We need your advice for implementing Okta /logout functionality for our use case. I have gone through the posted messages on the Okta dev forum and found the thread below the most useful, but we need more than what is suggested as the solution there.
‘[OIDC] Logout without having the original Id Token?’
A little bit of a background for our application:
We have used Okta to implement authentication via OIDC for our AWS Serverless application (written in Golang), which is behind an AWS Application Load Balancer. The UI is a separate application (Angular) hosted on publicly available AWS CloudFront.
To manage user state, we maintain two cookies, frontend & backend!
When the user hits the UI application URL, it checks for the frontend session cookie and, if not found, redirects the request to the backend (hosted behind the AWS ALB) for OIDC authentication.
On successful authentication from Okta, the ALB does the token exchange and sets the frontend session cookie on the UI domain, and keeps the AWSELBSessionCookie for active session management at the backend. Everything seems to work fine except the logout functionality!
We do not have any separate application login page and consider the organisation’s Okta login page as a common login page. There are many other applications in our organization that also use the Okta authentication flow. On a logout event from our application, we want the user to be logged out only from our application, and all other applications’ Okta sessions should remain active.
The problem:
AWS ALB does not pass the ID token to the backend application (it only passes x-amzn-oidc-accesstoken & x-amzn-oidc-data). As we do not have the ID token, we are not able to redirect the user to https://<okta org url>/oauth2/default/v1/logout?id_token_hint=<id token>, which should have resolved our problem, I think!
It seems the '@okta/okta-auth-js’ library provides logout functionality, but currently our UI is not aware of Okta and we do not want to use it on publicly available AWS CloudFront.
We have also tried https://<okta org url>/login/signout, but unfortunately it signs out of all Okta applications, which is not desirable in our case.
It seems the closest way to get the ID token is to use the /token POST request, but I am not sure if that will work, as the ALB may filter the ID token again!
Unfortunately https://< org >.okta.com/login/signout?fromURI=http://< trusted hostname of your app > does not completely work for our use case!
It signs out from all active Okta application sessions, i.e. suppose the user is using our application and has also logged in to the company ESS application (which also uses Okta) in another browser tab. Now if the user logs out of our application using the /login/signout?fromURI=… flow of our application and refreshes the company ESS site in the other tab, then the ESS site also redirects the user to the Okta login page, which should not be the case.
The other drawback of the /login/signout?fromURI=… approach is that fromURI=< our authenticated app url > has no effect: after login, it goes to < org okta home page > and not < our application home page >.
As a workaround we are thinking of developing our own custom login page, which would be managed by the frontend-session-cookie value. In short, we’ll show/redirect the user to the login page (once the logout event is triggered) based on the frontend-session-cookie value. We’ll not kill the Okta application session.
The user will still feel it is a new login attempt. If the user clears the browser cache, our actual flow will bring the user to the Okta login page!
Hi - Can you please help with how to get the user claims from x-amzn-oidc-accesstoken? Our app is .NET Core and behind an AWS ALB with Okta OIDC. We were able to authenticate, but somehow we are not able to get the token from x-amzn-oidc-accesstoken. Any help would be helpful.
Thanks
Ibrahim
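The two questions above share a root: behind ALB OIDC authentication the backend never sees the ID token, but it does receive the user's claims in the x-amzn-oidc-data header, which is a JWT the ALB itself signs with ES256 (x-amzn-oidc-accesstoken is the raw Okta access token). The following Go example, added here and not code from either poster or from Okta or AWS, shows the two pieces a backend needs: verifying and reading x-amzn-oidc-data, and the "local logout" the first post settles on, i.e. clearing only the application's own cookies so the Okta org session and every other Okta app stay signed in. The public key is passed in rather than fetched from the regional ALB public-key endpoint by kid, the sample signing key and token are constructed in the block, and the cookie names are assumptions to be replaced with whatever your ALB listener and UI actually set.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
	"math/big"
	"net/http"
	"strings"
	"time"
)

// Claims is the subset of ID-token claims read from the x-amzn-oidc-data payload.
type Claims struct {
	Sub   string `json:"sub"`
	Email string `json:"email"`
}

// albHeader mirrors the ALB JWT header, which carries the token expiry.
type albHeader struct {
	Alg string `json:"alg"`
	Kid string `json:"kid"`
	Exp int64  `json:"exp"`
}

// b64Decode accepts padded or unpadded base64url, since ALB segments may carry '='.
func b64Decode(s string) ([]byte, error) {
	return base64.RawURLEncoding.DecodeString(strings.TrimRight(s, "="))
}

func decodeSegment(seg string, v interface{}) error {
	b, err := b64Decode(seg)
	if err != nil {
		return err
	}
	return json.Unmarshal(b, v)
}

// VerifyALBData checks the ES256 signature and expiry of an x-amzn-oidc-data value
// before returning its claims. Verification matters: any client that can reach the
// backend without passing through the ALB could otherwise set the header itself.
// pub is normally fetched by hdr.Kid from the regional ALB key endpoint; it is
// passed in here so the check runs offline.
func VerifyALBData(token string, pub *ecdsa.PublicKey, now time.Time) (*Claims, error) {
	parts := strings.Split(token, ".")
	if len(parts) != 3 {
		return nil, errors.New("malformed token")
	}
	var hdr albHeader
	if err := decodeSegment(parts[0], &hdr); err != nil || hdr.Alg != "ES256" {
		return nil, fmt.Errorf("bad header or unexpected alg %q (%v)", hdr.Alg, err)
	}
	sig, err := b64Decode(parts[2])
	if err != nil || len(sig) != 64 { // ES256 signature is raw R||S, 32 bytes each
		return nil, errors.New("bad signature encoding")
	}
	digest := sha256.Sum256([]byte(parts[0] + "." + parts[1]))
	r, s := new(big.Int).SetBytes(sig[:32]), new(big.Int).SetBytes(sig[32:])
	if !ecdsa.Verify(pub, digest[:], r, s) {
		return nil, errors.New("signature verification failed")
	}
	if hdr.Exp != 0 && !now.Before(time.Unix(hdr.Exp, 0)) {
		return nil, errors.New("token expired")
	}
	var c Claims
	if err := decodeSegment(parts[1], &c); err != nil {
		return nil, err
	}
	return &c, nil
}

// ExpiredCookies builds the Set-Cookie values for a local logout: the app's own
// session cookies are cleared, the Okta org session is untouched. Names are
// assumptions; use the ones your ALB listener and UI actually set.
func ExpiredCookies(names []string) []*http.Cookie {
	out := make([]*http.Cookie, 0, len(names))
	for _, n := range names {
		out = append(out, &http.Cookie{Name: n, Path: "/", MaxAge: -1, HttpOnly: true, Secure: true})
	}
	return out
}

// NewSampleKey and SignSample exist only to construct offline test input in the
// ALB token's shape; a real backend never signs these itself.
func NewSampleKey() *ecdsa.PrivateKey {
	k, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	return k
}

func SignSample(priv *ecdsa.PrivateKey, c Claims, exp int64) string {
	enc := base64.RawURLEncoding.EncodeToString
	hdr, _ := json.Marshal(albHeader{Alg: "ES256", Kid: "constructed-kid", Exp: exp})
	body, _ := json.Marshal(c)
	input := enc(hdr) + "." + enc(body)
	digest := sha256.Sum256([]byte(input))
	r, s, _ := ecdsa.Sign(rand.Reader, priv, digest[:])
	sig := make([]byte, 64)
	r.FillBytes(sig[:32])
	s.FillBytes(sig[32:])
	return input + "." + enc(sig)
}
```

In a handler you would call VerifyALBData on r.Header.Get("x-amzn-oidc-data") and reject the request on any error, and on logout write each cookie from ExpiredCookies with http.SetCookie before redirecting to your own login page; because nothing here calls /login/signout or /v1/logout, the user's other Okta applications keep their sessions.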
Hi, I also have the same problem. I am following the approach of redirecting to “{{your_okta_org}}/login/signout?fromURI={{one of the trusted origins}}” after expiring the EKS Ingress ALB session cookie. Currently I have created an application in my Okta developer account and it has only one application in it. But when we move this to our organization's Okta account, the user would be logged out from all the logged-in applications once he logs out from my application. Is there any way to get the ID token, maybe by calling the Okta API, so that we can call https:///oauth2/default/v1/logout?id_token_hint=${id_token} to log off specifically from my application?