Signing out results in Error Code: invalid_token

I’m creating a new Angular app and using the Okta embedded signon widget.
The signon works great, and all the triggers work to indicate the user is successfully logged in. I also see a record of it in the Okta Admin console.

When I try to signoff, by calling the “signOut” method (no parameters) from the OktaAuthService module, I’m getting an error:

400 Bad Request
Identity Provider:
Error Code: invalid_token
Description: The id token is invalid.

Here’s what I see in the network tab when I call signOut():

https://dev-2329998.okta.com/oauth2/v1/logout?id_token_hint=eyJraW****7yCfKl9w&post_logout_redirect_uri=http%3A%2F%2Flocalhost%3A4200%2F

I do have a postLogoutRedirectURL explicitly configured, but I don’t think it’s even getting to that point.

Any help would be appreciated.

Make sure you use the /logout endpoint for the authorization server that generated the token.

Based on the payload of the token you had shared, it looks like the token was issued by the ‘Default’ auth server, so you should use the following logout endpoint: https://dev-2329998.okta.com/oauth2/default/v1/logout
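The point above about matching the /logout endpoint to the authorization server that issued the token, as an added TypeScript example that is not code from the thread or from Okta's SDK: it reads the `iss` claim out of the id token, refuses to build the /logout request when that issuer differs from the one the app was configured with, and maps the issuer to its logout path. Node.js globals (`Buffer`, `URL`), the constructed sample token and all function names are assumptions.

```typescript
// Added example (not from the thread or Okta's SDK): derive /logout from the id
// token's own "iss" claim. Assumes Node.js (Buffer, URL) and Okta's URL layout.
interface IdTokenClaims { iss: string; aud: string; exp: number; [claim: string]: unknown; }

function base64UrlDecode(segment: string): string {
  const base64 = segment.replace(/-/g, "+").replace(/_/g, "/");
  const padded = base64 + "===".slice(0, (4 - (base64.length % 4)) % 4);
  return Buffer.from(padded, "base64").toString("utf8");
}

function base64UrlEncode(value: string): string {
  return Buffer.from(value, "utf8").toString("base64")
    .replace(/\+/g, "-").replace(/\//g, "_").replace(/=+$/, "");
}

// Reads the payload only; the signature is checked server-side at /logout.
function decodeIdTokenClaims(idToken: string): IdTokenClaims {
  const parts = idToken.split(".");
  if (parts.length !== 3) throw new Error("id token must have three segments");
  return JSON.parse(base64UrlDecode(parts[1])) as IdTokenClaims;
}

// Okta layout: custom AS issuer https://{domain}/oauth2/{id} -> {issuer}/v1/logout;
// org AS issuer https://{domain} -> {issuer}/oauth2/v1/logout (the thread's first attempt).
function logoutEndpointFor(issuer: string): string {
  const base = issuer.replace(/\/$/, "");
  return /\/oauth2\/[^\/]+$/.test(base) ? `${base}/v1/logout` : `${base}/oauth2/v1/logout`;
}

// Refuses to build a /logout call against a server that did not issue the token.
function buildLogoutUrl(idToken: string, configuredIssuer: string, postLogoutRedirectUri: string): string {
  const tokenIssuer = decodeIdTokenClaims(idToken).iss.replace(/\/$/, "");
  if (tokenIssuer !== configuredIssuer.replace(/\/$/, "")) {
    throw new Error(`id token issued by ${tokenIssuer}, not by configured issuer ${configuredIssuer}`);
  }
  const url = new URL(logoutEndpointFor(tokenIssuer));
  url.searchParams.set("id_token_hint", idToken);
  url.searchParams.set("post_logout_redirect_uri", postLogoutRedirectUri);
  return url.toString();
}

// Constructed sample token with the thread's issuer and a placeholder signature.
const SAMPLE_ID_TOKEN = [
  base64UrlEncode(JSON.stringify({ kid: "example-kid", alg: "RS256" })),
  base64UrlEncode(JSON.stringify({ sub: "00u-example", aud: "0oa-example",
    iss: "https://dev-2329998.okta.com/oauth2/default", iat: 1626804664, exp: 1626808264 })),
  "placeholder-signature",
].join(".");
```

With the thread's token, `buildLogoutUrl` yields the `/oauth2/default/v1/logout` URL suggested above, and throws if the app is configured against the org authorization server instead.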

I believe I tried using that endpoint but the result was the same.

I checked the configuration of the app on the Okta site and I have http://localhost:4200/logout as the signout URL. I also tried the value you suggested in this case.

In my angular (front end) app, I’m simply calling signOut() on the Okta Service.

When

You should really only see this error if the id token you pass in is somehow invalid.

If you try to manually construct the url after you log into your app in your browser (grabbing the raw JWT string id token from the tokenManager) and then paste the logout url into another tab, do you still experience that error?

I went back and reread the instructions on setting up my app and all the settings. I’m now experimenting with a different app instance, and for now have a different issue (CORS – which makes no sense) but I will start a new thread for that.

Andrea,

I just tried what you suggested.

I copied the id token jwt value from the session and formed the logout URL (see below) and I get the same error. If this ID is indeed invalid, I don’t know what I could do since my code doesn’t ever reason about the tokens returned from Okta.

What I’m trying to do is the following. When a user navigates to our SPA, if they are not logged in, I will route them to the /signin URL. Likewise, after they log out, I want to redirect them back to the /signin URL.

At this point in time, it doesn’t seem to matter what I use for the postLogoutRedirectUri in my OktaConfigOptions. It also seems not to matter what I have for the logout URL in the settings on the Okta Admin page. Right now I just have http://localhost:4200… and routing to that would work just as well as http://localhost:4200/signin.

https://dev-2329998.okta.com/oauth2/v1/logout?id_token_hint=eyJraWQiOiJmaWJ1ZWd0dGxfb0dEdTZ0dm1rcVVDaHlYUU9FeFkxZDdCelBzSzdqcjlNIiwiYWxnIjoiUlMyNTYifQ.eyJzdWIiOiIwMHUxMmc4YnR1NTF5cUVjbjVkNyIsImVtYWlsIjoicHVyZHVldG9tOTBAZ21haWwuY29tIiwidmVyIjoxLCJpc3MiOiJodHRwczovL2Rldi0yMzI5OTk4Lm9rdGEuY29tL29hdXRoMi9kZWZhdWx0IiwiYXVkIjoiMG9hMTJmN3owbXRUdVRCR2Q1ZDciLCJpYXQiOjE2MjY4MDQ2NjQsImV4cCI6MTYyNjgwODI2NCwianRpIjoiSUQubDlObi1rQnlva21CQUFhN3pKTldjUnMwT28zZEt2NGU1eGQtUlFzQ2pCSSIsImFtciI6WyJwd2QiXSwiaWRwIjoiMDBvMTJmMjNvODlzbUw4ZWw1ZDciLCJub25jZSI6InQ3UFlKNEFQVkJsa29NOTJMU29PTVdIa2NXQ1Y1RVBIVDV5c2RlRFVrN3BiWWZwdEZ6Wk9IeEQ2TTBVVmZNaVgiLCJhdXRoX3RpbWUiOjE2MjY4MDQ2NjQsImF0X2hhc2giOiJoeEVseUxDNG5vTS1NT0xJUF9fTElnIn0.cQ7UCnSJcf8ZLBzyrKz5yQBCbTa4MXxKLS21QMORiB7o68MCpfUOroaA3AS1pCNR7P7XBO5-2R6LeuQJzY1N2sizCKYF9rz-OebvUSk57bFrolkzq69Pfp8Wh2njMNt54IJ9U6TNRxRgtIfJB5ygQeFTUr__rhTQy8s107bxBGvYCihJO91OilZOdwCOUegqF8U_-VFdoIl9tHuDbFJtcfTJ2QOHe71MI4Pr2RaBIwxZdnjyq7438krJu75ERYaIGYONOUZLBmNC_d9OG1ONaM-8u-vVwJKMosUV5spRcInd4Z2CRMcRyQroUxutZFfLIOwbWjmYVKtiLEboZGoAIg&post_logout_redirect_uri=http%3A%2F%2Flocalhost%3A4200%2Fsignin

I figured out this issue by examining the possible values for the OktaAuthOptions.
The key/trick was to use the logoutUrl instead of the postLogoutRedirectUri attribute.
When I set logoutUrl to my /signin value, it started to work!

Tom
