Okta Sign Out / Logout in PHP or JavaScript

Hello guys,

Can someone send me code, preferably in PHP or Vanilla Javascript for Okta’s Sign Out / Logout, for me to insert in the code of my web application in PHP? I couldn’t implement any of the Sign Out code that is in the Okta Developer Quick Guide.

Following the documentation at:

When accessing Logout URL:
GET https://${baseUrl}/logout?

I have the 404 error page.

What are you using as a baseURL here? Are you following this guidance about how to determine the correct base url to use in your requests based on the authorization server you are using?

Aka, the baseURL should either be https://{{subdomain}}.okta.com/oauth2 (if you are using the Org Authorization Server) or https://{{subdomain}}.okta.com/oauth2/{{customAuthorizationServerId}} (if you are using a custom authorization server).

So depending on the issuer/authorization server you are using, the full logout request url (that you redirect to) will be https://{{subdomain}}.okta.com/oauth2/v1/logout or https://{{subdomain}}.okta.com/oauth2/{{customAuthorizationServerId}}/v1/logout

Remember that you can always get the full list of the /oauth endpoints for your server at its metadata endpoint: https://{{subdomain}}.okta.com/.well-known/openid-configuration (Org Auth Server) or https://{{subdomain}}.okta.com/oauth2/{{customAuthorizationServerId}}/.well-known/openid-configuration

Hi @andrea,

I’m almost getting it with the URL


Is this field via GET “id_token_hint” correct? I send the okta_id_token but I get a 400 error:
Invalid request
Your order resulted in an error. The id token is invalid.

You can’t make a curl request to the /logout endpoint, you need to redirect to it in the browser.

Additionally, you do not need to send the SSWS as auth for this endpoint. The only thing you need to pass it is the id_token_hint (which is the raw id token JWT string), e.g.: https://${subdomain}.okta.com/oauth2/v1/logout?id_token_hint=eyj*****

Potential error causes are listed here: Error conditions | /logout | Okta Developer

My main two guesses right now:

  1. you are not sending the id_token along in the same browser the user had their Okta session in
  2. you are sending the id token to the wrong auth server. For example, if the iss in your ID token says https://{{subdomain}}.okta.com/oauth2/default, then your /logout endpoint will be https://{{subdomain}}.okta.com/oauth2/default/v1/logout. The Default Authorization Server is NOT the same as the Org Authorization Server, which is highlighted in the docs I shared earlier


It worked out! Thank you very much!

I used the URL https://{{subdomain}}.okta.com/oauth2/default/v1/logout and logged out of Okta.

But it goes to the Okta login page, how do I redirect back to my application?

I’m trying https://{{subdomain}}.okta.com/oauth2/default/v1/logout?id_token_hint=".$_SESSION['okta_id_token']."&post_logout_redirect_uri=".$_ENV['OKTA_OAUTH2_REDIRECT_URI']; but no redirect.


Nice! Make sure that you add the URL you want users to get sent back to (the post_logout_redirect_uri parameter) as a "Sign-out redirect URI" for the application in the admin console. Okta won’t redirect the user back to a URI unless it exactly matches one listed there.
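The points made in the answers above (logout endpoint taken from the token's issuer, `id_token_hint` as the raw JWT, an exactly matching `post_logout_redirect_uri`), put together as an added example that is not part of the original thread or Okta's own code. The names `buildLogoutUrl`, `EXPECTED_ORIGIN` and `SIGN_OUT_URIS`, the example.com hosts and the sample token are assumptions made for illustration, and the issuer-to-endpoint mapping follows the URL patterns quoted in the thread.

```javascript
// Added example; buildLogoutUrl, EXPECTED_ORIGIN and SIGN_OUT_URIS are hypothetical names.
const EXPECTED_ORIGIN = "https://example.okta.com"; // placeholder Okta org origin
// Local copy of the app's "Sign-out redirect URIs" list (constructed value).
const SIGN_OUT_URIS = ["https://app.example.com/logout"];

// Read the JWT payload WITHOUT verifying it. Used only to pick the
// authorization server, never to make an authentication decision.
function readClaims(idToken) {
  const parts = idToken.split(".");
  if (parts.length !== 3) throw new Error("not a JWT");
  let b64 = parts[1].replace(/-/g, "+").replace(/_/g, "/");
  b64 = b64.padEnd(Math.ceil(b64.length / 4) * 4, "=");
  return JSON.parse(atob(b64));
}

function buildLogoutUrl(idToken, postLogoutRedirectUri) {
  const iss = new URL(readClaims(idToken).iss);
  // Never redirect the browser (with the token attached) to an unexpected host.
  if (iss.origin !== EXPECTED_ORIGIN) throw new Error("unexpected issuer: " + iss.origin);
  // Org Authorization Server: iss has no path      -> {origin}/oauth2/v1/logout
  // Custom server (incl. "default"): .../oauth2/{id} -> {iss}/v1/logout
  const path = iss.pathname.replace(/\/$/, "");
  const base = path.startsWith("/oauth2/") ? iss.origin + path : iss.origin + "/oauth2";
  // URLSearchParams percent-encodes the values, which string concatenation does not.
  const params = new URLSearchParams({ id_token_hint: idToken });
  if (postLogoutRedirectUri !== undefined) {
    if (!SIGN_OUT_URIS.includes(postLogoutRedirectUri)) // exact string match
      throw new Error("post_logout_redirect_uri is not a registered Sign-out redirect URI");
    params.set("post_logout_redirect_uri", postLogoutRedirectUri);
  }
  return base + "/v1/logout?" + params.toString();
}

// Constructed, unsigned sample token; a real ID token comes from the sign-in flow.
function makeSampleToken(iss) {
  const enc = (o) =>
    btoa(JSON.stringify(o)).replace(/\+/g, "-").replace(/\//g, "_").replace(/=+$/, "");
  return enc({ alg: "RS256" }) + "." + enc({ iss: iss, sub: "user1" }) + ".c2ln";
}

// In the page, redirect the browser itself rather than calling the endpoint with curl/fetch:
//   window.location.assign(buildLogoutUrl(idToken, "https://app.example.com/logout"));
```
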

@andrea,

The logout URL is:

In the Okta Admin Panel:
Sign-out redirect URIs: https://cmsdev.br.ibm.com/mdlStart/index.php/logout

But it still doesn’t redirect. What am I doing wrong?
