[OIDC] Logout without having the original ID Token

The ALB forwards Okta’s original access_token to our apps, but instead of forwarding Okta’s ID Token, AWS composes a new one with the claims obtained from the /userinfo endpoint, signs this token and forwards it to our apps.

The problem comes when we want to logout the user from the application and Okta’s authorization server (so that user has to enter credentials again in Okta’s login page).

Okta’s documentation for the /logout endpoint asks for an ID Token to be passed in the id_token_hint query parameter, but our applications don’t have access to Okta’s ID token, only to AWS’s one.

  • Has anybody dealt with this issue before and found a workaround?

  • Is there a way to obtain an ID Token from Okta after the token exchange if we possess a valid access token?

  • Is there any other way of logging our users out of Okta from the app?

Thanks in advance for your help!

Do you only have a valid access token? Would it be possible to be forwarded along a refresh token as well? That way your application could refresh the user’s tokens and, as long as it is requesting the openid scope, receive an ID token.
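The flow suggested in the reply, written out as an added example (not code from the thread or from Okta): a refresh_token grant that requests the openid scope, a check that the returned id_token was issued by Okta rather than minted by the ALB, and the resulting RP-initiated logout URL. The issuer, client ID, redirect URI and the sample token are assumed placeholders; the token response is constructed offline.

```python
import base64
import json
from urllib.parse import urlencode

# Assumed placeholder values, not taken from the thread.
OKTA_ISSUER = "https://example.okta.com/oauth2/default"
CLIENT_ID = "0oaPLACEHOLDER"
POST_LOGOUT_URI = "https://app.example.com/logged-out"


def _jwt_claims(token: str) -> dict:
    """Decode the payload segment of a JWT without verifying the signature.
    That is enough to decide whether the token can serve as id_token_hint:
    it is only echoed back to Okta, which validates it itself."""
    payload = token.split(".")[1]
    payload += "=" * (-len(payload) % 4)
    return json.loads(base64.urlsafe_b64decode(payload))


def make_sample_id_token(issuer: str) -> str:
    """Constructed, unsigned JWT used only as offline sample input."""
    enc = lambda d: base64.urlsafe_b64encode(json.dumps(d).encode()).rstrip(b"=").decode()
    return f"{enc({'alg': 'RS256'})}.{enc({'iss': issuer, 'sub': 'user@example.com'})}.sig"


def refresh_request(refresh_token: str) -> dict:
    """Form body for POST {OKTA_ISSUER}/v1/token. Including 'openid' in the
    scope is what makes Okta return a fresh id_token with the new access token."""
    return {
        "grant_type": "refresh_token",
        "refresh_token": refresh_token,
        "scope": "openid offline_access",
        "client_id": CLIENT_ID,
    }


def issued_by_okta(id_token: str) -> bool:
    """The ALB-signed token carries a different issuer; Okta would not
    recognise it as a hint, so only an Okta-issued token is usable."""
    return _jwt_claims(id_token).get("iss") == OKTA_ISSUER


def pick_okta_id_token(token_response: dict) -> str:
    id_token = token_response.get("id_token")
    if not id_token:
        raise ValueError("no id_token in response; was the openid scope requested?")
    if not issued_by_okta(id_token):
        raise ValueError("id_token was not issued by Okta")
    return id_token


def logout_url(id_token: str, state: str) -> str:
    """RP-initiated logout: id_token_hint tells Okta which session to end."""
    query = urlencode({"id_token_hint": id_token,
                       "post_logout_redirect_uri": POST_LOGOUT_URI, "state": state})
    return f"{OKTA_ISSUER}/v1/logout?{query}"
```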
