
NakkaJ.87076 (Customer) asked a question.
How can I sign a user out of all the active sessions?
As part of logout, we first call the Revoke URL, followed by invoking the Logout URL. However, this approach clears the current application's session, not the other applications which are also using the same user session. I tried the "Single Logout" option mentioned in the documentation by enabling the options "Front-channel Single Logout and Front-channel Single Logout for IdPs", still no use.
Revoke URL : "https://yourOktaDomain/oauth2/id/v1/revoke"
Logout URL : "https://yourOktaDomain/oauth2/v1/logout?id_token_hint=idToken&post_logout_redirect_uri=configuredPostLogoutRedirectUri"
Documentation : "https://developer.okta.com/docs/guides/single-logout/oktaoidc/main/"

@NakkaJ.87076 (Customer) you can use the API documented here to clear all sessions from all devices:
https://developer.okta.com/docs/api/openapi/okta-management/management/tag/UserSessions/#tag/UserSessions/operation/revokeUserSessions
You can also clear OAuth tokens as well by passing the parameter oauthTokens=true.
I have tried the provided solution and I am getting a 403 error code saying invalid session. Please review and let me know if anything is missing.
I generated the API key in the Security -> API section, created a token, and it generated a one-time token which I noted and passed as apiKey. The logged-in UserID is smapleUserID.
API call :
import java.io.BufferedReader;
import java.io.InputStreamReader;
import java.net.URL;
import javax.net.ssl.HttpsURLConnection;

private void revokeOktaSession() {
    String host = "https://";
    String userId = "smapleUserID";
    String yourOktaDomain = "somedomain.okta.com";
    String pathname = yourOktaDomain + "/api/v1/users/" + userId + "/sessions";
    String apiKey = "Api_Key_generated_from_SECURITY_API_Section";
    try {
        URL url = new URL(host + pathname);
        ELSLog.i(TAG, "revokeOktaSession....url : " + url); // app's own logger
        HttpsURLConnection connection = (HttpsURLConnection) url.openConnection();
        // Set up the connection properties
        connection.setRequestMethod("DELETE");
        connection.setRequestProperty("Authorization", apiKey); // bare token, no scheme prefix
        connection.setRequestProperty("Accept", "application/json");
        connection.setRequestProperty("content-type", "application/json; charset=UTF-8");
        connection.setConnectTimeout(10000);
        connection.setReadTimeout(10000);
        connection.setDoOutput(true);
        // Establish the connection and get response
        int responseCode = connection.getResponseCode();
        BufferedReader in = new BufferedReader(new InputStreamReader(
                responseCode >= 200 && responseCode < 400 ?
                        connection.getInputStream() : connection.getErrorStream()));
        String inputLine;
        StringBuilder response = new StringBuilder();
        while ((inputLine = in.readLine()) != null) {
            response.append(inputLine);
        }
        in.close();
        System.out.println("Response Code: " + responseCode);
        System.out.println("Response Body: " + response.toString());
    } catch (Exception e) {
        System.out.println("Exception: " + e.getMessage());
    }
}
Response :
revokeOktaSession....: responseCode : 403
revokeOktaSession....: response : {"errorCode":"E0000005","errorSummary":"Invalid session","errorLink":"E0000005","errorId":"oaeydCD3yUWS42p4rnIbg4bMg","errorCauses":[]}
@NakkaJ.87076 (Customer)
Can you try adding SSWS in the Authorization header?
"SSWS {{api_key}}"
Request change:
connection.setRequestMethod("DELETE");
connection.setRequestProperty("Authorization", "SSWS "+ apiKey);
connection.setRequestProperty("Accept", "application/json");
connection.setRequestProperty("content-type", "application/json; charset=UTF-8");
connection.setConnectTimeout(10000);
connection.setReadTimeout(10000);
connection.setDoOutput(true);
Response :
revokeOktaSession....: responseCode : 404
revokeOktaSession....: response : {"errorCode":"E0000007","errorSummary":"Not found: Resource not found: UserID (User)","errorLink":"E0000007","errorId":"oaebGk9zVAxSLGoT8StMWwcvA","errorCauses":[]}
@RohitU.50441 (Trevonix) Now it's working. In the case of the user ID, I was passing the mail ID instead of the unique ID; now it's working.
Could you please confirm whether the API is free to use or a paid one?
https://developer.okta.com/docs/api/openapi/okta-management/management/tag/UserSessions/#tag/UserSessions/operation/revokeUserSessions
The integrator tenant comes with APIs for free, but rate limits will be applicable.
Thanks for the update, any reference for the rate limit?
You should be able to see that in the response headers.
More information here
https://developer.okta.com/docs/reference/rate-limits/
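An added example (not code from the thread or from Okta) that pulls together the points above: the "SSWS " prefix on the Authorization header, the user's Okta ID rather than a mail ID in the path, the oauthTokens=true parameter, and the rate-limit headers on the response. The domain, API token and user ID are placeholders, and the URL builder is kept separate from the send so it can be checked without network access.

```java
import java.io.InputStream;
import java.net.HttpURLConnection;
import java.net.URL;
import java.nio.charset.StandardCharsets;

/** Revokes every Okta session (and optionally every OAuth token) of one user via the Users API. */
public class OktaSessionRevoker {
    private final String oktaDomain; // e.g. "yourOktaDomain.okta.com" (placeholder)
    private final String apiToken;   // API token created under Security -> API (placeholder)

    public OktaSessionRevoker(String oktaDomain, String apiToken) {
        this.oktaDomain = oktaDomain;
        this.apiToken = apiToken;
    }

    /** Builds the request URL; the 404 in the thread came from passing a mail ID instead of the Okta user ID. */
    String revokeUrl(String userId, boolean revokeOauthTokens) {
        if (userId == null || userId.isEmpty() || userId.contains("/") || userId.contains("?")) {
            throw new IllegalArgumentException("userId must be a single Okta user ID path segment");
        }
        return "https://" + oktaDomain + "/api/v1/users/" + userId + "/sessions"
                + (revokeOauthTokens ? "?oauthTokens=true" : "");
    }

    /** Sends the DELETE and returns true on 204 No Content; prints the rate-limit headers Okta returns. */
    public boolean revokeAll(String userId, boolean revokeOauthTokens) throws Exception {
        HttpURLConnection c = (HttpURLConnection) new URL(revokeUrl(userId, revokeOauthTokens)).openConnection();
        c.setRequestMethod("DELETE");
        // The "SSWS " scheme prefix is what turned the E0000005 "Invalid session" 403 above into a working call.
        c.setRequestProperty("Authorization", "SSWS " + apiToken);
        c.setRequestProperty("Accept", "application/json");
        c.setConnectTimeout(10000);
        c.setReadTimeout(10000);
        int code = c.getResponseCode();
        // Remaining quota for this endpoint is reported in the response headers (see the rate-limits page above).
        System.out.println("X-Rate-Limit-Remaining: " + c.getHeaderField("X-Rate-Limit-Remaining")
                + ", X-Rate-Limit-Reset: " + c.getHeaderField("X-Rate-Limit-Reset"));
        if (code == 204) return true;
        try (InputStream err = c.getErrorStream()) {
            String body = err == null ? "" : new String(err.readAllBytes(), StandardCharsets.UTF_8);
            System.out.println("Revoke failed: HTTP " + code + " " + body);
        }
        return false;
    }

    public static void main(String[] args) throws Exception {
        OktaSessionRevoker r = new OktaSessionRevoker("yourOktaDomain.okta.com", System.getenv("OKTA_API_TOKEN"));
        System.out.println(r.revokeUrl("OKTA_USER_ID_PLACEHOLDER", true)); // dry run, no network call
        // r.revokeAll("OKTA_USER_ID_PLACEHOLDER", true);
    }
}
```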
revokeUserSessions clears the user session from all devices; however, in my use case the current device's user session needs to be removed if any other application on the same device uses the same user session.
I tried the below, but I am getting a 403 response.
Request :
import java.io.BufferedReader;
import java.io.InputStreamReader;
import java.io.OutputStream;
import java.net.URL;
import java.nio.charset.StandardCharsets;
import javax.net.ssl.HttpsURLConnection;

private void delete_sessions() {
    ELSLog.i(TAG, "delete_sessions...."); // app's own logger
    String host = "https://";
    String userId = "User_ID"; // unused here: the path below targets /users/me
    String yourOktaDomain = "somesample.okta.com";
    String pathname = yourOktaDomain + "/api/v1/users/me/lifecycle/delete_sessions";
    String apiKey = "API_KEY";
    String payload = "{\n \"keepCurrent\": false\n}";
    try {
        URL url = new URL(host + pathname);
        ELSLog.i(TAG, "revokeOktaSession....url : " + url);
        HttpsURLConnection connection = (HttpsURLConnection) url.openConnection();
        // Set up the connection properties
        connection.setRequestMethod("POST");
        connection.setRequestProperty("Authorization", "SSWS " + apiKey);
        connection.setRequestProperty("Accept", "application/json");
        connection.setRequestProperty("content-type", "application/json; charset=UTF-8");
        connection.setConnectTimeout(10000);
        connection.setReadTimeout(10000);
        connection.setDoOutput(true);
        // Write the JSON body
        try (OutputStream os = connection.getOutputStream()) {
            byte[] input = payload.getBytes(StandardCharsets.UTF_8);
            os.write(input, 0, input.length);
        }
        // Establish the connection and get response
        int responseCode = connection.getResponseCode();
        BufferedReader in = new BufferedReader(new InputStreamReader(
                responseCode >= 200 && responseCode < 400 ?
                        connection.getInputStream() : connection.getErrorStream()));
        String inputLine;
        StringBuilder response = new StringBuilder();
        while ((inputLine = in.readLine()) != null) {
            response.append(inputLine);
        }
        in.close();
        System.out.println("Response Code: " + responseCode);
        System.out.println("Response Body: " + response.toString());
    } catch (Exception e) {
        System.out.println("Exception: " + e.getMessage());
    }
}
Response :
delete_sessions....: responseCode : 403
delete_sessions....: response : {"errorCode":"E0000005","errorSummary":"Invalid session","errorLink":"E0000005","errorId":"oaej1ECN_7oTOmxtaOWp6HU1g","errorCauses":[]}
@NakkaJ.87076 (Customer)
Sessions depend on many things.
When you say application session, how are these sessions established? You can always clear Okta's session in the same browser; here is the sample:
https://developer.okta.com/docs/guides/sign-users-out/react/main/
If the applications are in your control, you can code the app to check Okta's session before token validation.
If the applications are SaaS with SAML, they need to support SLO, since Okta only supports SLO.
There is a lot more nuance to logging out of applications. You may need to articulate what you are trying to achieve for us to suggest a working method.