Invoking the logout endpoint for OpenID Connect

A client uses the logout endpoint to clear the provider-side session and cookies for a web browser.

Before you begin

Invoking the logout endpoint is not sufficient to completely clear a single-sign-on browser session. Tokens that are held by the provider are not cleared.
To completely clear a single-sign-on browser session, ensure that the protected application performs the following tasks:
  1. Calls the HttpServletRequest.logout() method
  2. Redirects the browser to the logout endpoint

About this task

The logout endpoint accepts a GET request with no parameters and clears the provider-side session and cookies, if present.

Procedure

In a web browser, access the URL for the OpenID Connect logout endpoint.

The URL is https://server.example.com:443/oidc/endpoint/<provider_name>/logout.

A Liberty server with OpenID Connect enabled has access to the OpenID Connect logout endpoint at this URL.

Results

  • Provider-issued cookies are removed, if present.
  • A default logout page is displayed, or the browser is redirected to a custom logout page.
  • If an exception occurs, a default exception page is displayed instead.
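
Example

The two tasks listed under "Before you begin", written as a servlet in the protected application. This is an added example, not code from the original page or from Liberty; the class name, the providerName init parameter, the javax.servlet namespace, the session invalidation step, and the use of POST are assumptions.

```java
import java.io.IOException;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;

// Hypothetical logout servlet of the protected application (class name is an assumption).
public class AppLogoutServlet extends HttpServlet {
    private static final long serialVersionUID = 1L;
    // Host, port and path layout are the ones given on this page.
    private static final String ENDPOINT_BASE = "https://server.example.com:443/oidc/endpoint/";
    private String providerLogoutUrl;

    @Override
    public void init() throws ServletException {
        // "providerName" is an assumed init-param carrying <provider_name>.
        String provider = getServletConfig().getInitParameter("providerName");
        // Assumed conservative character set, so the value cannot alter the URL path.
        if (provider == null || !provider.matches("[A-Za-z0-9_-]+")) {
            throw new ServletException("providerName init-param missing or malformed");
        }
        providerLogoutUrl = ENDPOINT_BASE + provider + "/logout";
    }

    // POST, so a cross-site link or image tag cannot end the user's session.
    @Override
    protected void doPost(HttpServletRequest request, HttpServletResponse response)
            throws ServletException, IOException {
        // Task 1: clear the authenticated identity held by the application server.
        // If this throws, no redirect is sent and the container reports the error.
        request.logout();
        // Beyond the two listed tasks: also discard the application's own session state.
        HttpSession session = request.getSession(false);
        if (session != null) {
            session.invalidate();
        }
        response.setHeader("Cache-Control", "no-store");
        // Task 2: send the browser to the provider's logout endpoint. The target is
        // fixed at init time and never taken from the request, so it cannot be
        // turned into an open redirect. 303 makes the browser follow up with a GET,
        // which is the method the endpoint accepts.
        response.setStatus(HttpServletResponse.SC_SEE_OTHER);
        response.setHeader("Location", providerLogoutUrl);
    }
}
```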