Logout endpoint /oauth2/default/v1/logout

Hello,
I have a question related to the logout flow when Identity providers are being used.
Let’s say that an organization Z has an identity provider to organization A with a routing rule which is domain-specific (let’s say yahoo.com). When a user (test-user@yahoo.com) from organization A, who successfully managed to login through the identity provider, attempts to logout, my application sends a /oauth2/default/v1/logout request to the domain of organization Z and everything seems to work fine.

However, when the user attempts to login in my application again, no matter what they input in the username field, the validation passes and they log in with the test-user@yahoo.com.

So in other words, I wanted to ask if I’m using the /oauth2/default/v1/logout endpoint properly.
Is there a detail that I’m missing regarding the cleanup of the session/token of the user?

Thanks in advance!

The /oauth2/default/v1/logout endpoint isn’t fully logging out users, allowing automatic re-authentication.

Solution

  1. Implement proper logout flow:

    • Clear local application session
    • Revoke access and refresh tokens
    • Remove authentication-related cookies
  2. Use Okta’s logout endpoint correctly:

    GET https://{yourOktaDomain}/oauth2/v1/logout?id_token_hint={idToken}&post_logout_redirect_uri={redirectUri}
    
  3. Implement federated logout:

    • Log out from your application
    • Redirect to IdP’s logout endpoint
    • Handle IdP’s redirect back to your application
  4. Revoke tokens:

    • Use Okta’s /oauth2/v1/revoke endpoint
  5. Clear server-side session data

  6. Verify token validity:

    • Use introspection endpoint before granting access

By implementing these steps, you should achieve a more robust logout process, preventing automatic re-authentication issues.

I have faced a similar issue with federated Okta organisations and am still not able to resolve it. How exactly can you perform federated logout when the Okta external IDP configuration does not accept an OIDC logout endpoint?


Key Steps for Federated Logout

  1. Log out from your application
  2. Revoke Okta tokens using /oauth2/v1/revoke endpoint
  3. Clear local session data and cookies
  4. Attempt to log out from the external IDP

Options When IDP Doesn’t Support OIDC Logout

  • Check if the IDP supports SAML Single Logout (SLO)
  • Implement a custom logout flow that logs out of your app and Okta
  • Use Okta’s API to end the Okta session, even if the external IDP session remains
  • Set shorter session timeouts

Hope this helps!

