/logout - why is the ID Token necessary?

Regarding the logout endpoint found here…
https://developer.okta.com/docs/reference/api/oidc/#logout
Why is the ID token necessary?
Is there a different way to initiate logout… that doesn’t require an ID token?

Kinda related… looking at how often developers have questions/issues with logout you might reconsider how it works.
https://devforum.okta.com/search?q=logout


What if I turn the question around and ask you: if you were a provider I have a session with, how would you know which user to sign out if I hit your /logout URL?

If you think about it, you will find the answer to why id_token might be required.

Yes, there is an alternative way: just hit /signin/logout in your browser and you'll sign a user out of Okta.

Thanks for the response @phi1ipp. That makes sense to use the ID token to sign the user out, however, I assumed Okta left a session cookie of some sort based on this wording “…by removing their Okta browser session” found in the /logout docs referenced above, which I hoped could be used to identify the user and alleviate my need to pass the ID token. The library I’m using does not make the ID token available to me by default and by configuring it to be available I’ve bloated the request payload. I may need the ID token for other purposes so I won’t get hung up on that point right now.

I tried the /signin/logout but it doesn’t seem to log me out. Is that /signin/logout feature documented somewhere so I can make sure I’m using it right? I looked but did not find it.

Ugh… I always mess it up! My bad. It's /login/signout actually.

So the trick is who initiated the logout. When it's a browser, it has a cookie, so you can simply hit the URL above. The id_token-related one, on the other hand, can be initiated from a backend (in case that's required).

Thanks! That worked, I can log out now, even without an ID token. Are there limitations I should be aware of when logging out that way? Or some documentation I should read?

Hi @bruce,

@phi1ipp was right about the need for id_token_hint in /logout endpoint. And, as mentioned in the docs, the browser (user agent) should be redirected to the /logout endpoint.

As an alternate, you could call DELETE /api/v1/sessions/me from the browser.
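To make the two approaches in this thread concrete, here is an added example (not code from the thread, from Okta, or from any Okta SDK). It builds the OIDC /logout URL with `id_token_hint`, `post_logout_redirect_uri` and `state`, peeks at the ID token claims to show why the hint tells Okta which user and session to end, and wraps the browser-side `DELETE /api/v1/sessions/me` alternative. The issuer, client IDs, allowlist and sample token are all constructed for the example; the token is unsigned (`alg: none`) purely so the demo runs offline, and the decoder deliberately does not verify anything, since verification is the provider's job when it receives the hint.

```javascript
// Added example: RP-initiated logout against Okta, and the cookie-based
// alternative. Everything below (issuer, client id, allowlist, token) is
// constructed for illustration; none of it comes from the forum thread.

const ISSUER = "https://dev-123456.okta.com/oauth2/default"; // assumed issuer
const OKTA_ORG = "https://dev-123456.okta.com";               // assumed org URL
// post_logout_redirect_uri must also be registered on the app in Okta;
// keeping a local allowlist stops an open redirect via a tampered parameter.
const ALLOWED_POST_LOGOUT = ["https://app.example.com/logged-out"]; // assumed

// Decode a compact JWS payload WITHOUT verifying it. This only illustrates
// what the provider can read from id_token_hint (iss, aud, sub, exp);
// the provider itself checks the signature before trusting any of it.
function decodeJwtPayload(jwt) {
  const parts = jwt.split(".");
  if (parts.length !== 3) throw new Error("not a compact JWS");
  return JSON.parse(Buffer.from(parts[1], "base64url").toString("utf8"));
}

// Build the URL the browser must be redirected to (a top-level navigation,
// not an XHR), as the /logout docs require.
function buildLogoutUrl({ issuer, idToken, postLogoutRedirectUri, state }) {
  if (!idToken) throw new Error("id_token_hint is required by Okta's /logout");
  const claims = decodeJwtPayload(idToken);
  if (claims.iss !== issuer) throw new Error("id_token issuer does not match");
  const url = new URL(issuer + "/v1/logout");
  url.searchParams.set("id_token_hint", idToken);
  if (postLogoutRedirectUri !== undefined) {
    if (!ALLOWED_POST_LOGOUT.includes(postLogoutRedirectUri)) {
      throw new Error("post_logout_redirect_uri not in allowlist");
    }
    url.searchParams.set("post_logout_redirect_uri", postLogoutRedirectUri);
  }
  if (state) url.searchParams.set("state", state); // echoed back; check it on return
  return url.toString();
}

// Constructed, unsigned ID token for the offline demo (NOT a real Okta token).
function makeSampleIdToken(claims) {
  const b64 = (o) => Buffer.from(JSON.stringify(o)).toString("base64url");
  return `${b64({ alg: "none" })}.${b64(claims)}.`;
}

// Cookie-based alternative from the thread: end the Okta browser session
// directly. Must run in the browser with credentials sent, and the app's
// origin has to be allowed under Okta's Trusted Origins (CORS) for this call.
async function deleteOktaSession(orgUrl = OKTA_ORG) {
  const res = await fetch(`${orgUrl}/api/v1/sessions/me`, {
    method: "DELETE",
    credentials: "include",
  });
  return res.ok; // no body on success; the session cookie is now invalid
}

// Demo when run directly with Node.
if (typeof require !== "undefined" && require.main === module) {
  const token = makeSampleIdToken({
    iss: ISSUER, aud: "0oa1example", sub: "00u1example", exp: 1700000000,
  });
  console.log("claims visible in the hint:", decodeJwtPayload(token));
  console.log(buildLogoutUrl({
    issuer: ISSUER, idToken: token,
    postLogoutRedirectUri: ALLOWED_POST_LOGOUT[0], state: "logout-7f3a",
  }));
}
```

The `state` value is the one thing worth persisting in session storage before the redirect, so the page that handles `post_logout_redirect_uri` can confirm the round trip was one it started. `deleteOktaSession` ends the Okta session the cookie identifies, but it does nothing to any session your own application holds; clear that separately, exactly as you would after the /logout redirect returns.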
