LarryD.25867 (Customer) asked a question.
Okta Sign-in widget - information disclosure
The URL in the request appears to contain a token within the query string. The JSON Web Token can be decoded in order to extract more information about it.
myorg.okta.com/oauth2/default/v1/logout?id_token_hint={VALUE}&post_logout_redirect_uri={VALUE}
e.g. GET /oauth2/default/v1/logout?id_token_hint=<token here>
We pass information from Okta LDAP Agent such as first name, last name, email address, mobile number, etc. These information are viewable.
Hi @LarryD.25867 (Customer) , Thank you for reaching out to the Okta Community!
I've looked into this and it seems that this is how the /logout endpoint works per the OIDC standard, https://openid.net/specs/openid-connect-rpinitiated-1_0.html#RPLogout
My advice would be to reach out to the devforum.okta.com to take advantage of their expertise.
While we'll do our best to answer all of your questions here, this medium is more inclined towards Okta core products.
Hope it helps!