
ouwck (ouwck) asked a question.
Hello,
I'm having trouble correctly revoking an access token.
In the FE application we use @okta/okta-react and @okta/okta-signin-widget.
For the BE part we use @okta/okta-sdk-nodejs and @okta/jwt-verifier.
Everything works fine, from login to logout, except for token invalidation. Once the user is logged out (using authService.logout) he can no longer navigate through the website, but if specific resources are requested from the backend using the user's assigned access token (where the token is validated using the OktaJwtVerifier service), the token still appears to be active.
In order to invalidate the token I've tried
- using authService.logout with revokeAccessToken set to true and passing the session token to the token field;
- calling the revoke endpoint directly (which returns 200);
but in both cases, when calling the verifyAccessToken method of the OktaJwtVerifier service with the token that is supposed to be revoked, it looks like the token still has a valid signature.
How can I make sure the user session token is correctly invalidated after signing him out?
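
The behaviour described above follows from access tokens being self-contained JWTs: revoking one at the authorization server does not alter its signature, so a purely local check such as OktaJwtVerifier's verifyAccessToken keeps accepting it until it expires. The only way to learn about revocation is to ask the server through the OAuth 2.0 token introspection endpoint (RFC 7662). The following Node.js example is added here and is not code from the original post or from Okta's SDKs; it assumes Node 18+ (global fetch), an org-style issuer such as https://example.okta.com/oauth2/default (constructed), and a `verifyLocally` callback into which the real verifyAccessToken would be plugged.

```javascript
// Added example (not from the original post): after the local JWT check passes,
// ask the authorization server whether the token is still active. Revocation
// never changes a JWT's signature, so only introspection can report it.

// Build the introspection request. A confidential client authenticates with
// HTTP Basic auth; a public (SPA) client sends client_id in the body instead.
function buildIntrospectRequest({ issuer, clientId, clientSecret, token }) {
  const url = `${issuer.replace(/\/$/, '')}/v1/introspect`;
  const body = new URLSearchParams({ token, token_type_hint: 'access_token' });
  const headers = {
    'Content-Type': 'application/x-www-form-urlencoded',
    Accept: 'application/json',
  };
  if (clientSecret) {
    headers.Authorization =
      'Basic ' + Buffer.from(`${clientId}:${clientSecret}`).toString('base64');
  } else {
    body.set('client_id', clientId);
  }
  return { url, options: { method: 'POST', headers, body: body.toString() } };
}

// `active` is the one field RFC 7662 guarantees; false or missing means the
// token is expired or revoked. A subject mismatch against the locally verified
// claims is also treated as a rejection.
function tokenIsActive(introspection, verifiedClaims) {
  if (!introspection || introspection.active !== true) return false;
  if (verifiedClaims && introspection.sub && introspection.sub !== verifiedClaims.sub) return false;
  return true;
}

// Full check: local signature/claims verification (inject OktaJwtVerifier's
// verifyAccessToken as `verifyLocally`; it rejects on a bad signature or
// expiry and resolves to an object with `.claims`), then a live introspection.
async function checkAccessToken(token, { issuer, clientId, clientSecret, verifyLocally, fetchImpl = fetch }) {
  const jwt = await verifyLocally(token);
  const { url, options } = buildIntrospectRequest({ issuer, clientId, clientSecret, token });
  const resp = await fetchImpl(url, options);
  if (!resp.ok) throw new Error(`introspect failed: HTTP ${resp.status}`);
  const introspection = await resp.json();
  return { allowed: tokenIsActive(introspection, jwt.claims), claims: jwt.claims };
}

// Constructed stand-in for the authorization server: one token has been revoked.
const REVOKED_TOKENS = new Set(['tok-revoked']);
async function fakeFetch(url, options) {
  const sent = new URLSearchParams(options.body);
  const active = !REVOKED_TOKENS.has(sent.get('token'));
  return { ok: true, status: 200, json: async () => ({ active, sub: 'user@example.com' }) };
}
```

Introspection adds a network round trip per request; the usual trade-off is to keep access-token lifetimes short and introspect only for sensitive operations, or to cache the `active` result for a few seconds.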

Hello Pasquale,
Feel free to post this question on our Okta Developer Forums: https://devforum.okta.com, and they should be able to help you with this.
Thanks!
Tim
Okta, Inc.