By: Keven Lefebvre user 31 Jan 2019 at 10:41 a.m. CST

1 Response
Hi,

In our use case, we don't need/use the access token. However, if I don't include it in my requested Response Types (`oxauth/restv1/authorize?response_type=id_token&...`), when I log out (`oxauth/restv1/end_session?id_token_hint={id_token}&post_logout_redirect_uri={logout_uri}`), I'm getting an `invalid_grant_and_session` error.

```json
{
  "error": "invalid_grant_and_session",
  "error_description": "The provided access token and session state are invalid or were issued to another client.",
  "reason": "id_token_hint is not valid. Logout is rejected. id_token_hint can be skipped or otherwise valid value must be provided."
}
```

Is this a bug?

By Javier Rojas staff 31 Jan 2019 at 7:26 p.m. CST

Hello Keven,

Your call with params id_token_hint and post_logout_redirect_uri should work fine if you are performing a browser redirect because it will include the session_id cookie automatically. I guess you are not performing a browser redirect, and in this case you can pass the session_id as a parameter (you get the session_id from the authorization response):

```
-------------------------------------------------------
REQUEST:
-------------------------------------------------------
GET /restv1/end_session?id_token_hint=eyJraWQiOiJmZDgyNjBhZS1hZDg0LTQ1ZGMtYTI2MS0yMGE3NzVjYWQ4ZDAiLCJ0eXAiOiJKV1QiLCJhbGciOiJSUzI1NiJ9.eyJpc3MiOiJodHRwczovL2NlLmdsdXUuaW5mbzo4NDQzIiwiYXVkIjoiQCE5MENDLjJFMzguNzc0Qy42MTBCITAwMDEhRkQzQi5CMEEwITAwMDghRkE4RC44RDk4LkQ2RjIuNDU5OSIsImV4cCI6MTU0ODk4NzU2OCwiaWF0IjoxNTQ4OTgzOTY4LCJub25jZSI6ImQxNzMxMGZjLTBmYmMtNDQxNi1iMmUwLWRmODBiYjQ2NTU1MiIsImF1dGhfdGltZSI6MTU0ODk4Mzk2NywiYXRfaGFzaCI6ImI2NmpjaGUyQnZoZlVIejY0X2RWTWciLCJveE9wZW5JRENvbm5lY3RWZXJzaW9uIjoib3BlbmlkY29ubmVjdC0xLjAiLCJzdWIiOiJuODZ6bjNQOV9MeUlybUZtOWoxTHEzcTNueVpfaDNYbl9Mb3VWd2s1REhNIn0.RJwibX6PcY6oKvSZHvZyg1wh0yfyjbpi3XyVp4DbG_kkXdIQNTiXqQA2fV4B6xTU0v2c4N0MAMVSaSRyCWsCh3WBH3faVrtCmesR-nkM2k4f5e0WUXAL_Ed73HWPmDj5vvCMV7dLSsEbFfDYjMrulvaXPfeSMDn8wcDFf7TP06wx66Nxm2JnNTZi3AtVBra4-CdorpHT5fPepBkfCQnEykn_sa3H5LR0lG0UbO_3CXsyaJsYEFOANCBIg3jiR2NgjJyBPDZq-1qXRiviYlUqVeB3HW2f6Jpeu9b9UXiyF7rFda65me6imGc2wPLwqDMiDWVy4EQr1UzqKkkov2ju0A&post_logout_redirect_uri=https%3A%2F%2Fclient.example.com%2Fpl&session_id=3ea051df-59c9-47d6-8d44-548bf044d570 HTTP/1.1
Host: ce.gluu.info

-------------------------------------------------------
RESPONSE:
-------------------------------------------------------
HTTP/1.1 200
Cache-Control: no-transform, no-store
Content-Length: 301
Content-Type: text/html
Expires: Thu, 01 Jan 1970 00:00:00 GMT
Pragma: no-cache
Server: Jetty(9.4.11.v20180605)
Set-Cookie: consent_session_id=;Path=/;Expires=Thu, 01-Jan-1970 00:00:00 GMT;Max-Age=0

<!DOCTYPE html><html><head><pre>window.onload=function() {window.location='https://client.example.com/pl'}</pre><title>Gluu Generated logout page</title></head><body>Logout requests sent.<br/><iframe height="0" width="0" src="https://ce.gluu.info:8443/oxauth-rp/home.htm"></iframe></body></html>
```

Best Regards
-- Javier
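The logout request described in the reply above, as an added example that is not part of the original thread or Gluu's own code: it reads `id_token` and `session_id` from an authorization response and builds the `end_session` URL for a client that is not doing a browser redirect. The host `op.example.com`, the token and session values, and the assumption that the `response_type=id_token` response carries both parameters in the URL fragment are constructed for illustration.

```python
from urllib.parse import urlsplit, parse_qs, urlencode

# Parameters the logout call needs from the authorization response.
REQUIRED = ("id_token", "session_id")


def parse_authorization_response(redirect_url):
    """Extract parameters from the redirect back to the client.

    Assumption: with response_type=id_token the parameters arrive in the
    URL fragment; the query string is used as a fallback.
    """
    parts = urlsplit(redirect_url)
    raw = parse_qs(parts.fragment or parts.query)
    params = {key: values[0] for key, values in raw.items()}
    if "error" in params:
        raise ValueError("authorization failed: " + params["error"])
    missing = [key for key in REQUIRED if not params.get(key)]
    if missing:
        raise ValueError("authorization response lacks: " + ", ".join(missing))
    return params


def build_end_session_url(end_session_endpoint, auth_params, post_logout_redirect_uri):
    """Build the logout URL, passing session_id explicitly because no
    browser is present to send the session_id cookie."""
    query = {
        "id_token_hint": auth_params["id_token"],
        "post_logout_redirect_uri": post_logout_redirect_uri,
        "session_id": auth_params["session_id"],
    }
    return end_session_endpoint + "?" + urlencode(query)


# Constructed sample redirect; the token and session_id are placeholders.
SAMPLE_REDIRECT = (
    "https://client.example.com/cb#id_token=aaa.bbb.ccc"
    "&session_id=00000000-0000-4000-8000-000000000000&state=xyz"
)

if __name__ == "__main__":
    params = parse_authorization_response(SAMPLE_REDIRECT)
    print(build_end_session_url(
        "https://op.example.com/oxauth/restv1/end_session",
        params,
        "https://client.example.com/pl",
    ))
```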