Okta Classic Engine | Authentication | Answered | 2021-08-25T19:39:31.000Z | 2021-08-26T04:03:49.000Z

MartinS.17734 (Customer) asked a question.

Ambassador Logout

Hi,

I have a problem with logout in my web application.

 

I'm using Ambassador as my ingress for my web application that is deployed on K8S, but get an error with the RP-initiated logout. I found this article that mentions that Okta is not fully supported by Ambassador (https://blog.getambassador.io/rp-initiated-logout-security-fixes-and-more-94a04756368c)

 

So I tried to log-out via SLO for OIDC as described here (https://help.okta.com/en/prod/Content/Topics/Apps/Apps_Single_Logout.htm).

 

But when I call GET https://{baseUrl}/logout?id_token_hint=${id_token} with my Okta domain and an ID token I get a 404 error.

 

Any idea what I'm doing wrong or how I could support logout from my web app behind an Ambassador gateway?


  • Hello @MartinS.17734 (Customer)​ 

     

    Following the documentation, the URL looks great.

     

    Now, this is something else that you can check:

     

    The /logout authorization server endpoint requires two parameters to be sent:

    - id_token_hint = an ID token that was issued to the currently logged in user using the current session

    - post_logout_redirect_uri = a URL to send the user to after logging the user out of Okta; this URL also needs to be added in Okta under Admin >> Applications >> your OIDC application >> Logout Redirect URIs

     

    There are two ways to log out the user from the application:

     

    - call the logout method of the SDK used (or delete session manually if a method is not present) and then redirect to Okta's /logout endpoint with post_logout_redirect_uri being the URL to the login page; once the user is logged out from Okta he will arrive back on the login page of your application.

     

    - redirect to Okta's /logout endpoint with post_logout_redirect_uri being the URL for closing the session inside the application; once the user is logged out from Okta, he will be redirected to the logout endpoint on your application's side and, from there, you can redirect him to the login page.

     

    Regards,

     

    Natalia

    Okta Inc.

This question is closed.
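
The logout redirect described in the answer, as an added example (not code from the thread, Okta, or Ambassador): it takes the logout endpoint from the authorization server's OIDC discovery document instead of assembling the path by hand, and only accepts a post_logout_redirect_uri that is on an allowlist mirroring the app's Logout Redirect URIs. The domain `example.okta.com`, the `default` authorization server, the allowlist, the sample token and the optional `state` parameter (from the OIDC RP-Initiated Logout spec) are assumptions.

```javascript
// Constructed sample of /.well-known/openid-configuration for one authorization
// server. "example.okta.com" is a placeholder, not a value from the thread.
const SAMPLE_DISCOVERY = {
  issuer: "https://example.okta.com/oauth2/default",
  end_session_endpoint: "https://example.okta.com/oauth2/default/v1/logout",
};

// Hypothetical allowlist. It must match the "Logout Redirect URIs" configured on
// the OIDC application, otherwise the authorization server rejects the request.
const ALLOWED_POST_LOGOUT_URIS = new Set(["https://app.example.com/login"]);

function buildLogoutUrl(discovery, idToken, postLogoutRedirectUri, state) {
  if (!discovery.end_session_endpoint) {
    throw new Error("discovery document has no end_session_endpoint");
  }
  const endpoint = new URL(discovery.end_session_endpoint);

  // The ID token travels in the query string, so refuse plain HTTP and refuse
  // an endpoint on a different origin than the issuer we trust.
  if (endpoint.protocol !== "https:") {
    throw new Error("logout endpoint must be https");
  }
  if (endpoint.origin !== new URL(discovery.issuer).origin) {
    throw new Error("logout endpoint is not on the issuer's origin");
  }

  // An ID token is a JWT: three base64url segments separated by dots.
  if (!/^[\w-]+\.[\w-]+\.[\w-]+$/.test(idToken)) {
    throw new Error("id_token_hint is not a well-formed JWT");
  }

  // Exact-match allowlist: never forward a caller-supplied return URL as-is.
  if (!ALLOWED_POST_LOGOUT_URIS.has(postLogoutRedirectUri)) {
    throw new Error("post_logout_redirect_uri is not registered");
  }

  // searchParams handles URL-encoding of both values.
  endpoint.searchParams.set("id_token_hint", idToken);
  endpoint.searchParams.set("post_logout_redirect_uri", postLogoutRedirectUri);
  if (state) endpoint.searchParams.set("state", state);
  return endpoint.toString();
}

// Constructed token value, for illustration only.
console.log(buildLogoutUrl(SAMPLE_DISCOVERY, "aaa.bbb.ccc", "https://app.example.com/login"));
```

The application clears its own session before or after this redirect, matching whichever of the two flows in the answer it follows.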