Okta logout "invalid_client" error #328

Open
xcabur1 opened this issue Nov 6, 2020 · 8 comments

Comments

@xcabur1

xcabur1 commented Nov 6, 2020

Describe the problem
If I call the vouch-proxy /logout?url=${end_session_endpoint} endpoint with the Okta IdP end_session_endpoint URL, I get an "invalid_client" error:

{"errorCode":"invalid_client","errorSummary":"Invalid value for 'client_id' parameter.","errorLink":"invalid_client","errorId":"oaehsEOpVx2QZm1Q-9EBGxC7A","errorCauses":[]}

Expected behavior
If I call /logout?url=https://dev-1234.okta.com/oauth2/default/v1/logout I should be logged out of vouch-proxy and Okta.

Desktop (please complete the following information):

  • OS: Windows 10 (2004)
  • Browser: Edge (Chromium based)
  • Version: current

Additional context
vouch config: https://hasteb.in/imojefig.http
nginx config: https://hasteb.in/codahuva.nginx
vouch log: https://hasteb.in/adefixub.bash
nginx log: https://hasteb.in/hoveduzo.coffeescript

@bnfinet
Member

bnfinet commented Nov 6, 2020

@xcabur1 please provide logs in the manner described in the README.

@xcabur1
Author

xcabur1 commented Nov 6, 2020

@bnfinet if you are missing the bug_report, can you tell me where the output is located on Windows (the do.sh window closed automatically)? That's the reason why I uploaded and obfuscated the config files manually.

@bnfinet
Member

bnfinet commented Nov 6, 2020

@xcabur1 I see the config, but I need full logs as per the README.

I'm not a Windows user. Could you try running VP on Linux?

@xcabur1
Author

xcabur1 commented Nov 6, 2020

@bnfinet Sorry, I have no Linux system. I can't find any log files and can't find a description in the README of which logs you need. But I added the debug output of the logout request; hope that helps. Let me know if you need more.

@xcabur1
Author

xcabur1 commented Nov 7, 2020

@bnfinet I also provided the nginx log. It looks like the id_token_hint is not provided in the /logout request, as described in #258.

@tmatilai

Seems that the token is not stored after #298 (#287). Works after configuring a header for it with vouch.headers.idtoken.

@bnfinet
Member

bnfinet commented Nov 13, 2020

@tmatilai nice catch! Can you please post a working config here?

@martindb FYI ^^

I think this is a documentation bug that could be handled with a note in config.yml_example that links to this issue, perhaps along with a log message during config if either oauth.end_session_endpoint or post_logout_redirect_uris is set.

Otherwise we get into something like... if oauth.end_session_endpoint or post_logout_redirect_uris is configured, the idtoken will be carried in the cookie. Not sure that's wise to autoconfigure. Plus it runs counter to the goal of #287, which was to keep the VP cookie small.

@tmatilai

> Can you please post a working config here?

The example config for Okta seems correct (except you have to drop the default/ part from the URLs unless using API Access Management), and then just uncomment the idtoken line.

I actually played with Docker and env vars:

OAUTH_PROVIDER: oidc
OAUTH_CLIENT_ID: $OKTA_CLIENT_ID
OAUTH_CLIENT_SECRET: $OKTA_CLIENT_SECRET
OAUTH_AUTH_URL: $OKTA_OAUTH_BASE_URL/authorize
OAUTH_TOKEN_URL: $OKTA_OAUTH_BASE_URL/token
OAUTH_USER_INFO_URL: $OKTA_OAUTH_BASE_URL/userinfo
OAUTH_END_SESSION_ENDPOINT: $OKTA_OAUTH_BASE_URL/logout
OAUTH_SCOPES: openid,email,profile
OAUTH_CALLBACK_URL: https://$SERVER_NAME/auth

VOUCH_DOMAINS: $VOUCH_DOMAIN
VOUCH_HEADERS_IDTOKEN: X-Vouch-IdP-IdToken
VOUCH_POST_LOGOUT_REDIRECT_URIS: $OKTA_BASE_URL
VOUCH_JWT_MAXAGE: 5
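The thread's diagnosis is that /logout fails because no id_token_hint reaches Okta's end-session endpoint once vouch-proxy stops keeping the id token. As an added illustration, not code from vouch-proxy or from anyone in this thread, the Go snippet below shows the two checks a logout handler needs before redirecting a browser to an OIDC end_session_endpoint: an id token must be available to send as id_token_hint, and the post-logout target taken from the request must exactly match a configured post_logout_redirect_uris entry, since forwarding an unchecked url= parameter is an open redirect. The endpoint URL, the token string and the allowlist are constructed sample values, and the function names are this example's own.

```go
package main

import (
	"errors"
	"fmt"
	"net/url"
)

// BuildEndSessionURL builds an OIDC RP-Initiated Logout redirect.
// It refuses to proceed without an id token (the failure mode in this
// issue: the IdP is asked to log out with no id_token_hint) and only
// forwards a post_logout_redirect_uri that exactly matches an allowlist
// entry. Example code, not vouch-proxy's own implementation.
func BuildEndSessionURL(endSessionEndpoint, idToken, requestedRedirect string, allowed []string) (string, error) {
	if idToken == "" {
		return "", errors.New("no id token available for id_token_hint; keep the token (e.g. vouch.headers.idtoken) so /logout can send it")
	}
	base, err := url.Parse(endSessionEndpoint)
	if err != nil || base.Scheme != "https" || base.Host == "" {
		return "", fmt.Errorf("end_session_endpoint must be an absolute https URL, got %q", endSessionEndpoint)
	}
	q := base.Query()
	q.Set("id_token_hint", idToken)
	if requestedRedirect != "" {
		if !IsAllowedRedirect(requestedRedirect, allowed) {
			return "", fmt.Errorf("post_logout_redirect_uri %q is not in the configured allowlist", requestedRedirect)
		}
		q.Set("post_logout_redirect_uri", requestedRedirect)
	}
	base.RawQuery = q.Encode()
	return base.String(), nil
}

// IsAllowedRedirect accepts a redirect target only if it is an absolute https
// URL with no userinfo, query or fragment, and its scheme, host and path equal
// those of an allowlisted URI. Prefix or substring matching is deliberately
// avoided: "https://idp.example/.attacker.example" would pass a prefix check.
func IsAllowedRedirect(requested string, allowed []string) bool {
	r, err := url.Parse(requested)
	if err != nil || r.Scheme != "https" || r.Host == "" || r.User != nil || r.RawQuery != "" || r.Fragment != "" {
		return false
	}
	for _, a := range allowed {
		p, err := url.Parse(a)
		if err != nil {
			continue
		}
		if p.Scheme == r.Scheme && p.Host == r.Host && p.Path == r.Path {
			return true
		}
	}
	return false
}

func main() {
	// Constructed sample values; the token is a placeholder, not a real JWT.
	endpoint := "https://dev-1234.okta.com/oauth2/v1/logout"
	allowlist := []string{"https://dev-1234.okta.com/"}

	// No id token kept (the situation in this issue): refuse rather than
	// send a logout request the IdP will reject.
	if _, err := BuildEndSessionURL(endpoint, "", "https://dev-1234.okta.com/", allowlist); err != nil {
		fmt.Println("without id token:", err)
	}

	// Token present and redirect allowlisted: a complete end-session URL.
	u, err := BuildEndSessionURL(endpoint, "eyJ.constructed.token", "https://dev-1234.okta.com/", allowlist)
	fmt.Println(u, err)

	// Token present but redirect not allowlisted: open redirect blocked.
	_, err = BuildEndSessionURL(endpoint, "eyJ.constructed.token", "https://attacker.example/", allowlist)
	fmt.Println("disallowed redirect:", err)
}
```

The allowlist comparison mirrors how post_logout_redirect_uris is meant to be used: a registered URI is matched as a whole, not as a prefix, and the url= value should only ever be echoed to the IdP after that check.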
