Invalid client_id on logout

I am integrating an old Spring application with Okta. I’m using the MITREid Spring library and authentication is working fine, however when I attempt to logout, I get invalid client_id. I have read the posts indicating this is caused by using the wrong token or a badly formatted token. I have decoded my token and it appears to be correct. I have used the introspect endpoint and it says the token is not active. Can someone help me understand what is wrong with the token? I may have to modify the token encoding in the MITREid library so Okta recognizes it. Please let me know what I need to provide to help research this. From what I understand, the Okta support team has access to the ID tokens I have used to attempt logout. Earlier I had utilized invalid tokens, but the last few requests should be valid.

What is the iss value in the ID token you have?

What are the introspect and /logout endpoints you are trying to use? Do they look like https://org.okta.com/oauth2/v1/logout OR https://org.okta.com/oauth2/default/v1/logout OR https://org.okta.com/oauth2/ausxxxxxxxx/v1/logout?

If you navigate to iss + /.well-known/openid-configuration, does the end_session_endpoint match the URL you are trying to use for your /logout request?

This is the value of the iss property in the token: https://dev-41814438.okta.com/oauth2/default
It matches the end_session_endpoint in .well-known/openid-configuration which is https://dev-41814438.okta.com/oauth2/default/v1/logout

And you’re making this request in the same browser in which the user has an Okta session?

Also, watch out for these error conditions: OpenID Connect & OAuth 2.0 API | Okta Developer

Correct. That’s why I believe the ID token is invalid, but I don’t know why, because when I view the decoded contents, it appears correct. Do you have a decoded valid token I could use as a reference to compare?

For the token you looked at, was the exp value within it set in the future or the past? Is the token actually still valid at this point?

I found the issue. I was submitting the token without the signature at the end. The OIDC library I’m using was a bit confusing to get the entire token value.
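
A pre-flight check for the failure found in this thread, added here as an example (it is not Okta's or the MITREid library's code): it confirms that the value about to be sent as id_token_hint is a complete three-segment JWS with a non-empty signature, that its iss matches the issuer whose end_session_endpoint is being called, and that exp is still in the future, then builds the logout URL. The sample token, claims and redirect URI are constructed; signature verification itself is left to Okta.

```python
import base64
import json
import time
from urllib.parse import urlencode

# iss value from the thread; the token built below is constructed, not a real Okta token.
ISSUER = "https://dev-41814438.okta.com/oauth2/default"


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _b64url_decode(segment: str) -> bytes:
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def check_id_token_hint(token: str, expected_iss: str, now=None) -> list:
    """Return the problems found; an empty list means the token is usable as id_token_hint.
    The signature is only checked for presence, not validity: Okta verifies it server-side."""
    problems = []
    parts = token.split(".")
    if len(parts) != 3:
        return [f"expected 3 dot-separated segments (header.payload.signature), got {len(parts)}"]
    _header_b64, payload_b64, sig_b64 = parts
    if not sig_b64:
        problems.append("signature segment is empty: the token was cut off before the third part")
    try:
        payload = json.loads(_b64url_decode(payload_b64))
    except ValueError:  # covers binascii.Error and json.JSONDecodeError
        return problems + ["payload is not base64url-encoded JSON"]
    if payload.get("iss") != expected_iss:
        problems.append(f"iss {payload.get('iss')!r} does not match {expected_iss!r}")
    now = int(time.time()) if now is None else now
    if payload.get("exp", 0) <= now:
        problems.append("exp is in the past: token expired")
    return problems


def build_logout_url(end_session_endpoint: str, token: str, post_logout_redirect_uri: str) -> str:
    """Compose the end_session request as a GET URL (parameters from the OIDC RP-initiated logout spec)."""
    query = {"id_token_hint": token, "post_logout_redirect_uri": post_logout_redirect_uri}
    return end_session_endpoint + "?" + urlencode(query)


def make_sample_token(claims: dict, signature: bytes = b"constructed-signature") -> str:
    """Build a constructed, unsigned-for-real JWS shape for testing the checks above."""
    header = _b64url(json.dumps({"alg": "RS256", "kid": "constructed"}).encode())
    payload = _b64url(json.dumps(claims).encode())
    return f"{header}.{payload}.{_b64url(signature)}"
```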
