Closed rhinmass closed 5 years ago
The current user is logged out of the current authenticated session and therefore he is forced to authenticate again if a client tries to obtain a new access token with the authorization code flow. The endpoint is part of the OpenID Connect Session Management specifications.
@jansinger is correct. This does not revoke access tokens. For that, use the token revocation endpoint.
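The two calls distinguished above, as an added example that is not part of the original thread or the project's code: an end-session redirect that only ends the browser session at the provider, and separate RFC 7009 revocation requests for the tokens themselves. The endpoint URLs, client credentials and token values are constructed placeholders, and `logout_plan` is a hypothetical helper name.

```python
import base64
from urllib.parse import urlencode

# Constructed placeholder endpoints (assumptions, not taken from the thread).
END_SESSION_ENDPOINT = "https://idp.example/endsession"
REVOCATION_ENDPOINT = "https://idp.example/revocation"


def build_end_session_url(id_token, post_logout_redirect_uri, state):
    """Front-channel logout URL: ends the session at the provider, revokes nothing."""
    query = urlencode({
        "id_token_hint": id_token,
        # Encoded exactly once here; the decoded value has to match a
        # post-logout redirect URI registered for the client.
        "post_logout_redirect_uri": post_logout_redirect_uri,
        "state": state,
    })
    return f"{END_SESSION_ENDPOINT}?{query}"


def build_revocation_request(token, hint, client_id, client_secret):
    """RFC 7009 revocation: a back-channel POST, one request per token."""
    if hint not in ("access_token", "refresh_token"):  # hints RFC 7009 defines
        raise ValueError("unsupported token_type_hint")
    basic = base64.b64encode(f"{client_id}:{client_secret}".encode()).decode()
    return {
        "method": "POST",
        "url": REVOCATION_ENDPOINT,
        "headers": {
            "Authorization": f"Basic {basic}",
            "Content-Type": "application/x-www-form-urlencoded",
        },
        "body": urlencode({"token": token, "token_type_hint": hint}),
    }


def logout_plan(tokens, id_token, redirect_uri, state, client_id, client_secret):
    """Revoke each (token, hint) pair first, then redirect the browser to end-session."""
    steps = [build_revocation_request(t, h, client_id, client_secret)
             for t, h in tokens]
    steps.append({"method": "GET",
                  "url": build_end_session_url(id_token, redirect_uri, state)})
    return steps
```

The returned steps are plain dictionaries, so they can be handed to whatever HTTP client the application already uses.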
I'm not getting redirected back. I'm setting post_logout_redirect_uri and id_token_hint, yet after the logout it stays at the server logout page.
Have also tried it without URL-encoding the post_redirect_logout_uri.
I don't understand what the endsession endpoint actually does. All of my tokens still work. I presume I need to revoke the tokens in a separate call. Which leads me to ask why call endsession at all?