
Okta logout "invalid_client" error

Open xcabur1 opened this issue 5 years ago • 8 comments

Describe the problem
If I call the vouch-proxy /logout?url=${end_session_endpoint} endpoint with the Okta IdP end_session_endpoint URL, I get an "invalid_client" error:

{"errorCode":"invalid_client","errorSummary":"Invalid value for 'client_id' parameter.","errorLink":"invalid_client","errorId":"oaehsEOpVx2QZm1Q-9EBGxC7A","errorCauses":[]}

Expected behavior
If I call /logout?url=https://dev-1234.okta.com/oauth2/default/v1/logout I should be logged off from vouch-proxy and Okta.

Desktop (please complete the following information):

  • OS: Windows 10 (2004)
  • Browser Edge (Chromium based)
  • Version: current

Additional context
  • vouch config: https://hasteb.in/imojefig.http
  • nginx config: https://hasteb.in/codahuva.nginx
  • vouch log: https://hasteb.in/adefixub.bash
  • nginx log: https://hasteb.in/hoveduzo.coffeescript

xcabur1, Nov 06 '20 17:11

@xcabur1 please provide logs in the manner described in the README

bnfinet, Nov 06 '20 17:11

@bnfinet If you miss the bug_report, can you tell me where the output is located on Windows (the do.sh window closed automatically)? That's the reason why I uploaded and obfuscated the config files manually.

xcabur1, Nov 06 '20 18:11

@xcabur1 I see the config, but I need full logs as per the README

I'm not a Windows user. Could you try running VP on Linux?

bnfinet, Nov 06 '20 19:11

@bnfinet Sorry, I have no Linux system. I can't find any log files and can't find a description in the README of which logs you need. But I added the debug output of the logout request, hope that helps. Let me know if you need more.

xcabur1, Nov 06 '20 20:11

@bnfinet I also provided the nginx log. It looks like the id_token_hint is not provided in the /logout request as described in #258.

xcabur1, Nov 07 '20 09:11

Seems that the token is not stored after #298 (#287). Works after configuring a header for it with the vouch.headers.idtoken.

tmatilai, Nov 13 '20 12:11

@tmatilai nice catch! Can you please post a working config here?

@martindb FYI ^^

I think this is a documentation bug that could be handled with a note in config.yml_example that links to this issue, perhaps along with a log message during config if either oauth.end_session_endpoint or post_logout_redirect_uris is set.

Otherwise we get into something like... If oauth.end_session_endpoint or post_logout_redirect_uris is configured, the idtoken will be carried in the cookie. Not sure that's wise to autoconfigure. Plus it runs counter to the goal of #287, which was to keep the VP cookie small.

bnfinet, Nov 13 '20 14:11

Can you please post a working config here?

The example config for Okta seems correct (except you have to drop default/ part from the URLs unless using API Access Management), and then just uncomment the idtoken line.

I actually played with Docker and env vars:

OAUTH_PROVIDER: oidc
OAUTH_CLIENT_ID: $OKTA_CLIENT_ID
OAUTH_CLIENT_SECRET: $OKTA_CLIENT_SECRET
OAUTH_AUTH_URL: $OKTA_OAUTH_BASE_URL/authorize
OAUTH_TOKEN_URL: $OKTA_OAUTH_BASE_URL/token
OAUTH_USER_INFO_URL: $OKTA_OAUTH_BASE_URL/userinfo
OAUTH_END_SESSION_ENDPOINT: $OKTA_OAUTH_BASE_URL/logout
OAUTH_SCOPES: openid,email,profile
OAUTH_CALLBACK_URL: https://$SERVER_NAME/auth

VOUCH_DOMAINS: $VOUCH_DOMAIN
VOUCH_HEADERS_IDTOKEN: X-Vouch-IdP-IdToken
VOUCH_POST_LOGOUT_REDIRECT_URIS: $OKTA_BASE_URL
VOUCH_JWT_MAXAGE: 5

tmatilai, Nov 13 '20 15:11
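The failure in this thread is an OIDC RP-initiated logout redirect sent without id_token_hint because the id token was no longer kept after #287. The following Go snippet is an added illustration, not vouch-proxy's own code: it builds the end_session_endpoint redirect, refuses to emit one when no id token is available (the condition that produced Okta's "invalid_client"), and checks the post_logout_redirect_uri against the configured allowlist. Type and function names, and the dev-1234.okta.com sample values, are constructed for the example.

```go
package main

import (
	"errors"
	"fmt"
	"net/url"
)

// LogoutConfig mirrors the two settings discussed above (names are assumed).
type LogoutConfig struct {
	EndSessionEndpoint     string   // oauth.end_session_endpoint
	PostLogoutRedirectURIs []string // post_logout_redirect_uris allowlist
}

// ErrNoIDToken signals the situation from this issue: the logout would reach
// the IdP without id_token_hint, which Okta rejects with "invalid_client".
var ErrNoIDToken = errors.New("no id_token available: set vouch.headers.idtoken so the token is retained")

// BuildLogoutURL returns the IdP logout redirect with id_token_hint and, when
// requested, post_logout_redirect_uri. An unknown redirect target is refused so
// the logout endpoint cannot be used as an open redirect.
func BuildLogoutURL(cfg LogoutConfig, idToken, postLogout string) (string, error) {
	if idToken == "" {
		return "", ErrNoIDToken
	}
	if postLogout != "" && !allowed(cfg.PostLogoutRedirectURIs, postLogout) {
		return "", fmt.Errorf("post_logout_redirect_uri %q is not in the allowlist", postLogout)
	}
	u, err := url.Parse(cfg.EndSessionEndpoint)
	if err != nil {
		return "", err
	}
	q := u.Query()
	q.Set("id_token_hint", idToken)
	if postLogout != "" {
		q.Set("post_logout_redirect_uri", postLogout)
	}
	u.RawQuery = q.Encode() // keys are emitted in sorted order
	return u.String(), nil
}

// allowed does an exact-match check against the configured allowlist.
func allowed(list []string, uri string) bool {
	for _, a := range list {
		if a == uri {
			return true
		}
	}
	return false
}

func main() {
	cfg := LogoutConfig{ // constructed sample values
		EndSessionEndpoint:     "https://dev-1234.okta.com/oauth2/v1/logout",
		PostLogoutRedirectURIs: []string{"https://dev-1234.okta.com"},
	}
	fmt.Println(BuildLogoutURL(cfg, "eyJ.constructed.token", "https://dev-1234.okta.com"))
	fmt.Println(BuildLogoutURL(cfg, "", "https://dev-1234.okta.com")) // the bug in this issue
}
```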