LOG OUT
There are 2 methods for log out :
- API Call (recommended): https://login.accor.com/pf-ws/rest/sessionMgmt/revokedSris
- URL Call: https://login.accor.com/idp/startSLO.ping
It's also recommended after log out to revoke the refresh token.
REVOKE A SESSION
This process is used to invalidate a session with an API call.
This service redirect to the https://login.accor.com/pf-ws/rest/sessionMgmt/revokedSris endpoint.
Request:
| Type | Endpoint |
|---|---|
| POST | https://login.accor.com/pf-ws/rest/sessionMgmt/revokedSris |
Header :
|
Headers |
Value |
Required |
|---|---|---|
| Content-Type | application/json | Yes |
| Authorization* | The value of this field should always be: Basic {authorization} | Yes |
| X-XSRF-HEADER | "PingFederate" | Yes |
*authorization = Base64Encode(client_id:client_secretKey) or use standard tools to generate it (login=client_id, password=client_secretKey)
Payload:
|
Name |
Value |
Required |
|---|---|---|
| id | pi.sri stored in the id_token parameter given at the first authentication (not send when using refresh) | Yes |
A successful revoke returns a http 201.
Example of Request:
POST https://rec-login.accor.com/pf-ws/rest/sessionMgmt/revokedSris
Authorization:"Basic ***********************************"
Content-Type:"application/json"
X-XSRF-HEADER:"PingFederate"
{"id":"l_CxkWR49DCxXb660NIIk8lclek.ZXUtY2VudHJhbC0x.E9Gf"}
CLOSE SESSIONS
The log out process is used to invalidate an active session.
After users log out, you can redirect users to a specific URL.
Request:
| Type | Endpoint |
|---|---|
| GET | https://login.accor.com/idp/startSLO.ping |
Parameters:
|
Name |
Value |
Required |
|---|---|---|
| TargetResource | The URI your users are sent back to after logout. | No |
| InErrorResource | Indicates where the user is redirected after an unsuccessful logout. If this parameter is not included in the request, the user will be redirected to the logout error landing page hosted by Accor Login. | No |
Example of request:
GET https://login.accor.com/idp/startSLO.ping?TargetResource=https://youdomain/callback_logout
REVOKE A REFRESH_TOKEN
This process is used to invalidate a refresh token.
Request:
| Type | Endpoint |
|---|---|
| POST | https://login.accor.com/as/revoke_token.oauth2 |
Header :
|
Headers |
Value |
Required |
|---|---|---|
| Content-Type | application/x-www-form-urlencoded | Yes |
| Authorization | The value of this field should always be: Basic {authorization} | Yes |
Payload:
|
Name |
Value |
Required |
|---|---|---|
| token | The refresh_token to revoke | Yes |
| token_type_hint | value: "refresh_token" | Yes |
A successful revoke returns a http 200.