This article explains why OpenID Connect (OIDC) and OAuth 2.0 access and refresh tokens become inactive after a user selects the End all sessions button on their dashboard. This happens even when the tokens have not yet expired.
Applies to:
- Okta Identity Engine
- Okta Classic Engine

Topics:
- Session Management
- End all sessions
- Sign me out of all other devices
- OAuth
- OIDC
The End all sessions button on the dashboard calls the /idp/myaccount/sessions API endpoint. As described in the Sessions API documentation, this endpoint is designed to delete all of the user's sessions, revoke all active identity provider (IdP) sessions, and revoke every OIDC and OAuth 2.0 refresh and access token issued to that user, regardless of the tokens' remaining lifetime. A client holding one of these tokens therefore sees it rejected (for example, the introspection endpoint reports it as inactive) even though its exp claim is still in the future, and a refresh attempt fails as well, because the refresh token was revoked at the same time.
This behavior is not currently configurable. To submit an idea as a feature request for consideration in the Okta Product Roadmap, see the article How to Submit a Feature or Enhancement Request using Okta Ideas.
The following workarounds can reduce the impact of this behavior:
- Educate users to select End all sessions only when they suspect their account has been compromised, since it invalidates every token issued to them, including tokens held by integrations they may not be aware of.
- Use a separate, dedicated user account to authorize API requests, so that tokens used by integrations are isolated from the sessions of human users' dashboards. Note that tokens issued to the dedicated account are still revoked if End all sessions is invoked for that account.
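The behavior described above (a token rejected before its expiry because End all sessions revoked it, and a refresh that fails for the same reason) is something a client should detect and handle rather than retry. The following is an added example, not Okta's own code or part of the original article. It checks a token against the OAuth 2.0 introspection endpoint, tells a revocation apart from a normal expiry by comparing the JWT's exp claim with the introspection result, and decides whether the client should refresh or send the user back through the authorization flow. The issuer URL, client ID and client secret are placeholders; the injectable `transport` argument and the `sample_jwt` helper exist only so the example can run offline against constructed data.

```python
"""Detecting tokens revoked by End all sessions and choosing the recovery step.

Added example; not Okta's own code. ISSUER, CLIENT_ID and CLIENT_SECRET are
placeholders for a real org and a confidential OIDC client.
"""
import base64
import json
import urllib.request
from urllib.parse import urlencode

ISSUER = "https://dev-000000.okta.com/oauth2/default"  # placeholder authorization server
CLIENT_ID = "0oaexampleclientid"                        # placeholder
CLIENT_SECRET = "example-client-secret"                 # placeholder


def _b64url_decode(part: str) -> bytes:
    return base64.urlsafe_b64decode(part + "=" * (-len(part) % 4))


def jwt_exp(token: str):
    """Return the exp claim of a JWT without verifying it, or None for opaque tokens.

    This is only used to tell a normal expiry from a revocation. Never trust
    any other claim read from an unverified token.
    """
    parts = token.split(".")
    if len(parts) != 3:
        return None
    try:
        claims = json.loads(_b64url_decode(parts[1]))
    except (ValueError, UnicodeDecodeError):
        return None
    return claims.get("exp")


def _urllib_post(url: str, data: bytes, headers: dict) -> bytes:
    req = urllib.request.Request(url, data=data, headers=headers, method="POST")
    with urllib.request.urlopen(req, timeout=10) as resp:
        return resp.read()


def introspect(token: str, token_type_hint: str = "access_token",
               transport=_urllib_post) -> dict:
    """Ask the authorization server whether a token is still active (RFC 7662).

    The server answers {"active": false} for a token that End all sessions
    revoked, exactly as it does for one that has merely expired, so the caller
    combines this with jwt_exp() to tell the two cases apart.
    """
    creds = base64.b64encode(f"{CLIENT_ID}:{CLIENT_SECRET}".encode()).decode()
    headers = {
        "Authorization": f"Basic {creds}",
        "Content-Type": "application/x-www-form-urlencoded",
        "Accept": "application/json",
    }
    body = urlencode({"token": token, "token_type_hint": token_type_hint}).encode()
    return json.loads(transport(f"{ISSUER}/v1/introspect", body, headers))


def classify(token: str, introspection: dict, now: int) -> str:
    """Return 'valid', 'expired', 'revoked' or 'inactive' (opaque token, reason unknown)."""
    if introspection.get("active") is True:
        return "valid"
    exp = jwt_exp(token)
    if exp is None:
        return "inactive"  # opaque token such as a refresh token: no exp to compare
    return "expired" if exp <= now else "revoked"


def next_action(access_state: str, refresh_state: str) -> str:
    """Decide the client's next step from the state of its two tokens.

    After End all sessions the access and refresh tokens are revoked together,
    so a refresh attempt is wasted: go straight back to the authorization flow.
    """
    if access_state == "valid":
        return "use_access_token"
    if refresh_state == "valid":
        return "refresh"
    return "reauthorize"


def sample_jwt(exp: int) -> str:
    """Constructed, unsigned JWT used only as sample input for the demo below."""
    header = base64.urlsafe_b64encode(b'{"alg":"none"}').rstrip(b"=").decode()
    payload = base64.urlsafe_b64encode(json.dumps({"exp": exp}).encode()).rstrip(b"=").decode()
    return f"{header}.{payload}."


if __name__ == "__main__":
    # Offline demo with a canned introspection reply standing in for the server.
    now = 1_700_000_000
    canned = lambda url, data, headers: b'{"active": false}'
    access = classify(sample_jwt(now + 3600), introspect(sample_jwt(now + 3600), transport=canned), now)
    refresh = classify("opaque-refresh-token", introspect("opaque-refresh-token", "refresh_token", transport=canned), now)
    print(access, refresh, next_action(access, refresh))
```

The key point is the "revoked" branch: an access token whose exp is still in the future but that introspection reports as inactive is the signature of End all sessions (or an explicit revocation), and in that case the client should not loop on the refresh grant.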
