mitreid-connect / OpenID-Connect-Java-Spring-Server

An OpenID Connect reference implementation in Java on the Spring platform.

Question about endsession endpoint #1465

Closed rhinmass closed 5 years ago

rhinmass commented 5 years ago

I don't understand what the endsession endpoint actually does. All of my tokens still work. I presume I need to revoke the tokens in a separate call. Which leads me to ask why call endsession at all?

jansinger commented 5 years ago

The current user is logged out of the current authenticated session and therefore he is forced to authenticate again if a client tries to obtain a new access token with the authorization code flow. The endpoint is part of the OpenID Connect Session Management specifications.

jricher commented 5 years ago

@jansinger is correct. This does not revoke access tokens. For that, use the token revocation endpoint.

rhinmass commented 5 years ago

I'm not getting redirected back. I'm setting post_logout_redirect_uri and id_token_hint, yet after the logout it stays at the server logout page.

Request URL: http://myopenidserver.com/auth/endsession?post_logout_redirect_uri=http%3A%2F%2Flocalhost%3A18080%2Fopenid-demo-client%2F&id_token_hint=eyJraWQiOiJyc2ExIiwiYWxnIjoiUlMyNTYifQ.eyJzdWIiOiIyIiwiYXVkIjoiY2xpZW50Iiwia2lkIjoicnNhMSIsImlzcyI6Imh0dHA6XC9cL3d3dy5jYXJlbG9jYWwuY29tXC9hdXRoXC8iLCJleHAiOjE1NTMxOTk4NjEsImlhdCI6MTU1MzE5OTI2MSwibm9uY2UiOiIxZmJiMmZmOTI1NjdkIiwianRpIjoiOTc3YTU3ZWQtZmNmZC00NDEzLTkxY2UtMThjNWU4NjRmNTIzIn0.nClnmu62i--4fI9GtwfCJFtZwRx8VN5Pnl7JClm9bjx-4XaO0nqHJ6mKCYvfrM22yYmxyZ4qoyIutHmFJGFbyi2mxt9t8mWObFo4em3wbPhzljwOOU_w9VfhrMepyRB8-Koy4hkmwU14i5iuEO1cNdoE8tjhjpZ35dGOaQb12CWU7BjLFk0RUJrn90xrZQ4IqoIDyKXJJDTxD4iWOqVKEFJpXcmb3dme2QIFQ2VRUbMBpOGhsYlzo-7P4PV8XBS-5krKkFXmw7sq2rcvfBp3uMT7Nt2yGS9Nt39Q74oRVNsbp1fW1IZ70RP9MQtB9BbtB9BfBO7LJOt0maiL9hmhKQ

Have also tried it without URL-encoding the post_logout_redirect_uri.
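The two answers above describe two separate mechanisms: the token revocation endpoint (RFC 7009), which is a back-channel POST from the RP and is what makes access tokens stop working, and the end_session endpoint (OpenID Connect Session Management / RP-Initiated Logout), which is a browser redirect that ends the user's login session at the OP so the next authorization-code request forces re-authentication. The example below, added here and not code from MITREid Connect or from anyone in the thread, builds both requests on the RP side and shows the OP-side rule from the spec for the follow-up question about redirects: the OP ends its session either way, but redirects the browser to post_logout_redirect_uri only when that URI exactly matches one registered for the client named in the id_token_hint's aud; otherwise it stays on its own logged-out page. Whether that is what happened in the thread is not established here. The issuer and endsession path are taken from the request URL posted above; the revocation path, the client secret, the registered-client table and the sample ID token are assumptions.

```python
"""RP-side logout helper plus OP-side redirect check (added example, not MITREid code).

  1. Token revocation (RFC 7009): a back-channel POST from the RP; this is what
     makes access/refresh tokens stop working.
  2. RP-initiated logout: a browser redirect (HTTP 302) to the end_session
     endpoint; this ends the OP login session and does not touch tokens.
Revoke first over the back channel, then redirect the browser.
"""
import base64
import json
from typing import Optional
from urllib.parse import parse_qs, urlencode, urlsplit

ISSUER = "http://myopenidserver.com/auth/"      # from the thread's request URL
END_SESSION_ENDPOINT = ISSUER + "endsession"     # from the thread's request URL
REVOCATION_ENDPOINT = ISSUER + "revoke"          # assumed RFC 7009 path, not from the thread


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _b64url_decode(seg: str) -> bytes:
    return base64.urlsafe_b64decode(seg + "=" * (-len(seg) % 4))


def make_sample_id_token(claims: dict) -> str:
    """Constructed ID token for offline use: the third segment is a placeholder,
    so it would never pass real signature verification."""
    header = {"kid": "rsa1", "alg": "RS256"}
    return ".".join([_b64url(json.dumps(header).encode()),
                     _b64url(json.dumps(claims).encode()),
                     _b64url(b"placeholder-signature")])


def id_token_claims(id_token: str) -> dict:
    """Read the JWS payload. The RP verified the signature when it accepted the
    token at login; the logout builder only needs 'aud' and does not re-verify."""
    parts = id_token.split(".")
    if len(parts) != 3:
        raise ValueError("id_token is not a compact JWS")
    return json.loads(_b64url_decode(parts[1]))


def build_revocation_request(token: str, client_id: str, client_secret: str,
                             token_type_hint: str = "access_token") -> dict:
    """RFC 7009 request the RP sends itself (client_secret_basic auth), not via the browser."""
    basic = base64.b64encode(f"{client_id}:{client_secret}".encode()).decode()
    return {"method": "POST", "url": REVOCATION_ENDPOINT,
            "headers": {"Authorization": "Basic " + basic,
                        "Content-Type": "application/x-www-form-urlencoded"},
            "data": {"token": token, "token_type_hint": token_type_hint}}


def build_end_session_url(id_token: str, post_logout_redirect_uri: str,
                          client_id: str, state: Optional[str] = None) -> str:
    """URL the RP redirects the browser to. Refuses an id_token_hint not issued
    to this client, because the OP keys its redirect check on the hint's aud."""
    aud = id_token_claims(id_token).get("aud")
    auds = aud if isinstance(aud, list) else [aud]
    if client_id not in auds:
        raise ValueError("id_token_hint was not issued to this client")
    params = {"id_token_hint": id_token, "post_logout_redirect_uri": post_logout_redirect_uri}
    if state:
        params["state"] = state
    return END_SESSION_ENDPOINT + "?" + urlencode(params)


def op_resolve_post_logout_redirect(request_url: str, registered_clients: dict) -> Optional[str]:
    """OP-side rule: the OP session is ended regardless; the browser is redirected
    only when post_logout_redirect_uri exactly matches a URI registered for the
    client in id_token_hint's 'aud'. A real OP also verifies the hint's signature
    with its own key; that step is omitted here."""
    q = {k: v[0] for k, v in parse_qs(urlsplit(request_url).query).items()}
    hint, uri = q.get("id_token_hint"), q.get("post_logout_redirect_uri")
    if not hint or not uri:
        return None
    aud = id_token_claims(hint).get("aud")
    for client_id in (aud if isinstance(aud, list) else [aud]):
        client = registered_clients.get(client_id)
        if client and uri in client.get("post_logout_redirect_uris", []):
            return uri
    return None


# Constructed sample mirroring the shape of the token posted in the thread (values illustrative)
SAMPLE_CLAIMS = {"sub": "2", "aud": "client", "iss": ISSUER, "exp": 1553199861,
                 "iat": 1553199261, "nonce": "1fbb2ff92567d"}
RP_REDIRECT = "http://localhost:18080/openid-demo-client/"      # from the thread
REGISTERED_CLIENTS = {"client": {"post_logout_redirect_uris": [RP_REDIRECT]}}  # assumed OP config

if __name__ == "__main__":
    tok = make_sample_id_token(SAMPLE_CLAIMS)
    print(build_revocation_request("at-123", "client", "secret")["data"])
    url = build_end_session_url(tok, RP_REDIRECT, "client", state="xyz")
    print(url)
    print("OP would redirect to:", op_resolve_post_logout_redirect(url, REGISTERED_CLIENTS))
```

The RP calls the revocation request itself with any HTTP client and only then issues the 302 to the end_session URL; calling the end_session endpoint server-side would not clear the user's browser session cookie at the OP. If the OP stays on its own logout page, the first thing to compare is the exact post_logout_redirect_uri string against what is registered for the client that the id_token_hint was issued to.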