The End Session endpoint

The End Session endpoint can be used to trigger a single sign-out via the web browser. See the specification for more details.

The End Session endpoint is available at the path /connect/endsession relative to the authority. For instance, the End Session endpoint in the test environment will look like this:

https://helseid-sts.test.nhn.no/connect/endsession

To use the End Session endpoint, a Client application can redirect the user’s browser to the end session URL. Any applications that the user has logged into by use of the browser (during the user’s session), can participate in the sign-out.

Requests to the End User endpoint

The request to the End User endpoint is done by redirecting the user to it via the web browser:

GET https://helseid-sts.nhn.no/connect/endsession?id_token_hint=...&post_logout_redirect_uri=http%3A%2F%2Flocalhost%3A7017%2Findex.html

The following parameters can be used:

  • id_token_hint: This parameter is used in order to not let a loggged-in user make use of the "Sign out"-button; when the user is redirected to the End Session endpoint, they will get a web page with a "Sign out"-button. Use of the ìd_token_hint parameter will bypass this page. If used, this value must contain the original ID Token related to the user.
  • post_logout_redirect_uri: When a id_token_hint is passed in the request, the client may also send this parameter, the use of which is to allow the user to redirect back to the client after sign-out. The value must match one of the client’s pre-configured "Post logout redirect URI" as configured in HelseID Selvbetjening.
  • state: When post_logout_redirect_uri is passed in the request, then the client may also send this parameter. The value will be returned back to the client as a query string parameter after the user redirects back to the client. This is typically used by clients to round-trip state across the redirect.