Help with /logout endpoint

I am now struggling a bit to get the /logout endpoint to work as expected.

The logout endpoint is complaining that I am not providing the client_id, but I have provided the correct value.

{"errorCode":"invalid_client","errorSummary":"A client_id must be provided in the request.","errorLink":"invalid_client","errorId":"oaeN30gUpZASJqFKxk-dPV9pA","errorCauses":

The URI for the logon endpoint takes the form: (dummied up some of the values)
logout_url=https://connect.oktapreview.com/oauth2/v1/logout?client_id=99999&client_secret=88888&post_logout_redirect_uri=http%3A%2F%2Ftst5-ext.wei-pipeline.com&id_token_hint=777777&state=f16b6082b2

I’m not sure whether this is the cause of the error message, but you should definitely not be including the client secret in the URL! If you do that, it’s not exactly secret anymore, is it? :wink:

Good point! (it was a desperate attempt to get this working…same result without the secret)

I’m also not clear on the syntax of what you typed there. logout_url=https://connect.oktapreview.com..

What exactly is logout_url= doing there? If you’re trying to define a variable in some code somewhere it’s possible that you’re not escaping the actual logout URL properly so it isn’t seeing the query string parameters you’ve defined.

For example,

https://connect.oktapreview.com/oauth2/v1/logout?client_id=99999 is fine, but

https://example.com/?logout_url=https://connect.oktapreview.com/oauth2/v1/logout?client_id=99999 isn’t a valid URL since you would need to escape the second ? in that string.

It’s just how I dumped the value in our PHP error log file. The variable $logout_url is used to redirect the user’s browser to the link constructed. So ignore the logout_url= part.

I went and looked up the docs for the logout URL here: OpenID Connect & OAuth 2.0 API | Okta Developer

Two things:

  • Double check that you’re using the correct logout endpoint. For example the org authorization server is the one you’re using, but if you have the custom authorization server it would be something like https://xxxxx.okta.com/oauth2/default/v1/logout instead.
  • The client_id is not a documented parameter in that request. The request works when I provide a valid ID token, but fails with that error message if I give it an invalid ID token.

If you’re using the wrong logout URL, the ID token would look invalid also, which would cause that error. I have no idea why it reports the error as a missing client_id though. I will open up an investigation internally on that.

We are using the org authorization server only. We are only using Okta to authenticate our users.

I am using the /introspect endpoint to validate the access token.

The error message about the client_id parameter being required is returned when you don’t provide the client_id. When I provide the client_id, I still get the same error.

Yes, double check that the ID token you’re providing is valid. When I try this on my server I get that error message if I provide an invalid ID token (presumably because it’s not able to find the client_id from the ID token.) This is a misleading error message for sure, but I’m pretty sure your problem is that the ID token provided is not valid.

I was using the access_token; once I switched to the id_token, the error went away!

However, I don’t seem to be understanding what the /logout endpoint does. If I use the /introspect endpoint for validation, both the access_token and id_token are still ‘active’.

The logout endpoint removes the Okta session from the user’s browser. From the docs linked above:

Use this operation to log a user out by removing their Okta browser session.

This endpoint takes an ID token and logs the user out of Okta if the subject matches the current Okta session.

If you want to revoke a particular access token, use the revoke endpoint: OpenID Connect & OAuth 2.0 API | Okta Developer

But note that the access token JWT will still appear valid, since there is no way to modify the token itself. It will only be reported as revoked when the introspection endpoint is queried. It’s up to your resource server to query the revocation endpoint if it cares about checking whether the token is revoked.
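As an added example (not code from this thread, from the poster, or from Okta), the following Python sketch covers both points made above: building the org authorization server logout URL with only its documented parameters and a properly encoded redirect URI, linting a URL like the one posted earlier for the mistakes discussed, and showing why a resource server must rely on the introspection result rather than the JWT's own exp claim. The issuer host, the sample token claims and the placeholder signature are constructed assumptions.

```python
import base64
import json
from urllib.parse import parse_qs, urlencode, urlsplit

# Parameters the thread's documentation excerpt describes for /logout. client_id and
# client_secret are not among them, and a secret never belongs in a URL at all.
DOCUMENTED_LOGOUT_PARAMS = {"id_token_hint", "post_logout_redirect_uri", "state"}


def build_logout_url(issuer, id_token, post_logout_redirect_uri, state=None):
    """Build the org authorization server logout URL. urlencode escapes the redirect
    URI so its own ':', '/' and '?' cannot break the query string."""
    params = {"id_token_hint": id_token, "post_logout_redirect_uri": post_logout_redirect_uri}
    if state is not None:
        params["state"] = state
    return f"{issuer.rstrip('/')}/oauth2/v1/logout?{urlencode(params)}"


def lint_logout_url(url):
    """Flag the mistakes the thread turned up: a secret in the URL, parameters the
    endpoint does not document, and a missing ID token hint. Order is fixed."""
    query = parse_qs(urlsplit(url).query, keep_blank_values=True)
    problems = []
    if "client_secret" in query:
        problems.append("client_secret must never be sent in a URL")
    for name in sorted(query):
        if name not in DOCUMENTED_LOGOUT_PARAMS:
            problems.append(f"{name} is not a documented /logout parameter")
    if "id_token_hint" not in query:
        problems.append("id_token_hint is required")
    return problems


def _b64url(data):
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def make_sample_jwt(claims):
    """Constructed, unsigned sample token for the demo only (placeholder signature)."""
    header = _b64url(json.dumps({"alg": "RS256", "kid": "sample"}).encode())
    return f"{header}.{_b64url(json.dumps(claims).encode())}.sig-placeholder"

def unverified_exp(jwt):
    """Read exp from the payload without verifying; revocation never changes these bytes."""
    payload = jwt.split(".")[1]
    return json.loads(base64.urlsafe_b64decode(payload + "=" * (-len(payload) % 4)))["exp"]

def accept_bearer_token(jwt, introspection, now):
    """A resource server must not stop at the local exp check: a revoked token still
    looks unexpired, so only the introspection response's 'active' is authoritative."""
    return unverified_exp(jwt) > now and introspection.get("active") is True
```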
