l9lys (l9lys) asked a question.
Hello, just looking for peer review of the following, since I'm relatively new to Okta. Advice appreciated in advance.
Here is the background: We have paid for Okta and are setting it up to use in a scenario where we have at least two applications, a main application (call this "main") and a few related applications (such as our "social" app). Everything is a web app. We would like people to sign-in at a common login screen and then sign-out from any number of places, but for all apps (main and social) to know about it when they do. Any user of "main" is a user of "social" (i.e., we have no need to restrict people to "social").
Ideally: We would use the sign-in widget hosted on "main" for the common login screen. Users who went directly to "social" without having been authenticated first would be redirected to this common screen, which upon login would redirect back to the "social" page that triggered the identity check in the first place. Logging out from either social or main would trigger the invalidation of access tokens to either. When logged in, we prefer our user have access to "main" and "social", but we would prefer they not be able to go to <domain>.okta.com and see their profile on Okta.
Questions:
1) Should we create one or two apps in Okta? One seems to make the most sense, but I'm curious if anyone thinks otherwise.
2) Our flow would be: user signs into common screen on main, posts authorization code to main (say to main/auth), which in turn runs server side code to obtain OIDC access, ID, and refresh tokens, using client secret. We cache these tokens. We now know that user has authenticated and we know when access should expire. Since we (hope to) control the logout experience, we can always invalidate these later ourselves. Am I right?
3) We will occassionally use refresh token to renew access token and get updated refresh token. Does this seem reasonable?
4) When user logs out of either "social" or "main", it would ideally call main/logout. This would call an Okta API to delete all user sessions and also dump the cache of access/ID/refresh tokens. One issue here is that "social" is not an app we've built and they want to integrate using Oauth2 JWT SSO. I do not know enough about OAuth2, but how can we force such an integtration to notify us upon logout? I do not mind if they don't call us directly, but I'm hoping that at least Okta will subsequently call us, is that possible?
5) How do we prevent the user from accessing Okta.com and seeing their profile while logged in?
If you have any other suggestions about *how* we should do this that differs from the above, I would sure appreciate the input.
Thanks very much
Roger,
To briefly answer your questions:
1) You should only need to create one application in Okta, so that your social app relies on session existence from the main app.
2) Yes, you can use the endpoints to revoke the tokens or rely on a logout method from an Okta SDK.
3) Yes.
4) You can add event hooks to certain events, https://developer.okta.com/docs/reference/api/event-types/?q=event-hook-eligible. You cannot add them to token revocation, but you can add them to user logout, user.session.end
5) There is no way to prevent users from accessing the okta.com domain while logged in.
-- Andrea