Description
When using an external OIDC provider (e.g., Okta with a custom authorization server), logout fails with a 400 Bad Request error because the id_token_hint parameter is not included in the logout request.
Environment:
- Squidex version: 7.x
- OIDC Provider: Okta (custom authorization server)
- Configuration: SaveTokens = true is set in OidcServices.cs
Steps to Reproduce:
- Configure Squidex with an external OIDC provider (Okta)
- Login via Okta successfully
- Click logout
- Observe 400 Bad Request from Okta's /oauth2/default/v1/logout endpoint
Expected Behavior:
The logout request should include the id_token_hint parameter, and the user should be logged out of both Squidex and the OIDC provider.
Actual Behavior:
Logout request URL:
https://{okta-domain}/oauth2/default/v1/logout?post_logout_redirect_uri=...&state=...
Missing: id_token_hint parameter
Okta returns 400 Bad Request because custom authorization servers require id_token_hint.
Root Cause Analysis
The issue is in how Squidex handles the OIDC authentication flow:
- User authenticates with external OIDC provider
- TokenValidated event fires - tokens are available here
- Squidex's AccountController.ExternalCallback creates a local Identity session
- The external OIDC tokens are discarded - they don't persist to the local session
- At logout, GetTokenAsync("id_token") returns null because the local session doesn't have the external tokens
Even with SaveTokens = true, the tokens are only temporarily available during the authentication callback. Once Squidex creates its own session via SignInManager.ExternalLoginSignInAsync(), the external tokens are lost.
Our current solution is to store the id_token in a cookie.
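As an added example (not Squidex's code), one way to keep the external id_token through the Identity sign-in described above and supply it as id_token_hint at logout, using only ASP.NET Core Identity and OpenIdConnect handler APIs. It assumes the OIDC handler is registered under the scheme name "oidc" with SaveTokens = true; the scheme name, the IdentityUser type and the controller shape are assumptions.

```csharp
using System.Threading.Tasks;
using Microsoft.AspNetCore.Authentication;
using Microsoft.AspNetCore.Authentication.OpenIdConnect;
using Microsoft.AspNetCore.Identity;
using Microsoft.AspNetCore.Mvc;
using Microsoft.IdentityModel.Protocols.OpenIdConnect;
// Wire-up (assumed): services.AddAuthentication().AddOpenIdConnect("oidc", o =>
// {
//     o.SaveTokens = true;
//     // During a combined sign-out the handler looks for id_token in its SignOutScheme
//     // cookie, which is already gone, so take the hint from the properties passed to SignOut().
//     o.Events.OnRedirectToIdentityProviderForSignOut = ctx =>
//     {
//         ctx.ProtocolMessage.IdTokenHint ??= ctx.Properties.GetTokenValue(OpenIdConnectParameterNames.IdToken);
//         return Task.CompletedTask;
//     };
// });
public class AccountController : Controller
{
    private const string OidcScheme = "oidc"; // assumed scheme name
    private readonly SignInManager<IdentityUser> _signIn;
    private readonly UserManager<IdentityUser> _users;
    public AccountController(SignInManager<IdentityUser> signIn, UserManager<IdentityUser> users)
    { _signIn = signIn; _users = users; }

    // Callback: ExternalLoginSignInAsync would drop the provider tokens, so copy them from the
    // external cookie into the properties of the local Identity cookie. That cookie is
    // data-protected, so the raw id_token is never readable by the browser.
    public async Task<IActionResult> ExternalCallback()
    {
        var info = await _signIn.GetExternalLoginInfoAsync();
        if (info == null) return RedirectToAction("Login");
        var user = await _users.FindByLoginAsync(info.LoginProvider, info.ProviderKey);
        if (user == null) return RedirectToAction("Login"); // user provisioning omitted
        var props = new AuthenticationProperties { IsPersistent = false };
        props.StoreTokens(info.AuthenticationTokens); // id_token, access_token, ... from SaveTokens
        await _signIn.SignInAsync(user, props);
        await HttpContext.SignOutAsync(IdentityConstants.ExternalScheme);
        return RedirectToAction("Index", "Home");
    }

    // Logout: read id_token while the local session still exists, then hand it to the OIDC handler.
    public async Task<IActionResult> Logout()
    {
        var idToken = await HttpContext.GetTokenAsync(OpenIdConnectParameterNames.IdToken);
        var props = new AuthenticationProperties { RedirectUri = Url.Action("Index", "Home") };
        if (!string.IsNullOrEmpty(idToken))
            props.StoreTokens(new[] { new AuthenticationToken { Name = OpenIdConnectParameterNames.IdToken, Value = idToken } });
        return SignOut(props, IdentityConstants.ApplicationScheme, OidcScheme);
    }
}
```

Carrying the tokens inside the Identity cookie increases its size; if that matters, SignInManager.UpdateExternalAuthenticationTokensAsync(info) persists them server-side in the user store instead, and UserManager.GetAuthenticationTokenAsync can read the id_token back at logout.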