Janssen Server provides session revocation endpoint to enable the client to revoke all sessions of a users. Though not being part of any industry standard/specification, Janssen Server provides this endpoint to allow greater control and better management of sessions on OP.
URL to access revocation endpoint on Janssen Server is listed in the response of Janssen Server's well-known configuration endpoint given below.
session_revocation_endpoint claim in the response specifies the URL for revocation endpoint. By default, revocation endpoint
looks like below:
More information about request and response of the revocation endpoint can be found in the OpenAPI specification of jans-auth-server module.
A request to this endpoint can revoke all sessions of one particular user. Use the request parameters to specify criteria to select the user. If there are multiple users matching the given criteria, the first found user will be affected.
Disabling The Endpoint Using Feature Flag#
Session revocation endpoint can be enabled or disable using REVOKE_SESSION feature flag.
Use Janssen Text-based UI(TUI) or Janssen command-line interface to perform this task.
When using TUI, navigate via
enabledFeatureFlags to screen below. From here, enable or
REVOKE_SESSION flag as required.
A client must have the following scope in order to use this endpoint: