How to implement Logout of AM from an OAuth2 Client

I have a Spring Boot application which is configured as an OAuth2 Client in ForgeRock AM. The application is protected in Spring Boot and delegates authentication to ForgeRock AM on accessing the protected URLs. The application uses the OAuth2 Authorisation Grant Flow.

In my Spring Boot application I have implemented Logout, which clears down the session context in Spring Boot.

How can I issue a request to ForgeRock AM to log out, destroying the session that was created and the cookie, from my Spring logout?

Hi riponman and thanks for your post,

AM Logout APIs are listed here:
https://backstage.forgerock.com/docs/am/7.2/authentication-guide/authn-rest.html

If you want to invalidate the Access Token, or a Refresh Token, check those APIs too:
https://backstage.forgerock.com/docs/am/7.2/oauth2-guide/varlist-oauth2-token-revoke-endpoint.html

With Regards

1 Like

Hi gery.ducatel

Thanks for your quick response. I would need to destroy the tokens issued by AM and also log out of AM itself. To revoke the tokens I can post to the endpoint /oauth2/realms/root/realms/global/token/revoke.
Can this be a server-side call, or does this need to be done by the client, which is the browser?

For logging out of AM I would need access to the FR AM iPlanetPRO cookie as per the REST API.
The applications are in different cookie domains: my OAuth2 application will not be able to make the REST call, as we cannot access the FR AM cookie.
To log out of AM, can I invoke the AM Logout URL endpoint /am/XUI/#logout via an HTTP GET request from the client?

Hi,

You should be able to use the following API but it is an OIDC flow, therefore, you must use an openid scope request and use the ID token in the API call:

https://backstage.forgerock.com/docs/am/7.2/oidc1-guide/rest-api-oidc-endsession-endpoint.html

With regards

2 Likes
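Putting both answers together, as an added example that is not from the thread or from ForgeRock: token revocation is a back-channel POST from the application server using the client's own credentials, while ending the AM session is a browser redirect to the OIDC end session endpoint carrying the ID token as id_token_hint, which is why the openid scope is required. The AM base URL and the endSession path are assumptions; the revocation path is the one quoted in the thread.

```python
import base64
from urllib.parse import urlencode

# Assumed AM deployment URL (placeholder for this example).
AM_BASE = "https://am.example.com/am"
# Revocation path as posted in the thread; adjust the realm for your deployment.
REVOKE_URL = AM_BASE + "/oauth2/realms/root/realms/global/token/revoke"
# OIDC end session endpoint; the path is assumed here, confirm it in the linked AM doc.
END_SESSION_URL = AM_BASE + "/oauth2/realms/root/connect/endSession"


def revocation_requests(tokens, client_id, client_secret):
    """Back-channel step: one POST per token, authenticated with the client's own
    credentials (HTTP Basic). It runs from the Spring Boot server, so the AM
    session cookie is never needed."""
    creds = base64.b64encode(f"{client_id}:{client_secret}".encode()).decode()
    headers = {"Authorization": f"Basic {creds}",
               "Content-Type": "application/x-www-form-urlencoded"}
    return [{"url": REVOKE_URL, "headers": headers,
             "body": urlencode({"token": value, "token_type_hint": hint})}
            for hint, value in tokens.items() if value]  # skip tokens never issued


def end_session_redirect(id_token, post_logout_redirect_uri, state):
    """Front-channel step: the browser is redirected to AM with the ID token as
    id_token_hint, so AM can end its own session without the client ever reading
    the AM cookie. The ID token exists only if the authorization request asked
    for the openid scope."""
    if not id_token:
        raise ValueError("no ID token: add the openid scope to the authorization request")
    query = urlencode({"id_token_hint": id_token,
                       "post_logout_redirect_uri": post_logout_redirect_uri,
                       "state": state})
    return f"{END_SESSION_URL}?{query}"


def logout_plan(session, client_id, client_secret, post_logout_redirect_uri, state):
    """Logout order: revoke tokens server-side, then send the browser to AM.
    Clearing the local Spring session stays the application's own job."""
    revocations = revocation_requests(
        {"access_token": session.get("access_token"),
         "refresh_token": session.get("refresh_token")}, client_id, client_secret)
    redirect = end_session_redirect(session.get("id_token"), post_logout_redirect_uri, state)
    return revocations, redirect


if __name__ == "__main__":
    # Constructed sample session (not real tokens).
    sample = {"access_token": "at-123", "refresh_token": "rt-456", "id_token": "idt-789"}
    reqs, url = logout_plan(sample, "spring-app", "s3cret", "https://app.example.com/logged-out", "xyz")
    print(len(reqs), "revocation requests; redirect:", url)
```

The state value should be checked when the browser comes back to post_logout_redirect_uri, and the ID token must be kept in the server-side session rather than re-requested at logout time.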