Good day.
I'm facing a strange issue that I can't resolve without help.
I'm building an authorization module for an old Node.js application. For some reasons I have to use the passport and passport-openidconnect npm modules.
This is the passport config; it works as expected:
passport.use('oidc', new OidcStrategy({
  issuer: issuer,
  // Okta "default" custom authorization server endpoints
  authorizationURL: AUTHORIZATION_SERVICE + '/oauth2/default/v1/authorize',
  tokenURL: AUTHORIZATION_SERVICE + '/oauth2/default/v1/token',
  userInfoURL: AUTHORIZATION_SERVICE + '/oauth2/default/v1/userinfo',
  clientID: CLIENT_ID,
  clientSecret: CLIENT_SECRET,
  callbackURL: BASE_URL + ON_SIGN_IN,
  appBaseUrl: BASE_URL,
  scope: DEFAULT_SCOPE
}, // verify callback: the profile returned here becomes req.user in the session
(issuer, sub, profile, accessToken, refreshToken, done) => done(null, profile)));
OK, the login process works fine, the user is stored in the passport session, and the application works as expected.
But when I try to log out with this Express middleware:
const _clearSession = (req, res) => {
  req.logout(); // removes req.user from the passport session (passport < 0.6 form, no callback)
  // session.destroy() is asynchronous: redirect from its callback so the session is gone before the next request
  req.session.destroy(() => res.redirect(LOGIN_ROUTE));
};
even though the session is destroyed, the user somehow remains logged in to the Okta account, so instead of going to the Okta login form the user immediately sees the default page as an authorized user.
I also tried to log out with the /revoke endpoint:
https://{myOktaAppUrl}/oauth2/v1/revoke
with the params token hint, token, client id, and client secret.
But it failed with the error “invalid_client”.
Could someone help me solve this issue?
Thanks in advance