
ScottM.73771 (Customer) asked a question.
Hi team. I was hoping to get some clarification around the okta.sessions.manage scope. Is this scope able to manage all Okta sessions in the organization or is it limited/restricted in some way?
The description on this page https://developer.okta.com/docs/guides/implement-oauth-for-okta/main/ implies that it can manage all sessions ("Allows the app to manage all sessions in your Okta organization"); however, whenever I try to close sessions (https://developer.okta.com/docs/reference/api/sessions/*close-session) with an access token that I have validated is assigned okta.sessions.manage, I get "Not found: Resource not found: <my sessionId> (AppSession)". I have confirmed that the sessionId is valid and active at the time by calling /api/v1/sessions/me under the user I am testing with.

Hi @ScottM.73771 (Customer),
Thank you for posting on the Okta community page!
I have done some research on my end and it seems that this API call requires the user in question to have a session cookie, as the API token isn't allowed to perform this operation.
Could you please check your browser cookie settings and make sure that under Cookies and other site data, Allow all cookies is selected? I managed to find an article which mentions that the Google Chrome security settings for incognito mode block sites from leveraging browser cookies for tracking activity across different sites.
I hope the above information is useful!