We are using Okta to implement authentication via OIDC in some of our applications. We are using the AWS Application Load Balancer integration with OIDC to take care of the automatic token exchange, session management and so on in our infrastructure, which has been proving very handy so far.
However, the way the ALB works, we don’t have access to the original Okta’s ID Token obtained during the token exchange.
The ALB forwards Okta's original access_token to our apps, but instead of forwarding Okta's ID Token, AWS composes a new one with the claims obtained from the /userinfo endpoint, signs this token and forwards it to our apps.
The problem comes when we want to logout the user from the application and Okta’s authorization server (so that user has to enter credentials again in Okta’s login page).
Okta's documentation for the /logout endpoint asks for an ID Token to be passed in the id_token_hint query parameter, but our applications don't have access to Okta's ID token, only AWS's one.
- Has anybody dealt with this issue before and found a workaround?
- Is there a way to obtain an ID Token from Okta after the token exchange if we possess a valid access token?
- Is there any other way of logging our users out of Okta from the app?
Thanks in advance for your help!
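The distinction the post draws (the ALB-minted token versus Okta's own ID token) is easy to check mechanically before an app ever tries to use a token as `id_token_hint`. The following is an added example, not code from the post, Okta or AWS: it decodes the two JWT kinds without verifying them, classifies them by the header shape AWS documents for the `x-amzn-oidc-data` header (`alg` ES256 plus a `signer` field holding the ALB ARN) versus an RS256 Okta ID token whose `iss`/`aud` match the configured issuer and client, and only builds the RP-initiated logout URL from the latter. The issuer, client id, end-session endpoint and both tokens are constructed placeholders with a fake signature segment; in a real app the `end_session_endpoint` comes from Okta's `/.well-known/openid-configuration` and the signature must be verified before any claim is trusted.

```python
"""Tell an ALB-minted x-amzn-oidc-data JWT apart from an Okta ID token,
and build Okta's RP-initiated logout URL only from a genuine ID token.

Added illustration; all values below are constructed placeholders.
"""
import base64
import json
from urllib.parse import urlencode

# Placeholders (assumed, not from the post): a custom Okta authorization server.
ISSUER = "https://example.okta.com/oauth2/default"
CLIENT_ID = "0oaexampleclientid"
END_SESSION_ENDPOINT = ISSUER + "/v1/logout"  # normally read from discovery


def _b64url_decode(segment: str) -> bytes:
    # ALB-issued tokens may keep '=' padding; standard JWTs strip it.
    segment = segment.rstrip("=")
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def decode_jwt_unverified(token: str) -> tuple:
    """Return (header, claims) WITHOUT checking the signature.
    Suitable for classifying a token, never for trusting its claims."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWS (expected header.payload.signature)")
    return json.loads(_b64url_decode(parts[0])), json.loads(_b64url_decode(parts[1]))


def classify_token(token: str, issuer: str, client_id: str) -> str:
    """'alb' for the token ALB composes from /userinfo claims and signs itself,
    'okta-id-token' for an ID token from the configured issuer, else 'unknown'."""
    header, claims = decode_jwt_unverified(token)
    if header.get("alg") == "ES256" and "signer" in header:
        return "alb"  # signer = ALB ARN; Okta never emits this header field
    aud = claims.get("aud")
    auds = aud if isinstance(aud, list) else [aud]
    if header.get("alg") == "RS256" and claims.get("iss") == issuer and client_id in auds:
        return "okta-id-token"
    return "unknown"


def build_okta_logout_url(token: str, post_logout_redirect_uri: str,
                          issuer: str = ISSUER, client_id: str = CLIENT_ID,
                          end_session_endpoint: str = END_SESSION_ENDPOINT) -> str:
    """Compose the /logout URL; refuses anything that is not Okta's own ID token."""
    kind = classify_token(token, issuer, client_id)
    if kind == "alb":
        raise ValueError("x-amzn-oidc-data is signed by the ALB, not Okta; "
                         "it cannot serve as id_token_hint")
    if kind != "okta-id-token":
        raise ValueError("token is not an ID token from the configured Okta issuer")
    query = urlencode({"id_token_hint": token,
                       "post_logout_redirect_uri": post_logout_redirect_uri})
    return f"{end_session_endpoint}?{query}"


def _make_unsigned(header: dict, claims: dict, keep_padding: bool) -> str:
    """Constructed sample token with a bogus signature segment (test fixture only)."""
    def enc(obj):
        s = base64.urlsafe_b64encode(json.dumps(obj).encode()).decode()
        return s if keep_padding else s.rstrip("=")
    return f"{enc(header)}.{enc(claims)}.c2lnbmF0dXJl"


# Constructed sample: shape of what ALB forwards in x-amzn-oidc-data.
ALB_TOKEN = _make_unsigned(
    {"alg": "ES256", "kid": "example-kid",
     "signer": "arn:aws:elasticloadbalancing:us-east-1:111122223333:loadbalancer/app/example/abc",
     "iss": ISSUER, "client": CLIENT_ID, "exp": 1700000000},
    {"sub": "00uexample", "email": "user@example.com", "exp": 1700000000},
    keep_padding=True,
)

# Constructed sample: shape of the ID token Okta itself issues.
OKTA_ID_TOKEN = _make_unsigned(
    {"alg": "RS256", "kid": "example-kid"},
    {"iss": ISSUER, "aud": CLIENT_ID, "sub": "00uexample",
     "iat": 1699996400, "exp": 1700000000},
    keep_padding=False,
)

if __name__ == "__main__":
    print(classify_token(ALB_TOKEN, ISSUER, CLIENT_ID))        # alb
    print(classify_token(OKTA_ID_TOKEN, ISSUER, CLIENT_ID))    # okta-id-token
    print(build_okta_logout_url(OKTA_ID_TOKEN, "https://app.example.com/"))
```

The classifier only looks at structure; it is deliberately unverified, so its output should gate which token an app even attempts to use, not replace signature verification of the ALB token against the regional ALB public-key endpoint or of the Okta token against Okta's JWKS.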