Can't log out users

Hi,
I am researching the feasibility of moving our authentication to Okta.

Since our existing backend server is written in python (flask), I followed this guide to get familiar with the flask-okta integration:

The tutorial is very helpful, but the logout doesn’t work as expected. Even after clicking on the “logout” button, one can hit the /dashboard endpoint and immediately get auto-verified as long as the user is logged in to Okta.

I did some looking around and I found this thread:

It seems like they were having the exact same issue that I’m facing; however, unlike the resolution on that thread, I’m still unable to successfully log out users from Okta.

I’m following the API reference as outlined by OpenID Connect & OAuth 2.0 API | Okta Developer

I have this logout endpoint in the flask server:

from flask import redirect
from oauth2client.client import OAuth2Credentials

@app.route("/auth/logout/")
@oidc.require_login
def logout():
    # Look up this user's stored credentials and pull the raw id_token out of the token response
    info = oidc.user_getinfo(['preferred_username', 'email', 'sub'])
    id_token = OAuth2Credentials.from_json(oidc.credentials_store[info.get('sub')]).token_response['id_token']
    # Send the browser to the org-level /logout path with the id_token as the hint
    logout_request = 'https://dev-2210127.okta.com/logout?id_token_hint={}'.format(id_token)
    oidc.logout()  # clear the local flask-oidc session before redirecting
    return redirect(logout_request)

When the user is logged in, I am able to successfully obtain the id_token, but when I end up redirecting to the endpoint, I get 404 errors and the user doesn’t get logged out.

Please note I have tried to GET https://dev-2210127.okta.com/logout?id_token_hint={TOKEN}
as well as https://dev-2210127.okta.com/v1/logout?id_token_hint={TOKEN}, since the documentation is not very clear on whether the /v1 is necessary.

Both redirects take me to the Okta subdomain, but they both return 401, presumably because they can’t find a logged-in user with the token. Any help is appreciated.

Thanks

Hi @dantheman,

I think you should use the following URL - https://dev-2210127.okta.com/oauth2/default/v1/logout?id_token_hint={TOKEN}
This is because the issuer URL used in the flask example is {{ OKTA_ORG_URL }}/oauth2/default and you’ll have to use the same auth server to make the logout call.

Try this and let us know if it works.

1 Like

Hi @vijet
Thank you for your response. Actually, that was very helpful! I can reach the endpoint, but now I am getting a 400 status code back because it says “The id token is invalid”.

I wonder if the smoking gun is
id_token = OAuth2Credentials.from_json(oidc.credentials_store[info.get('sub')]).token_response['id_token']

I’ve inspected the token_response object in the debugger and there is an id_token and an access_token, neither of which allows me to log out the user.

Hi @dantheman,

Looking at other threads where this error was received, it looks like if the id_token is not attached to the URL, you generally see this error.
See this for example - https://github.com/vouch/vouch-proxy/issues/40#issuecomment-496728692

Can you see the network request made in the browser when you get this error to confirm id_token is being passed in the URL?
Or try to call the /logout endpoint manually using postman or something to see if you still get the same error?

Here is what I just got working (Python):

from flask import redirect
from oauth2client.client import OAuth2Credentials

@application.route("/logout", methods=["POST"])
@oidc.require_login
def logout():
    # Fetch the raw id_token that flask-oidc stored for this user at login
    info = oidc.user_getinfo(["preferred_username", "email", "sub"])
    raw_id_token = OAuth2Credentials.from_json(oidc.credentials_store[info.get("sub")]).token_response["id_token"]
    id_token = str(raw_id_token)
    # Logout must go through the same authorization server the app authenticated against (oauth2/default),
    # and post_logout_redirect_uri must match a Logout redirect URI registered on the Okta app
    logout_request = "https://dev-000000.okta.com/oauth2/default/v1/logout?id_token_hint={id_token}&post_logout_redirect_uri=http://google.com/".format(id_token=id_token)
    oidc.logout()  # clear the local session before handing off to Okta
    return redirect(logout_request)

In my Okta app General Settings I set the Logout redirect URIs to google.com

Make sure you are logged out of Okta and also make sure to clear any stale cookies set before you got it fully working.

Hope this helps,
Casey

2 Likes
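The URL shape the replies converged on (issuer + /v1/logout, with id_token_hint and a registered post_logout_redirect_uri), as an added example that is not code from this thread or from flask-oidc. It builds the logout URL from the issuer the app authenticated against instead of the bare org URL, URL-encodes the redirect, and rejects redirects that are not on a local allowlist; the hostname, token and redirect URI are constructed placeholders.

```python
from urllib.parse import urlencode, urlsplit, urlunsplit

# Constructed allowlist: mirror of the Logout redirect URIs registered on the Okta app.
ALLOWED_POST_LOGOUT_URIS = {"https://app.example.com/logged-out"}


def logout_url(issuer, id_token, post_logout_redirect_uri=None):
    """Return the RP-initiated logout URL for the given Okta issuer.

    The logout endpoint lives under the authorization server the app used
    (e.g. https://<org>.okta.com/oauth2/default), so the path is built from
    that issuer rather than from the org URL that produced the 404 above.
    """
    # id_token_hint must be the raw compact JWT (header.payload.signature);
    # anything else yields "The id token is invalid" from Okta.
    if not id_token or id_token.count(".") != 2:
        raise ValueError("id_token_hint must be a compact JWT")

    parts = urlsplit(issuer)
    if parts.scheme != "https" or not parts.path.startswith("/oauth2/"):
        raise ValueError("issuer must look like https://<org>.okta.com/oauth2/<server>")

    params = {"id_token_hint": id_token}
    if post_logout_redirect_uri is not None:
        # Okta only honours registered URIs; checking locally as well keeps a
        # user-supplied value from turning the logout into an open redirect.
        if post_logout_redirect_uri not in ALLOWED_POST_LOGOUT_URIS:
            raise ValueError("post_logout_redirect_uri is not registered")
        params["post_logout_redirect_uri"] = post_logout_redirect_uri

    path = parts.path.rstrip("/") + "/v1/logout"
    # urlencode percent-encodes the redirect URI, so ':' and '/' survive the round trip.
    return urlunsplit((parts.scheme, parts.netloc, path, urlencode(params), ""))
```

In the Flask route, call oidc.logout() to drop the local session and then return redirect(logout_url(...)), so both the app session and the Okta session end.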

@vijet @csiens
Thank you both! It is working now.
My final issue was not having the default/ in the URL.
Now everything is working as expected.

Best
Dan

1 Like

This topic was automatically closed 24 hours after the last reply. New replies are no longer allowed.