Authentication

Accor Login manages the OpenID Connect flow and token lifecycle, simplifying your integration with Accor APIs.

LOG OUT

There are two methods for logging out: REVOKE A SESSION and CLOSE SESSIONS, both described below.

It is also recommended to revoke the refresh token after logout.

REVOKE A SESSION

This process invalidates a session with an API call.
This service redirects to the https://login.accor.com/pf-ws/rest/sessionMgmt/revokedSris endpoint.

Request:

| Type | Endpoint |
|------|----------|
| POST | https://login.accor.com/pf-ws/rest/sessionMgmt/revokedSris |

Headers:

| Headers | Value | Required |
|---------|-------|----------|
| Content-Type | application/json | Yes |
| Authorization* | The value of this field should always be: Basic {authorization} | Yes |
| X-XSRF-HEADER | "PingFederate" | Yes |

*authorization = Base64Encode(client_id:client_secretKey) or use standard tools to generate it (login=client_id, password=client_secretKey)

Payload:

| Name | Value | Required |
|------|-------|----------|
| id | pi.sri stored in the id_token parameter given at the first authentication (not sent when using refresh) | Yes |

A successful revocation returns HTTP 201.

Example of request:

POST https://rec-login.accor.com/pf-ws/rest/sessionMgmt/revokedSris
Authorization: Basic ***********************************
Content-Type: application/json
X-XSRF-HEADER: PingFederate

{"id":"l_CxkWR49DCxXb660NIIk8lclek.ZXUtY2VudHJhbC0x.E9Gf"}

CLOSE SESSIONS

The logout process invalidates an active session. After users log out, you can redirect them to a specific URL.

Request:

| Type | Endpoint |
|------|----------|
| GET | https://login.accor.com/idp/startSLO.ping |

Parameters:

| Name | Value | Required |
|------|-------|----------|
| TargetResource | The URI your users are sent back to after logout. | No |
| InErrorResource | Indicates where the user is redirected after an unsuccessful logout. If this parameter is not included in the request, the user will be redirected to the logout error landing page hosted by Accor Login. | No |

Example of request:

GET https://login.accor.com/idp/startSLO.ping?TargetResource=https://yourdomain/callback_logout

REVOKE A REFRESH_TOKEN

This process is used to invalidate a refresh token.

Request:

| Type | Endpoint |
|------|----------|
| POST | https://login.accor.com/as/revoke_token.oauth2 |

Headers:

| Headers | Value | Required |
|---------|-------|----------|
| Content-Type | application/x-www-form-urlencoded | Yes |
| Authorization | The value of this field should always be: Basic {authorization} | Yes |

Payload:

| Name | Value | Required |
|------|-------|----------|
| token | The refresh_token to revoke | Yes |
| token_type_hint | value: "refresh_token" | Yes |

A successful revocation returns HTTP 200.
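
The session revocation and refresh-token revocation described above, combined into one server-side logout routine. This is an added example, not Accor's code: the function names are hypothetical, and it assumes pi.sri is a claim in the id_token's JWT payload that your backend reads and stores at first authentication. The client secret is used here, so this must never run in a browser or mobile client.

```python
import base64
import json
from urllib.parse import urlencode
from urllib.request import Request, urlopen

BASE = "https://login.accor.com"  # production host shown on the page

def basic_auth(client_id, client_secret):
    """Authorization value: Basic Base64Encode(client_id:client_secretKey)."""
    raw = f"{client_id}:{client_secret}".encode()
    return "Basic " + base64.b64encode(raw).decode()

def session_ref(id_token):
    """Read pi.sri from the id_token payload (assumed to be a JWT claim).
    Signature validation belongs at login; this only extracts the claim."""
    segment = id_token.split(".")[1]
    segment += "=" * (-len(segment) % 4)  # restore stripped base64url padding
    sri = json.loads(base64.urlsafe_b64decode(segment)).get("pi.sri")
    if not sri:  # per the page, pi.sri is not sent when using refresh
        raise ValueError("no pi.sri: store it at first authentication")
    return sri

def revoke_session_request(sri, auth):
    """Build the revokedSris call; the page documents HTTP 201 on success."""
    return Request(BASE + "/pf-ws/rest/sessionMgmt/revokedSris", method="POST",
                   data=json.dumps({"id": sri}).encode(),
                   headers={"Content-Type": "application/json",
                            "Authorization": auth, "X-XSRF-HEADER": "PingFederate"})

def revoke_refresh_token_request(refresh_token, auth):
    """Build the revoke_token.oauth2 call; the page documents HTTP 200."""
    form = {"token": refresh_token, "token_type_hint": "refresh_token"}
    return Request(BASE + "/as/revoke_token.oauth2", method="POST",
                   data=urlencode(form).encode(),
                   headers={"Content-Type": "application/x-www-form-urlencoded",
                            "Authorization": auth})

def logout(sri, refresh_token, client_id, client_secret, send=urlopen):
    """Attempt both revocations even if one fails; True only if both succeed."""
    auth = basic_auth(client_id, client_secret)
    results = []
    for request, expected in ((revoke_session_request(sri, auth), 201),
                              (revoke_refresh_token_request(refresh_token, auth), 200)):
        try:
            with send(request) as response:
                results.append(response.status == expected)
        except OSError:  # URLError/HTTPError: still try the next revocation
            results.append(False)
    return all(results)
```

In production, pass a `send` callable that sets a timeout, such as `functools.partial(urlopen, timeout=5)`, and treat a `False` result as a session that may still be live.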
