Okta Classic Engine · Authentication · Answered · posted 2025-11-14T13:02:38Z, last activity 2025-11-15T10:11:45Z
How to ensure immediate logout and sessions revocation for a user via APIs?

 

Hi,

We have the following setup:

  • Our SPA uses Okta Sign-In Widget with okta-auth-js and @okta/okta-react.
  • On login, the access and ID tokens are stored in the browser (okta-token-storage) via the Okta Auth SDK, and we call signInWidget.showSignInToGetTokens({ el }) to get tokens (no Okta session cookie, sid or idx, is visible in browser/cookie storage).
  • We call oktaAuth.handleLoginRedirect(tokens) on successful login.

 

Our questions are:

Session creation:

  • Is an Okta session (sid or idx) actually being created in this flow?
  • If so, why don't we see it in browser cookie storage or via the UI? Also, on hitting oktaAuth.signOut I see that a DELETE call is being made to the /sessions/me endpoint with the sid. How is that possible if no session is being created on Okta's end?

 

Revoking sessions:

  • We tried using /users/{id}/sessions to revoke all sessions after user deletion. It doesn't seem to log out users immediately.

 

Immediate logout on user deletion:

  • Given our current token-only SPA flow, is there a way to ensure users are immediately logged out when another user deletes them via the DELETE user endpoint (basically an admin on our website deleting another user)? Is there anything that should be called in addition, to ensure that the deleted user's sessions are revoked immediately?

 


  • User17157611498146715886 (Customer Support Online Community and Social Care)

    Hello @Syed HishamA.90192 (Customer), thank you for contacting Okta Community!

     

    I've reviewed our documentation for something relevant. It looks like your question is more appropriate for our dedicated Okta Developer Forum. I advise reaching out via devforum.okta.com as they will have more insight into this topic.

     

    While we'll do our best to answer your questions here, this medium is more inclined towards Okta's core products and features (non-developer work).

     

    Regards.

    --

    Help others in the community by liking or hitting Select as Best if this response helped you.

  • RohitU.50441 (Trevonix)

    An Okta session will get created if the SDK redirects users to the /authorize endpoint.

     

    There are two things that define a session here.

     

    Okta's session itself, which helps you get new tokens without entering credentials every time (this depends on the session and sign-on policy).

     

    Token lifetime is what decides the app session. So you need to revoke tokens instead of removing the Okta session.

     

    When a user is deactivated, they won't be able to log in to Okta anyway.

     

    What you could do is keep the access token to 5 mins and silently renew tokens every 5 mins. This way, when a user is deactivated in Okta, the max session they can have is 5 mins, and the next silent token request will fail.

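The bounded-lifetime approach RohitU describes, as an added example that is not part of the thread or of Okta's SDKs: a simulated authorization server and token store show that once the user is deactivated the next silent renew fails and the client clears its tokens, so the exposure window is at most one token lifetime. The mapping of renewal errors to a forced logout is an assumption, not documented Okta behaviour.

```javascript
// Added example, not code from the thread or from Okta's SDKs: "short-lived
// access token + silent renew, treat renewal failure as logout". The server and
// the SPA token store are simulated so this runs offline.

// OIDC error codes a prompt=none renewal returns when the server will not issue a
// token without a fresh sign-in (assumption: a deactivated user lands here).
// Anything else is treated as transient and retried on the next tick.
const FATAL_RENEW_ERRORS = new Set([
  'login_required', 'interaction_required', 'invalid_grant', 'access_denied',
]);

function classifyRenewFailure(err) {
  return FATAL_RENEW_ERRORS.has(err && err.error) ? 'logout' : 'retry';
}

// Stand-in for the /authorize endpoint: tokens are issued only while the user is
// active; lifetime defaults to the 5 minutes suggested in the answer.
function makeFakeAuthServer(lifetimeSec = 300) {
  const active = new Map();
  return {
    activate(userId) { active.set(userId, true); },
    deactivate(userId) { active.set(userId, false); },
    renew(userId, nowSec) {
      if (!active.get(userId)) throw { error: 'login_required' };
      return { accessToken: `tok-${userId}-${nowSec}`, expiresAt: nowSec + lifetimeSec };
    },
  };
}

// One silent-renew tick. `store` models okta-token-storage; on a fatal failure it
// is cleared, the client-side equivalent of calling signOut() here.
function renewTick(server, store, userId, nowSec) {
  try {
    store.accessToken = server.renew(userId, nowSec);
    return { status: 'renewed', expiresAt: store.accessToken.expiresAt };
  } catch (err) {
    if (classifyRenewFailure(err) === 'logout') {
      delete store.accessToken;
      return { status: 'logged_out', reason: err.error };
    }
    return { status: 'retry', reason: String((err && err.message) || err) };
  }
}

// Worst case a deactivated user keeps a usable token: the remaining lifetime of
// the last token issued before deactivation, never more than lifetimeSec.
function staleWindowSec(store, nowSec) {
  return store.accessToken ? Math.max(0, store.accessToken.expiresAt - nowSec) : 0;
}
```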
  • Hi @RohitU.50441 (Trevonix), thank you for the response!

    So when the next silent token request fails, would the user get logged out automatically?

    Also, is there no direct way to ensure that a user gets logged out/all sessions are revoked when a user is deleted? Or no hack around it?

    If my understanding is correct, the session that you are referring to here isn't necessarily tied to the user session but rather enables tokens getting fetched silently?

  • But then I also see that DELETE /sessions/me is invoked, with session identifiers, when a user signs out.

This question is closed.