I changed how logout works. It bothered me that there was no
authentication and that anybody could just push any guessed session_id
to /logout. So, it is now split up into two forms of logout:
* GET /realms/{realm}/tokens/logout?redirect_uri={}
I removed the session_state parameter. This is a browser-based logout
and requires the user to be logged in. I still need to verify that the
redirect_uri is a valid URI.
* POST /realms/{realm}/tokens/logout
Same form parameters and authentication required as a refresh token
request. A valid refresh token is required to be able to log out the
session.
--
Bill Burke
JBoss, a division of Red Hat
http://bill.burkecentral.com
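As an added illustration (not Keycloak's code, nor the author's), the following minimal in-memory token service shows the two logout forms described in the message: the browser-based GET that acts only on the caller's own authenticated session and checks redirect_uri against registered URIs, and the POST that requires client authentication plus a valid refresh token. The names (CLIENTS, SESSIONS, login, logout_get, logout_post) and the client_id used to look up registered redirect URIs are assumptions for this example.

```python
# Added example (hypothetical names, not Keycloak's implementation).
import hmac
import secrets
from urllib.parse import urlsplit

# Constructed sample state: one registered client, sessions created by login().
CLIENTS = {"app": {"secret": "s3cret", "redirect_uris": ["https://app.example/cb"]}}
SESSIONS = {}  # session_id -> {"user": ..., "refresh_token": ...}


def login(user):
    """Create a session and return (session_id, refresh_token)."""
    sid, rt = secrets.token_urlsafe(16), secrets.token_urlsafe(32)
    SESSIONS[sid] = {"user": user, "refresh_token": rt}
    return sid, rt


def redirect_uri_allowed(client_id, uri):
    """Exact match against the client's registered redirect URIs (no open redirect)."""
    parts = urlsplit(uri)
    if parts.scheme != "https" or not parts.netloc:
        return False
    return uri in CLIENTS.get(client_id, {}).get("redirect_uris", [])


def logout_get(browser_session_id, client_id, redirect_uri):
    """GET /realms/{realm}/tokens/logout?redirect_uri=...  (browser-based).
    The session comes from the caller's own authenticated cookie, never from
    a session_state/session_id parameter, so a guessed id logs nobody out."""
    if browser_session_id not in SESSIONS:
        return 401, None  # not logged in: nothing to log out
    if not redirect_uri_allowed(client_id, redirect_uri):
        return 400, None  # refuse to redirect to an unregistered URI
    del SESSIONS[browser_session_id]
    return 302, redirect_uri


def logout_post(client_id, client_secret, refresh_token):
    """POST /realms/{realm}/tokens/logout: same auth as a refresh-token request."""
    client = CLIENTS.get(client_id)
    if client is None or not hmac.compare_digest(client["secret"], client_secret):
        return 401  # client authentication failed
    # The session is located only through its refresh token, which the
    # caller must actually hold; there is no session_id to guess.
    for sid, s in list(SESSIONS.items()):
        if hmac.compare_digest(s["refresh_token"], refresh_token):
            del SESSIONS[sid]
            return 204
    return 400  # unknown or already-revoked refresh token
```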