OIDC / Logout with AWS ALB

I am trying to implement the logout functionality. The scenario is: we have an app behind an AWS ALB and I am using the ALB for authentication. I am able to log in and get the OIDC_DATA; however, I have the following issues.

  1. OIDC_DATA is JWT encoded. Hence when I decode it, I am able to retrieve the payload data but verify_signature fails. The API I use is as suggested on the AWS site:
```python
payload = jwt.decode(encoded_jwt, pub_key, algorithms=['ES256'])
```
  2. Since AWS-ALB is performing the authentication, when I call
```
https://{baseUrl}/logout?id_token_hint=<oidc_data>&post_logout_redirect_uri=<app_login_url>
```
    the response is:
```json
{"errorCode":"invalid_client","errorSummary":"A client_id must be provided in the request.","errorLink":"invalid_client","errorId":"oae9U5w61RwSMaM1aDLsu2p7g","errorCauses":[]}
```

Could you please guide me?

Are you providing the raw JWT string as the id_token_hint value? If not, can you give that a shot?

Thank you for the response. I tried with the raw JWT string; even then it returns the same error.

Can you share what your request looks like (anonymizing the token and your domain)? Can you double check that you’re passing in the ID token as the id_token_hint, and not an access token?

The page is redirected using window.location.href to the following URL:
```
https://<login_url>/oauth2/v1/logout?id_token_hint=&post_logout_redirect_uri=<app_home_url>
```

Where I tried the following for the above part:
OIDC_TOKEN (this is the raw token received in the header ‘x-amzn-oidc-data’ from AWS ALB)

And you tried passing in that ID token as the value for id_token_hint, as in the example below:

https://<login_url>/oauth2/v1/logout?id_token_hint=eyJr…asDa&post_logout_redirect_uri=<app_home_url>

Is the ID token you are testing with associated with the same user that has a session in the browser you are redirecting to /logout?

There’s some more details about why the logout redirect can fail in the error conditions listed here: OpenID Connect & OAuth 2.0 API | Okta Developer

Hello Andrea,
Thank you so much for guiding me on the possibilities that could cause it. I have still not been able to get this working.

To answer the questions raised:

  1. The ID token is associated with the same user that has a session. This is the ‘x-amzn-oidc-data’ provided by the AWS-ELB once the user is logged in.
  2. I am not sure, as the result comes as “errorCode”:“invalid_client” … To elaborate on the way we handle logout, please see the steps below:
    (a) The request goes to the backend (hosted within the AWS ELB), which will first clear/invalidate the AWSELB session cookie:
```
max_age=-1, expires='Thu, 01 Jan 1970 00:00:00 GMT'
```
    (b) Then, in the front-end (web layer), we redirect the page as follows:
```javascript
window.location.href = "https://<login_url>/oauth2/v1/logout?id_token_hint=<oidc_token>&post_logout_redirect_uri=<app_home_url>";
```

Hope the above info helps in guiding me further.

My app architecture is as follows: (architecture diagram image)

Hello Andrea,

Hope you had the opportunity to look at the above details. Additionally, I am posting the AWS rules (if that helps):

Authenticate using OIDC
Issuer: https://<login_url_basepath>/oauth2/<client_id>
Token endpoint: https://<login_url_basepath>/oauth2/<client_id>/v1/token
User info endpoint: https://<login_url_basepath>/oauth2/<client_id>/v1/userinfo
Authorization endpoint: https://<login_url_basepath>/oauth2/<client_id>/v1/authorize
Session cookie: AWSELBAuthSessionCookie
Session timeout: 604800
On unauthenticated: authenticate
Scope: openid email profile offline_access

Please let me know if you need any additional info

Are those endpoints Okta’s OAuth endpoints? When you say client_id in the paths for those, are you instead referring to the custom Authorization Server ID?

Hello Andrea,
Thank you for responding. These are the OAuth endpoints, as we are able to log in successfully with them. We are only facing a problem with logout: the app is not able to log out and redirect to the login page of the app.
For logout, we do the following:

  1. Invalidate the session cookie (AWSELBAuthSessionCookie) by setting the following value:
```
max_age=-1, expires='Thu, 01 Jan 1970 00:00:00 GMT'
```
  2. Redirect to logout with the main page of the app in the post_logout_redirect_uri, as follows:
```javascript
window.location.href = "https://<login_url>/oauth2/v1/logout?id_token_hint=<oidc_token>&post_logout_redirect_uri=<app_home_url>";
```

And the ID token you provide as the id_token_hint is for the same user/browser session you are trying to end? That should be working, provided the right endpoints are being hit and the right token is being provided. Can you try changing the logout URL, https://<login_url>/oauth2/v1/logout, to match the issuer paths used by the other calls, which look to include a specific authorization server that issued the original tokens?

That error usually only crops up if the id_token is missing or invalid (see notes on the endpoint here), but it's possible the request URL is the problem.
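Added example (not code from this thread or from Okta): it derives the logout URL from the ID token's own `iss` claim, as suggested in the reply above, and allowlists the post-logout redirect before issuing it. It assumes an Okta-issued ID token whose payload carries `iss`; note that the `x-amzn-oidc-data` header is a separate JWT signed by the ALB itself, not the IdP's ID token, and the sample token below is constructed with a dummy signature that is not verified here.

```python
import base64
import json
from urllib.parse import urlencode, urlparse

# Where the user may be sent after logout (assumption: configured per app,
# and it must also be registered as a sign-out redirect URI in Okta).
ALLOWED_POST_LOGOUT = {"https://app.example.com/"}


def b64url_decode(segment: str) -> bytes:
    """Decode one base64url JWT segment whether or not '=' padding is present."""
    segment = segment.rstrip("=")
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def jwt_claims(token: str) -> dict:
    """Return the payload of a compact JWT. The signature is NOT verified here:
    the claims only choose the logout endpoint; they prove nothing about identity."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWS (expected header.payload.signature)")
    return json.loads(b64url_decode(parts[1]))


def build_logout_url(id_token: str, post_logout_redirect_uri: str) -> str:
    """Build <iss>/v1/logout?... so the request reaches the authorization server
    that issued the token rather than the org-level /oauth2/v1/logout."""
    issuer = jwt_claims(id_token).get("iss", "")
    if urlparse(issuer).scheme != "https":
        raise ValueError("id_token has no https 'iss' claim")
    if post_logout_redirect_uri not in ALLOWED_POST_LOGOUT:
        raise ValueError("post_logout_redirect_uri is not allowlisted")
    query = urlencode({"id_token_hint": id_token,
                       "post_logout_redirect_uri": post_logout_redirect_uri})
    return f"{issuer.rstrip('/')}/v1/logout?{query}"


def make_sample_token(claims: dict) -> str:
    """Constructed sample token with a dummy signature, for demonstration only."""
    def enc(obj):
        return base64.urlsafe_b64encode(json.dumps(obj).encode()).decode().rstrip("=")
    return f"{enc({'alg': 'RS256', 'kid': 'example'})}.{enc(claims)}.c2ln"


# Constructed claims: a custom authorization server path like the one in the thread.
SAMPLE_TOKEN = make_sample_token({
    "iss": "https://dev-000000.okta.com/oauth2/ausEXAMPLE",  # constructed issuer
    "sub": "00uEXAMPLE", "aud": "0oaEXAMPLE", "exp": 1700000000,
})

if __name__ == "__main__":
    print(build_logout_url(SAMPLE_TOKEN, "https://app.example.com/"))
```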

Hi Andrea,
Thank you for the further suggestion. I have done a workaround of logging off via an iframe and then redirecting to the app. This shows me the Okta login screen again.
As you said, there could be some configuration issue, and the error log is not detailed. Is it possible to get a specific, detailed error from Okta on why it failed?