[OIDC] Logout without having the original Id Token?

Hi all,

We are using Okta to implement authentication via OIDC in some of our applications. We are using AWS Application Load balancer integration with OIDC to take care of an automatic token exchange, session management and so on in our infrastructure, which is been proving very handful so far

However, the way the ALB works, we don’t have access to the original Okta’s ID Token obtained during the token exchange.

The ALB forwards Okta’s original access_token to our apps, but instead of forwarding Okta’s ID Token, AWS composes a new one with the claims obtained from the /userinfo endpoint, signs this token and forwards it to our apps

The problem comes when we want to logout the user from the application and Okta’s authorization server (so that user has to enter credentials again in Okta’s login page).

Okta’s documentation for the /logout endpoint asks for an ID Token being passed in the id_token_hint query parameter but our applications don’t have access to Okta’s ID token, but rather AWS’s one

  • Has anybody dealt with this issue before and found a workaround?
  • Is there a way to obtain an ID Token from Okta after the token exchange if we posses a valid access token?
  • Is there any other way of logging our users from the app in Okta?

Thanks in advance for your help!

if you have Okta session cookie you should be able to go to /authorize again for tokens, but how would it help you, if ALB will intercept and substitute it again?!

there are ways to terminate the session with Okta, with Okta auth JS or by redirecting a user agent to a crafted Okta URL, which will terminate the session and send the agent back to the given URL

Hi there,

I’m also attempting to deal with this.

@phi1ipp - you mentioned there are “ways to terminate the session with Okta”. Could you please explain a little more which “crafted Okta URLs” can help with this or point me in the direction of some documentation?

Thanks again,

G

you can redirect user to “{{your_okta_org}}/login/signout?fromURI={{one of the trusted origins}}”

@phi1ipp - that’s brilliant. Thanks for the response.