Logging out of an Okta authenticated flask app

thebrettrgm · March 26, 2019, 1:53am

I’m using Okta to handle the user authentication for a flask app more or less adapting this tutorial to my needs:

It all works great, except for the logout functionality. When I call oidc.logout(), my understanding is that it removes the local authentication token, but the server side token stays, so users never really get logged out (if they click login, they go back in without reauthentication, this isn’t the desired behaviour).

As per the documentation here ( https://developer.okta.com/docs/api/resources/oidc/#logout) , it says that I need to request the logout url with an id_token_hint. What exactly goes in this id_token_hint= field?

The only id_token I’m familiar with is the whole JWT ‘oidc_id_token’ with a bunch of sub fields like jti, iss, idp etc. is one of those fields what is being referred to as the “id_token_hint” needed to logout on the server side via the API?

Thanks!

dragos · March 26, 2019, 8:59am

Hi @thebrettrgm

In the id_token_hint parameter you will need to pass an ID token that was issued with the user that is currently logged in.

In authorization code flow, the ID token is issued once the authorization code is passed to /token endpoint.

thebrettrgm · March 26, 2019, 6:11pm

Thanks dragos, that helps!

In case anyone else runs into this, this is what worked for me in flask:

@app.route(“/logout”)
@oidc.require_login
def logout():
info = oidc.user_getinfo([‘preferred_username’, ‘email’, ‘sub’])
from oauth2client.client import OAuth2Credentials
id_token = OAuth2Credentials.from_json(oidc.credentials_store[info.get(‘sub’)]).token_response[‘id_token’]
logout_request = base_url + logout_url + str(id_token) + logout_redirect_url
oidc.logout()
return redirect(logout_request)

Is that the desired way to go about it though, redirecting the client browser to the fully-formed logout request? It works, I’m wondering if there’s an issue with exposing that id_token, or is that the correct way to logout?

dragos · March 26, 2019, 8:28pm

Hi @thebrettrgm

No worries. Yes, this is the desired flow, the OpenID Connect /logout endpoint is implemented as per the spec available here.

sai422 · March 1, 2021, 11:13pm

Hello
I used your piece of code. But I seem to get “Internal error”. Can you please tell me where was I doing wrong? This is the piece of code I used.

@app.route(“/logout”, methods=[“POST”])
@oidc.require_login
def logout():
info = oidc.user_getinfo([“preferred_username”, “email”, “sub”])
raw_id_token = OAuth2Credentials.from_json(oidc.credentials_store[info.get(“sub”)]).token_response[“oidc_token”]
id_token = str(raw_id_token)
logout_request = “https://dev-99954736.okta.com/oauth2/default/v1/logout?id_token_hint={id_token}&post_logout_redirect_uri=http://127.0.0.1:5000/”.format(id_token=id_token)
oidc.logout()
return redirect(logout_request)

Thank You!

system · January 26, 2024, 11:49pm

This topic was automatically closed 24 hours after the last reply. New replies are no longer allowed.