Session Logout with Python and Flask - no valid token

My logout function in flask looks like this:

@app.route("/logout")
def logout():
info = oidc.user_getinfo([‘preferred_username’, ‘email’, ‘sub’])
from oauth2client.client import OAuth2Credentials
id_token = OAuth2Credentials.from_json(oidc.credentials_store[info.get(‘sub’)]).token_response[‘id_token’]
print (id_token)
print("AUD: " + oidc.user_getfield(“aud”))
base_url=“https://dev-xxxxxx.okta.com/
logout_url=“oauth2/v1/logout?id_token_hint=”
logout_redirect_url=“http://xxxxxxx:5000/

logout_request = base_url + logout_url + str(id_token) +’&’+ logout_redirect_url

logout_request = base_url + logout_url + str(id_token)
requests.get(logout_request)
print(logout_request)
oidc.logout()
return redirect(url_for(".index"))

But when I try to the generated logout URI from the code I always get 400 bad request invalid token.

A sample token looks like this:

eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJzdWIiOiIwMHVuMXZ4ejBlT1pDMHlEYzM1NiIsIm5hbWUiOiJLZXZpbiBLZWxsZXIiLCJlbWFpbCI6ImtlbGxlcmtldkBnbWFpbC5jb20iLCJ2ZXIiOjEsImlzcyI6Imh0dHBzOi8vZGV2LTUzMjE2Ny5va3RhLmNvbS9vYXV0aDIvZGVmYXVsdCIsImF1ZCI6IjBvYW4xenZ5ZnpxeHdDM0xtMzU2IiwiaWF0IjoxNTU4ODIxNDE3LCJleHAiOjE1NTg4MjUxNDQsImp0aSI6IklELjFMbnlXdlRZbEZDMURLRG1HUGlYN05qZGh0RVhzUjZTNkJPRUVLaU1tZkkiLCJhbXIiOlsicHdkIl0sImlkcCI6IjAwb24xdnh3NExwZXNGbDU2MzU2IiwicHJlZmVycmVkX3VzZXJuYW1lIjoia2VsbGVya2V2QGdtYWlsLmNvbSIsImF1dGhfdGltZSI6MTU1ODgyMTMyNiwiYXRfaGFzaCI6IkQ5cVE2ZnYtelVKUnc2cVBMcUxLb1EifQ.Q6Iwu8Oc0JM4CXT2zXxQHLaTLaXMiAdzIf7bOMBI_4I

Sample generate logout URL:

https://dev-532167.okta.com/oauth2/v1/logout?id_token_hint=eyJraWQiOiJ3YXZJWlI5UW1vNjU3d0tGT1psLWdtY2FicDJVZG9LRnU0Mk05S2tObkx3IiwiYWxnIjoiUlMyNTYifQ.eyJzdWIiOiIwMHVuMXZ4ejBlT1pDMHlEYzM1NiIsIm5hbWUiOiJLZXZpbiBLZWxsZXIiLCJlbWFpbCI6ImtlbGxlcmtldkBnbWFpbC5jb20iLCJ2ZXIiOjEsImlzcyI6Imh0dHBzOi8vZGV2LTUzMjE2Ny5va3RhLmNvbS9vYXV0aDIvZGVmYXVsdCIsImF1ZCI6IjBvYW4xenZ5ZnpxeHdDM0xtMzU2IiwiaWF0IjoxNTU4ODIxNDE3LCJleHAiOjE1NTg4MjUwMTcsImp0aSI6IklELjFMbnlXdlRZbEZDMURLRG1HUGlYN05qZGh0RVhzUjZTNkJPRUVLaU1tZkkiLCJhbXIiOlsicHdkIl0sImlkcCI6IjAwb24xdnh3NExwZXNGbDU2MzU2IiwicHJlZmVycmVkX3VzZXJuYW1lIjoia2VsbGVya2V2QGdtYWlsLmNvbSIsImF1dGhfdGltZSI6MTU1ODgyMTMyNiwiYXRfaGFzaCI6IkQ5cVE2ZnYtelVKUnc2cVBMcUxLb1EifQ.K21jvt_jE87r4D_xI_1bYIM-XWbJcn9M4zRff1HuNfj7htEMG13AbZkqHQAt9jMmz8B91zkjj94bOMHaWNHoP95aDuzH_zhzdjmJiOUuieXijhgEGFGin8pUL47d4cyQpPXshbQ36-1NTIiZyG-AkTBmPgI5I_iwEEorsgFZiFwwNnDPdlPbyQk2YqQ-p2JGniX5_M3ekgnsAHp6kHmFG4Qm2B1jzDi0SlSe3FZR7QubBeMSqsowPgC-hwYJK9NgEwhPMk_8mj5iOlaJ7E8EYF6P2DQI2DIF4E1yAwruWEoex8VdBJIjDqcD4HL--OlFfrBZeSFfUN0opHYUVpA0-Q

What am I doing wrong?

Thanks!

Token content:

{
“sub”: “00un1vxz0eOZC0yDc356”,
“name”: “Kevin Keller”,
“email”: "kellerkev@gmail.com",
“ver”: 1,
“iss”: “https://dev-532167.okta.com/oauth2/default”,
“aud”: “0oan1zvyfzqxwC3Lm356”,
“iat”: 1558821417,
“exp”: 1558825017,
“jti”: “ID.1LnyWvTYlFC1DKDmGPiX7NjdhtEXsR6S6BOEEKiMmfI”,
“amr”: [
“pwd”
],
“idp”: “00on1vxw4LpesFl56356”,
“preferred_username”: "kellerkev@gmail.com",
“auth_time”: 1558821326,
“at_hash”: “D9qQ6fv-zUJRw6qPLqLKoQ”
}

Hi @kbkeller

I see that the issuer in the JWT token is set to “https://dev-532167.okta.com/oauth2/default”. In this case, you would need to use the /logout endpoint of this authorization server, which is

https://dev-532167.okta.com/oauth2/default/v1/logout