Logging out of an Okta authenticated flask app

I’m using Okta to handle the user authentication for a flask app more or less adapting this tutorial to my needs:

It all works great, except for the logout functionality. When I call oidc.logout(), my understanding is that it removes the local authentication token, but the server side token stays, so users never really get logged out (if they click login, they go back in without reauthentication, this isn’t the desired behaviour).

As per the documentation here ( https://developer.okta.com/docs/api/resources/oidc/#logout) , it says that I need to request the logout url with an id_token_hint. What exactly goes in this id_token_hint= field?

The only id_token I’m familiar with is the whole JWT ‘oidc_id_token’ with a bunch of sub fields like jti, iss, idp etc. is one of those fields what is being referred to as the “id_token_hint” needed to logout on the server side via the API?


Hi @thebrettrgm

In the id_token_hint parameter you will need to pass an ID token that was issued with the user that is currently logged in.

In authorization code flow, the ID token is issued once the authorization code is passed to /token endpoint.

1 Like

Thanks dragos, that helps!

In case anyone else runs into this, this is what worked for me in flask:

def logout():
info = oidc.user_getinfo([‘preferred_username’, ‘email’, ‘sub’])
from oauth2client.client import OAuth2Credentials
id_token = OAuth2Credentials.from_json(oidc.credentials_store[info.get(‘sub’)]).token_response[‘id_token’]
logout_request = base_url + logout_url + str(id_token) + logout_redirect_url
return redirect(logout_request)

Is that the desired way to go about it though, redirecting the client browser to the fully-formed logout request? It works, I’m wondering if there’s an issue with exposing that id_token, or is that the correct way to logout?

Hi @thebrettrgm

No worries. Yes, this is the desired flow, the OpenID Connect /logout endpoint is implemented as per the spec available here.

1 Like