OKTA express Oidc middle ware login/ logout redirections


Hello .

I am currently working on Okta login/logout integration in my application.
On front end we have Angular and Backend is Node with express middleware

I have login Page, which uses Okta Sign in Widget . Once user is logged in oidc.ensureAuthentication () function is called on every protect route to make sure its a valid session.

I have expressOIDC middleware set up in my server .js file

var oidc = new ExpressOIDC({
    issuer: `${configSettings.orgUrl}/oauth2/default`,
    client_id: configSettings.keys.id,
    client_secret: configSettings.keys.clientSecret,
    redirect_uri: configSettings.keys.redirectUri,
    routes: {
        callback: { 
            defaultRedirect: "/" 
    scope: 'openid profile email'

As soon as user sign is , callback will print user information.

Issue is : When i logout , in oidc i am just calling
logOff : function logOff(req, res){

This logout does not clear my session and it will redirect me to sign in page, because on UI i am redirecting to sing . html, but i guess there is some setting i missed or logout url redirect is not correct. I am not sure what should be the flow on logout and what setting should i add. Can somebod provide an example, or may be i missed a callback handler but by default its ‘authorization-code/callback’ which should enter into

 callback: { 
            defaultRedirect: "/" 

i am not sure

Below is my Okta App url redirects


Hi @reemasaluja

First, make sure oidc.ensureAuthentication() isn’t on the / route. If it isn’t, then follow the instructions here to set up an example with the widget. Let us know if that helps!


I checked out the link, which you shared. Thanks, But that wont work in my case.

Let me tell you the flow

Node server boots up

  1. in server.js has oidc connection established.

  2. webpage - > custom login form(with custom made url /user/sign-in), uses sign in widget - > Authenticates- > oidc authentication on route -> get data from mongo db -> and triggers next action.

Successfully signed in

Issue is with logout

app.get(’/logout’, function(req, res){
req.logout(); // this is undefined. no logout function in req object


If you’re trying add additional data to the session from mongodb after login, have you seen this section about extending the user in the README?

If logout is undefined, it’s probably because of the order of the routes. app.use(oidc.router); must come before you attach any of your own routes in order for logout to be available.



  1. No addition of user data. Thats just the flow i mentioned.
  2. app.use(oidc.router) is defined , before any route is called.
  3. Here is logout flow from client (Angular 1.5) to express route

->user clicks on Logout link in website.
-> Sign in widget logout

logoutWidget: function () {
              var deferred = $q.defer();
                 // widget.tokenManager.remove('idToken');
                  deferred.resolve("Signed out");
                } else {
                  deferred.resolve("Already Signed Out");
              return deferred.promise;

-> hit server with some service : userService.logoutUser() -> which fires
app.get(’/logout’, function(req, res){

I feel /logout should fire by itself when sign in widgets fires signout? , but i have to fire it manually.

my logout url on browser is “http://localhost:8080/user/logout

Also nothing is provided in okta configuration for Logout URLS field

  1. Sounds good!

  2. Just to be clear, it must be defined before other routes are defined, not just defined before the other routes are called:

    app.use(oidc.router); // must be defined before
    app.get('/logout', ...);
  3. The flow seems strange. If the browser knows the id_token or access_token and sends an access_token to the server, then you’re doing the implicit flow and oidc-middleware isn’t for you. If the implicit flow is what you want, we currently have @okta/jwt-verifier to verify incoming tokens to routes.

    oidc-middleware is designed to handle the authorization code flow, where you host a login route on your server, and the callback sets the userinfo in a cookie. You use that cookie (not an access_token) to make authorization decisions on future requests. To logout, redirect the browser (window.location.href = 'your logout uri'). If the authorization code flow is what you want, I suggest looking at the example.

You may want to look through our new Authentication Guide to determine which flow you want (authorization code flow or implicit), as that decision is application-specific.


Make sense. Thanks for clarification.

This makes sense


What if i want to use both oidc middleware and sign in widget. How should i implement logout functionality with OIDC