
SubramanianR.57217 (Customer) asked a question.
1. I used the steps given in https://github.com/okta/okta-oidc-android#Sign-in-with-a-browser to sign in to my Android app.
2. I used People -> More Actions -> Clear Session to clear the session and access tokens for the logged-in user.
3. In the Okta admin console, the user session is cleared and all tokens revoked.
However, when I use the native app, the clientSession and token are still valid (with the default value of 3600 seconds).
My primary use case is to revoke the logged in user session token remotely via Okta console.
Help!

Hello @SubramanianR.57217 (Customer)
I've escalated your question to our Customer Support team. They will respond to you shortly here.
Thanks!
Tim
Okta, Inc.
Hi @SubramanianR.57217 (Customer)
The session in the application is based on the JWT retrieved from Okta, which is valid for 3600 seconds by default. Revoking the tokens from Okta's side will not invalidate the app session as the existing JWT would still be valid and verifiable using the signing keys from the /keys endpoint.
The best solution would be to implement a request method to send the token to the /introspect endpoint of the authorization server from which it was issued and check against Okta if the token is still valid. If the token was revoked from the administrative panel, then Okta will specify that the token is no longer active. Following this response, you can trigger client.getSessionClient().clear(); to remove the tokens from the application.
Dragos Gaftoneanu
Developer Support Engineer
Okta Global Customer Care
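
The check described in the answer above, as an added example that is not part of the original thread and is not Okta SDK code: a plain RFC 7662 introspection request from a native (public) client, which clears the local session only when the server reports the token inactive. The class name `RevocationCheck`, its method names, and the `introspectUrl` and `clientId` parameters are assumptions; `introspectUrl` stands for the /introspect endpoint of the authorization server that issued the token.

```java
import java.io.ByteArrayOutputStream;
import java.io.IOException;
import java.io.InputStream;
import java.io.OutputStream;
import java.net.HttpURLConnection;
import java.net.URL;
import java.net.URLEncoder;
import org.json.JSONException;
import org.json.JSONObject;

// Added example (hypothetical class, not Okta SDK code). Call it off the main thread.
public final class RevocationCheck {
    // Clears the local session only when the server reports the token inactive.
    public static void enforce(String introspectUrl, String clientId, String accessToken,
                               Runnable clearSession) throws IOException, JSONException {
        if (!isActive(introspectUrl, clientId, accessToken)) clearSession.run();
    }
    static boolean isActive(String introspectUrl, String clientId, String accessToken)
            throws IOException, JSONException {
        // Public (native) client: no secret, so client_id travels in the form body.
        String form = "token=" + URLEncoder.encode(accessToken, "UTF-8")
                + "&token_type_hint=access_token&client_id=" + URLEncoder.encode(clientId, "UTF-8");
        HttpURLConnection conn = (HttpURLConnection) new URL(introspectUrl).openConnection();
        try {
            conn.setRequestMethod("POST");
            conn.setConnectTimeout(10_000);
            conn.setReadTimeout(10_000);
            conn.setDoOutput(true);
            conn.setRequestProperty("Content-Type", "application/x-www-form-urlencoded");
            try (OutputStream out = conn.getOutputStream()) {
                out.write(form.getBytes("UTF-8"));
            }
            // A non-200 reply is an outage or misconfiguration, not a verdict on the token.
            if (conn.getResponseCode() != 200) throw new IOException("introspect: HTTP error");
            try (InputStream in = conn.getInputStream()) {
                ByteArrayOutputStream buf = new ByteArrayOutputStream();
                byte[] chunk = new byte[4096];
                for (int n; (n = in.read(chunk)) != -1; ) buf.write(chunk, 0, n);
                return parseActive(buf.toString("UTF-8"));
            }
        } finally {
            conn.disconnect();
        }
    }
    // Constructed samples: {"active":true} -> true; {"active":false} -> false; no "active" -> false.
    static boolean parseActive(String body) throws JSONException {
        return new JSONObject(body).optBoolean("active", false);
    }
}
```

Pass `() -> client.getSessionClient().clear()` as `clearSession`. An `IOException` leaves the session untouched, so the caller decides whether to retry or to sign the user out when the server cannot be reached.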