Okta raw logout

Hi,

I’m trying to create a logout for my Rails app.

As I understand it, the one and only thing that needs to be done is a GET request to /logout?id_token_hint=<id_token_hint>

Another, this time optional, attribute would be post_logout_redirect_uri.

But just /logout?id_token_hint=<id_token_hint> should do the trick? Right?

Well, I’m getting an error:
{"errorCode":"invalid_client","errorSummary":"Invalid value for 'client_id' parameter.","errorLink":"invalid_client","errorId":"oaewWqGO6lqRa6BqmRMYoRAPg","errorCauses":[]}

for both options (with and without post_logout_redirect_uri). What am I doing wrong?

On the Okta side I have the Logout redirect URIs set to http://localhost:3000

Are you passing an ID token as the value for id_token_hint? That’s what it expects.

I am getting the same error when I try to log out by redirecting the user-agent to the /logout endpoint.
I am passing the (URL-encoded) ID token as the value for id_token_hint as a parameter on the URL. The URL looks like:

https://dev-{...}.okta.com/oauth2/default/v1/logout?id_token_hint=%7B%27access_token%27%3A+%27{...}+%27scope%27%3A+%5B%27profile%27%2C+%27email%27%2C+%27openid%27%5D%2C+%27token_type%27%3A+%27Bearer%27%7D

(I have replaced sensitive information with {...})

I am confused because the error mentions a client_id parameter, but the API docs for /logout do not list client_id as a parameter.

It seems that Logout Redirect Page addresses a similar issue, but the solution was very specific to the poster’s C# implementation, and I am not familiar with C#.

I solved my issue! I was not giving the correct value for the id_token_hint.
Details: I am developing a Python Flask app, and am using requests_oauthlib to interact with Okta. To get the token, I call

token = requests_oauthlib.OAuth2Session.fetch_token(...)

The value returned by this method is a dict with a key 'id_token', along with several other keys. To add the id_token_hint to the logout url, I was originally passing the entire dict from fetch_token:

logout_url += '?' + urllib.parse.urlencode(dict(id_token_hint=token))

This produced an "invalid_client" error from Okta. Instead, I am now passing just the 'id_token' value from the dict:

logout_url += '?' + urllib.parse.urlencode(dict(id_token_hint=token['id_token']))

This works.
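
An added example, not code from the posts above: a stdlib-only guard that refuses the whole token dict as id_token_hint (the mistake described in the last post, which also puts the access token into the logout URL, as the encoded URL earlier in the thread shows) and builds the /v1/logout URL from the ID token alone. ISSUER, check_id_token_hint, build_logout_url and SAMPLE_TOKEN are hypothetical names; the sample token is constructed and unsigned, and the check looks only at the token's shape, not its signature.

```python
import base64
import json
from urllib.parse import urlencode

ISSUER = "https://dev-example.okta.com/oauth2/default"  # constructed placeholder


def _segment(obj):
    """base64url-encode a dict as one JWT segment (only for the sample below)."""
    return base64.urlsafe_b64encode(json.dumps(obj).encode()).rstrip(b"=").decode()


def _claims(segment):
    """Decode one base64url JWT segment to JSON; no signature verification."""
    return json.loads(base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4)))


def check_id_token_hint(value):
    """Return value if it is shaped like a raw ID token (compact JWT), else raise."""
    if not isinstance(value, str) or value.count(".") != 2:
        raise ValueError("id_token_hint must be token['id_token'], not the token dict")
    header, payload, _signature = value.split(".")
    try:
        _claims(header)
        claims = _claims(payload)
    except ValueError as exc:  # invalid base64, UTF-8 or JSON
        raise ValueError("id_token_hint segments are not base64url JSON") from exc
    if not isinstance(claims, dict) or not {"iss", "aud"} <= claims.keys():
        raise ValueError("payload lacks the iss/aud claims an ID token carries")
    return value


def build_logout_url(id_token, post_logout_redirect_uri=None):
    """Build the /v1/logout URL; only the ID token goes into the query string."""
    params = {"id_token_hint": check_id_token_hint(id_token)}
    if post_logout_redirect_uri:
        params["post_logout_redirect_uri"] = post_logout_redirect_uri
    return ISSUER + "/v1/logout?" + urlencode(params)


# Constructed sample shaped like the fetch_token() dict described above.
SAMPLE_TOKEN = {
    "access_token": "constructed-access-token",
    "token_type": "Bearer",
    "scope": ["profile", "email", "openid"],
    "id_token": ".".join([_segment({"alg": "RS256"}),
                          _segment({"iss": ISSUER, "aud": "constructed-client-id"}),
                          "constructed-signature"]),
}
```

Calling build_logout_url(SAMPLE_TOKEN) raises ValueError before any redirect is issued, while build_logout_url(SAMPLE_TOKEN["id_token"], "http://localhost:3000") returns a URL that carries only the ID token.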
