. 

  39. ==== {api-examples-title}
    40. 

  40. 

  41. The following example performs logout
    42. 

  42. 

  43. [source,js]
    44. 

  44. --------------------------------------------------
    45. 

  45. POST /_security/oidc/logout
    46. 

  46. {
    47. 

  47.   "token" : "dGhpcyBpcyBub3QgYSByZWFsIHRva2VuIGJ1dCBpdCBpcyBvbmx5IHRlc3QgZGF0YS4gZG8gbm90IHRyeSB0byByZWFkIHRva2VuIQ==",
    48. 

  48.   "refresh_token": "vLBPvmAB6KvwvJZr27cS"
    49. 

  49. }
    50. 

  50. --------------------------------------------------
    51. 

  51. // CONSOLE
    52. 

  52. // TEST[catch:unauthorized]
    53. 

  53. 

  54. The following example output of the response contains the URI pointing to the
    55. 

  55. End Session Endpoint of the OpenID Connect Provider with all the parameters of
    56. 

  56. the Logout Request, as HTTP GET parameters:
    57. 

  57. 

  58. [source,js]
    59. 

  59. --------------------------------------------------
    60. 

  60. {
    61. 

  61.   "redirect" : "https://op-provider.org/logout?id_token_hint=eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiIxMjM0NTY3ODkwIiwibmFtZSI6IkpvaG4gRG9lIiwiaWF0IjoxNTE2MjM5MDIyfQ.SflKxwRJSMeKKF2QT4fwpMeJf36POk6yJV_adQssw5c&post_logout_redirect_uri=http%3A%2F%2Foidc-kibana.elastic.co%2Floggedout&state=lGYK0EcSLjqH6pkT5EVZjC6eIW5YCGgywj2sxROO"
    62. 

  62. }
    63. 

  63. --------------------------------------------------
    64. 

  64. // NOTCONSOLE
    65.