Reputation: 51
So this question is about how to properly logout a user from Okta when your app is hosted on AWS Alb.
App architecture: AngularJs (1.7.9) app running on a node 12 server. Uses Okta OIDC for authentication/authorization.
Okta documentation on logout can be found here: https://developer.okta.com/docs/reference/api/oidc/#logout
It basically says to make a GET request to the logout endpoint and include the ID token and the redirect URL. So basically the request should look like this: https://{oauthserver}/oauth2/v1/logout?id_token_hint={idToken}&post_logout_redirect_uri={directUrl}. This works as advertised when we run the app locally on localhost.
But in the cloud the ALB is responsible for OAuth. All we get are the following headers attached to the request: x-amzn-oidc-accesstoken, x-amzn-oidc-identity and x-amzn-oidc-data. The first is obviously the access token, the second is the username, and the third I thought was the ID token, but it turns out it's not. It's simply the user claims formatted as a JWT that the OAuth server's userinfo endpoint returns. It's explained here: https://docs.aws.amazon.com/elasticloadbalancing/latest/application/listener-authenticate-users.html
It says "The Application Load Balancer authenticates the user and only passes access tokens and claims to the backend but does not pass the ID token information."
So what's the best practice on logging out when your app is behind an AWS ALB that is responsible for OIDC? We cannot hit the Okta logout endpoint without the ID token.
Upvotes: 1
Views: 2026
Reputation: 11430
I was struggling with the same thing and was able to resolve it by forwarding the user to another endpoint that does not require a client ID.
AWSELBAuthSessionCookie-0
https://<org>.okta.com/login/signout?fromURI=http://<trusted hostname of your app>
The result is that the user is logged out and asked to login again.
Upvotes: 2