What is the logout id_token_hint URL expected format?

Hello,

We are trying to call the OKTA logout from an RP application hosted on Liberty according to

GET https://{baseUrl}/logout?id_token_hint=${id_token}

On Liberty, we correctly get the id_token from the Java application with PropagationHelper.getIdToken(), which returns: IBM Documentation

so, we get :
IDToken:{"sub":"00ud9w82nkjRCpwrB4x6","ver":1,"iss":"https://dev-963731.okta.com/oauth2/default","aud":"0oad9gtv9FahbeG8R4x6","iat":1663770390,"exp":1663773990,"jti":"ID.vchBGwAXzpjTL1M7qasbP-wRP4-Vq_9LqNOKybGc_0Y","amr":["pwd"],"idp":"00od7j6y5NubfhFyJ4x6","auth_time":1663770388,"at_hash":"Xxtl44iGt8jP_kPWC4g01Q","groupIds":["Everyone","BusinessUsers","rtsAdministrators"],"loginName":"mathias.mouly@fr.ibm.com","groups":["BusinessUsers"]}

Now, what is the id_token_hint=${id_token} format?
Is it just a toString()? Is it URL encoded? …

Thanks for your help

id_token_hint takes a raw JWT string, which will look something like “eyJasdasdha89s7dha7sdha.asdasdasdasd.adasdsadsd”. It looks like IBM is spitting out the claims (payload) of the token, but you won’t be able to convert this payload back to a JWT string yourself (since the JWT string contains more than just the payload but also details about how the token was signed).

I’m not familiar with this package, but I noticed there’s a com.ibm.websphere.security.jwt package that does have a method, compact(), that will return a JWT string. Are you able to get the ID Token as a JwtToken instead of as an IdToken within your app so you can use this method?

1 Like
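Added example, not part of the thread and not Okta or IBM code: a plain-JDK (Java 10+) check that a string has the compact JWT shape the answer describes before it is placed in the logout URL from the question. The class and method names, the sample token and the `idp.example` host are constructed for illustration; the check covers shape only and does not verify the signature.

```java
import java.net.URLEncoder;
import java.nio.charset.StandardCharsets;
import java.util.Base64;

public class LogoutHint {
    // True only for the compact form header.payload.signature, where every
    // segment is base64url and the header and payload decode to JSON objects.
    // Shape check only: signature validation is left to the identity provider.
    static boolean isCompactJwt(String s) {
        if (s == null) return false;
        String[] parts = s.split("\\.", -1);
        if (parts.length != 3 || parts[2].isEmpty()) return false;
        try {
            Base64.Decoder dec = Base64.getUrlDecoder();
            String header = new String(dec.decode(parts[0]), StandardCharsets.UTF_8);
            String payload = new String(dec.decode(parts[1]), StandardCharsets.UTF_8);
            dec.decode(parts[2]); // must at least be valid base64url
            return header.trim().startsWith("{") && header.contains("\"alg\"")
                    && payload.trim().startsWith("{");
        } catch (IllegalArgumentException e) {
            return false; // a segment contained non-base64url characters
        }
    }

    // Builds GET {baseUrl}/logout?id_token_hint={jwt}. A compact JWT contains
    // only URL-safe characters, so the encoding step leaves it unchanged.
    static String logoutUrl(String baseUrl, String idToken) {
        if (!isCompactJwt(idToken)) {
            throw new IllegalArgumentException(
                    "id_token_hint must be the compact JWT, not the decoded claims");
        }
        return baseUrl + "/logout?id_token_hint="
                + URLEncoder.encode(idToken, StandardCharsets.UTF_8);
    }

    public static void main(String[] args) {
        Base64.Encoder enc = Base64.getUrlEncoder().withoutPadding();
        // Constructed sample token; the last segment is placeholder bytes, not a real signature.
        String jwt = enc.encodeToString("{\"alg\":\"RS256\"}".getBytes(StandardCharsets.UTF_8))
                + "." + enc.encodeToString("{\"sub\":\"user\"}".getBytes(StandardCharsets.UTF_8))
                + "." + enc.encodeToString(new byte[] {1, 2, 3, 4});
        // Constructed claims dump in the same style as the output shown in the question.
        String claimsDump = "IDToken:{\"sub\":\"user\",\"iss\":\"https://idp.example\"}";

        System.out.println(isCompactJwt(jwt));        // compact form
        System.out.println(isCompactJwt(claimsDump)); // decoded claims
        System.out.println(logoutUrl("https://idp.example", jwt));
    }
}
```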
