Using the /logout Endpoint and Revoking User Tokens
API Access Management
Okta Classic Engine
Okta Identity Engine
Overview

This article explains what happens to still-active access tokens and refresh tokens after the /logout endpoint is used to sign a user out, and why a separate call to the /revoke endpoint is required to invalidate them.

Applies To
  • OpenID Connect
  • OAuth tokens
  • Logging users out
Cause

Logout and revocation do different things:

  • /revoke: Invalidates the submitted access token or refresh token on the Okta server so it can no longer be used, for example at the /userinfo endpoint.
  • /logout: Ends the user's Okta session. It does not touch tokens that have already been issued.

The tokens remain valid after logout because nothing revoked them. Calling /logout ends the Okta session (the session cookie Okta set in the browser and the corresponding session on Okta's side) but does not invalidate access or refresh tokens that were already issued. If those tokens have a long lifetime and no revocation was triggered, the access token can still be presented to the /userinfo endpoint (or to any resource server that accepts it) until it expires, and the refresh token can still be exchanged for new access tokens.

Solution

A separate call to the /revoke endpoint is needed to invalidate the access token (and the refresh token, if one was issued). Make that call before redirecting the browser to /logout, while the application still holds the tokens.

Okta SDKs often combine these steps in a single method. For example, the okta-auth-js signOut() method, with its default options, revokes the user's access and refresh tokens and then ends the user's Okta and application sessions.
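For applications that do not use an Okta SDK, the following is an added example (not code from this article or from Okta) of the order of operations the Cause and Solution sections describe: revoke the refresh token and the access token at /revoke, check that each revocation returned 200, and only then build the /logout URL the browser is sent to. The issuer URL, client ID and token strings are hypothetical, and fetch is injected so the flow can be exercised offline with a recording stub.

```javascript
// Added example, not from the Okta article. Revokes tokens at /v1/revoke, then
// builds the /v1/logout URL. Network access is injected (fetchImpl) so it runs offline.
// ISSUER, the client ID and every token string below are hypothetical values.

const ISSUER = "https://example.okta.com/oauth2/default"; // hypothetical authorization server

// Build an RFC 7009 revocation request for Okta's /v1/revoke endpoint.
// Public clients (SPAs, native apps) send client_id in the form body; confidential
// clients authenticate with HTTP Basic (client_id:client_secret) instead.
function buildRevokeRequest(issuer, token, tokenTypeHint, clientId, clientSecret) {
  const body = new URLSearchParams({ token, token_type_hint: tokenTypeHint });
  const headers = { "Content-Type": "application/x-www-form-urlencoded" };
  if (clientSecret) {
    headers.Authorization =
      "Basic " + Buffer.from(`${clientId}:${clientSecret}`).toString("base64");
  } else {
    body.set("client_id", clientId);
  }
  return { url: `${issuer}/v1/revoke`, method: "POST", headers, body: body.toString() };
}

// Build the /v1/logout URL that ends the Okta session. id_token_hint identifies the
// session to end; post_logout_redirect_uri must be registered on the application.
function buildLogoutUrl(issuer, idToken, postLogoutRedirectUri, state) {
  const url = new URL(`${issuer}/v1/logout`);
  url.searchParams.set("id_token_hint", idToken);
  if (postLogoutRedirectUri) url.searchParams.set("post_logout_redirect_uri", postLogoutRedirectUri);
  if (state) url.searchParams.set("state", state);
  return url.toString();
}

// Full sign-out: revoke the refresh token and the access token first, then return the
// /logout URL to redirect to. Revocation goes first because once the browser has been
// sent to /logout the application no longer has a chance to retry a failed revocation.
async function signOut(fetchImpl, opts) {
  const { issuer, clientId, clientSecret, accessToken, refreshToken, idToken,
          postLogoutRedirectUri, state } = opts;
  const revoked = [];
  const toRevoke = [
    ["refresh_token", refreshToken],
    ["access_token", accessToken],
  ].filter(([, t]) => Boolean(t));
  for (const [hint, token] of toRevoke) {
    const req = buildRevokeRequest(issuer, token, hint, clientId, clientSecret);
    const res = await fetchImpl(req.url, { method: req.method, headers: req.headers, body: req.body });
    // RFC 7009: the server answers 200 even for unknown or expired tokens, so any other
    // status is a real failure (bad client credentials, wrong issuer) and we stop here
    // instead of proceeding to /logout with live tokens still outstanding.
    if (!res.ok) throw new Error(`revocation of ${hint} failed with HTTP ${res.status}`);
    revoked.push(hint);
  }
  return { revoked, logoutUrl: buildLogoutUrl(issuer, idToken, postLogoutRedirectUri, state) };
}

// Recording stub standing in for fetch: logs each request and answers 200 (empty body).
function makeRecordingFetch(log) {
  return async (url, init) => {
    log.push({ url, ...init });
    return { ok: true, status: 200 };
  };
}

// Demo run with constructed (fake) token strings.
(async () => {
  const calls = [];
  const result = await signOut(makeRecordingFetch(calls), {
    issuer: ISSUER,
    clientId: "0oaexampleclientid",          // hypothetical public client
    accessToken: "eyJ.access.fake",          // constructed
    refreshToken: "fake_refresh_token",      // constructed
    idToken: "eyJ.id.fake",                  // constructed
    postLogoutRedirectUri: "https://app.example.com/",
  });
  console.log("revoked:", result.revoked.join(", "));
  console.log("revoke calls:", calls.map((c) => c.body));
  console.log("redirect to:", result.logoutUrl);
})();
```

Revoking the refresh token first matters: if the access token revocation fails part-way, the client at least can no longer mint new access tokens. Keep the client secret out of browser code; the Basic-auth branch is for a confidential client running server side.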


NOTE: This article does not cover Native Single Sign-On (SSO) and applies only to OAuth flows.

