According to https://stackoverflow.com/a/42816392/752601, Okta does not yet support OpenID Connect logout. In the meantime, is there any other way that I can log a user out of Okta itself when they click the "Log out" button I have created in my OpenID Connect application?
This is Adrian from Okta support. In order to trigger a "logout" in your web app, you will need to revoke the OpenID token to remove the user session. The session from the application would also need to be removed. If you want to delete the Okta session, you can call DELETE /api/v1/sessions/me along with the token revoke call. There is quite a bit of useful documentation available on our Developer site, if you would like a deeper look into OAuth 2.0 and OIDC:
http://developer.okta.com/docs/api/resources/oauth2.html#openid-connect-and-authorization-servers
http://developer.okta.com/docs/api/resources/sessions.html#close-current-session
Adrian Rahau Support Agent Okta Global Customer Care
Thank you Adrian. To call /api/v1/sessions/me, the Okta session cookie must be set in the browser.
I see that I can obtain a session cookie from the OIDC authorization endpoint ( https://developer.okta.com/use_cases/authentication/session_cookie#retrieving-a-session-cookie-via-openid-connect-authorization-endpoint ), but to do this, I need a session token. The article I just linked says that a session token is obtained through the Authorization API, but I am not using the Authorization API for my site.
My log in flow is this: user clicks log in button on my site -> redirected to Okta login page -> redirected back to my site. How can I get the session token or session cookie under this flow? I have checked my cookies in the Chrome dev tools, and I am not seeing any cookies created by Okta for localhost:8080.
This is Istvan from Okta support. To make the logout happen in your app, you will need to cancel the OpenID token to remove the user's session. You also need to remove the session from the application. In order to delete the Okta session, you need to call DELETE /api/v1/sessions/me along with the token revoke call. Here is some documentation available on the website:
http://developer.okta.com/docs/api/resources/sessions.html#close-current-session
http://developer.okta.com/docs/api/resources/oauth2.html#openid-connect-and-authorization-servers
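The two replies from Adrian and Istvan both describe the same pair of calls: revoke the tokens the app holds, then close the Okta session with DELETE /api/v1/sessions/me. The following is an added browser-side example that is not code from this thread, from Okta's SDKs, or from Okta's documentation. It assumes a placeholder org URL and client id, and it assumes Okta's org authorization server revocation endpoint at POST /oauth2/v1/revoke (RFC 7009 style, form-encoded; a custom authorization server uses a different path). Revocation applies to access and refresh tokens; the ID token is not revocable at that endpoint and is simply discarded from client storage. The session-deletion step only works if the browser sends the Okta session cookie, which lives on the Okta domain rather than on localhost:8080 (which is why it does not show up under that origin in the dev tools), so the request is sent with credentials set to include, and the Okta org has to list the app's origin as a trusted origin for CORS. The request plan is built as plain data so it can be inspected without a network; the executor takes whatever fetch implementation it is given, and a constructed stand-in is used so the file runs under Node offline.

```javascript
// Added example, not from the Okta forum thread or Okta's own code.
// Assumptions: placeholder org URL and client id below; revocation endpoint
// POST {org}/oauth2/v1/revoke (org authorization server, RFC 7009 form body).

const OKTA_ORIGIN = "https://dev-000000.oktapreview.com"; // constructed placeholder org URL
const CLIENT_ID = "0oaEXAMPLECLIENTID";                   // constructed placeholder client id

// Build the ordered list of requests for a logout. Pure function: no I/O, so the
// plan can be inspected and tested without a browser or a network.
function buildLogoutPlan({ oktaOrigin, clientId, accessToken, refreshToken }) {
  const plan = [];

  // Step 1: revoke every token the app still holds. token_type_hint is optional
  // under RFC 7009 but tells the server which store to look in.
  const tokens = [
    ["access_token", accessToken],
    ["refresh_token", refreshToken],
  ];
  for (const [hint, value] of tokens) {
    if (!value) continue; // nothing to revoke for this kind of token
    const body = new URLSearchParams({
      token: value,
      token_type_hint: hint,
      client_id: clientId, // public client: identified by client_id alone
    });
    plan.push({
      url: `${oktaOrigin}/oauth2/v1/revoke`,
      init: {
        method: "POST",
        headers: { "Content-Type": "application/x-www-form-urlencoded" },
        body: body.toString(),
      },
    });
  }

  // Step 2: close the Okta browser session. The Okta session cookie is set on the
  // Okta domain, so a cross-origin request only carries it with credentials: "include",
  // and the Okta org must list this app's origin as a trusted origin for CORS.
  plan.push({
    url: `${oktaOrigin}/api/v1/sessions/me`,
    init: { method: "DELETE", credentials: "include" },
  });

  return plan;
}

// Run the plan in order. Session deletion is still attempted if revocation fails,
// and every outcome is returned so the app can log what actually happened.
async function executeLogout(plan, fetchImpl) {
  const results = [];
  for (const step of plan) {
    try {
      const res = await fetchImpl(step.url, step.init);
      results.push({ url: step.url, ok: res.ok, status: res.status });
    } catch (err) {
      results.push({ url: step.url, ok: false, error: String(err) });
    }
  }
  return results;
}

// True only when every step succeeded; the app should drop its own session and
// its stored id_token regardless, since a logout that keeps them is not a logout.
function allStepsSucceeded(results) {
  return results.every((r) => r.ok);
}

// Constructed stand-in for the browser's fetch so this file runs under Node offline.
// In a page, pass window.fetch instead.
function fakeFetch(url, init) {
  const status = init.method === "DELETE" ? 204 : 200;
  return Promise.resolve({ ok: true, status });
}

if (typeof window === "undefined") {
  const plan = buildLogoutPlan({
    oktaOrigin: OKTA_ORIGIN,
    clientId: CLIENT_ID,
    accessToken: "constructed-access-token",
    refreshToken: "constructed-refresh-token",
  });
  executeLogout(plan, fakeFetch).then((results) => {
    console.log(results, "all ok:", allStepsSucceeded(results));
  });
}
```

In a real page the plan is executed with window.fetch from the "Log out" click handler, and the app's own server-side session is cleared in the same handler; the session-deletion step returning a non-2xx status usually means the Okta cookie was not sent (missing trusted origin, or the cookie's SameSite policy blocked it cross-site) rather than that the session did not exist, so that case is worth surfacing in logs.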