Integrating JWT and Okta OIDC in NetCore simultaneously, logout error: "A client_id must be provided in the request."

Questions
1

Due to the business requirements, the project needs to integrate Okta OIDC, but the system has already integrated JWT. Therefore, I have implemented multi-channel authentication with the following code:

  services.ConfigureApplicationCookie(options =>
            {
                options.Cookie.HttpOnly = true;
                options.Cookie.SecurePolicy = Microsoft.AspNetCore.Http.CookieSecurePolicy.Always;
            })
            .AddAuthentication(options =>
            {
                options.DefaultScheme = CookieAuthenticationDefaults.AuthenticationScheme;
                //options.DefaultChallengeScheme = OpenIdConnectDefaults.AuthenticationScheme;

            })
            .AddCookie()
            .AddOktaMvc(new OktaMvcOptions
            {
                // Replace these values with your Okta configuration
                OktaDomain = Appsettings.app("Okta:OktaDomain"),
                AuthorizationServerId = "",
                ClientId = Appsettings.app("Okta:ClientId"),
                ClientSecret = Appsettings.app("Okta:ClientSecret"),
                CallbackPath = Appsettings.app("Okta:redirect_uri"),
                PostLogoutRedirectUri = Appsettings.app("Okta:signout_redirect_uri")
                //Scope = new List<string> { "openid", "profile", "email" },
            });
            services.AddControllersWithViews();

The system can successfully redirect to the Okta system for authentication and callback to my home page. However, there is always an error when logging out, as shown below:

{
"errorCode": "invalid_client",
"errorSummary": "A client_id must be provided in the request.",
"errorLink": "invalid_client",
"errorId": "oaeYNYRvMnfQxOH4B0KM0A-Og",
"errorCauses": []
}

I tried to add client_id, but I still got the same error. Here is my logout code.

[NoSign]
        [Route("/Okta_Signout")]
        [Authorize(AuthenticationSchemes = OpenIdConnectDefaults.AuthenticationScheme )]
        [HttpGet]
        public async Task<IActionResult> SignOut()
        {
            //await HttpContext.SignOutAsync(CookieAuthenticationDefaults.AuthenticationScheme);

            string redirectUri = Appsettings.app("Okta:signout_redirect_uri");
            var properties = new AuthenticationProperties { RedirectUri = redirectUri };
            //properties.Items.Add("client_id", "0oa8j1t2i7iMbRyVW5d7"); 
            //properties.Items.Add("post_logout_redirect_uri", redirectUri); 

            return SignOut(properties,
                CookieAuthenticationDefaults.AuthenticationScheme,
                OpenIdConnectDefaults.AuthenticationScheme);
        }

I searched online and found that the reason for this issue may be due to the confusion in the .NET Core authentication pipeline. Does anyone have a solution to this? I hope you can help me. Thank you.

2

Hello,

If you open the browsers developers tool and check the network tab what is being sent for the /logout to Okta?
See here.

Getting back ‘A client_id must be provided in the request.’ would make me think the id_token_hint parameter with a valid id_token is not being passed.

1 Like
3

The route for logging out of a specific jump is:

https://dev-17459164.okta.com/oauth2/v1/logout?post_logout_redirect_uri=https%3A%2F%2Flocalhost%3A5001%2Fsignout%2Fcallback&state=CfDJ8CtEvkQf_9tEm8xArriDXoIW-jJujoY3pYBiH_UF7m0GWSXgK1rDZpWpAu-2NkYMnrzWRc0uZL09ycsogWQcHWYwdyTrxcsuFk0Xrq3R6PxKYHhAQtJ7P-GjXy28uMN3rS4f9DpdSlOKzquyf7iA_pUWTrCnacjLMgcsgWjBG_Hw&x-client-SKU=ID_NETSTANDARD2_0&x-client-ver=5.5.0.0

Id does not exist_ token_ Hint, but how do I add it

4

We found a solution by deploying a program developed in NetCore to a Windows Server IIS. Since sites created in IIS can have sub-applications, we put the authentication system into a sub-application to complete a wrapper authentication. Specifically, we created an application under the site that implements embedded Okta authentication. After authentication, it is encrypted and transmitted to the parent site for identity authentication. When logging out, it returns to the authentication program to log out, completing the login transformation.

Thank you very much for the response from the Okta team!