Currently, absolute timeout is supported in Okta for the Okta Session. The feature isn’t exposed in the admin portal, but you can configure it via an API call. What I would like is that when this timeout occurs, and the user’s session is terminated, their refresh tokens should also be terminated. That way we can implement an absolute timeout for OIDC/OAuth applications.
As discussed in this thread as well, Okta does not support single logout from external service providers when the user logs out of Okta.
It sounds like your use case is a little different, though. Unfortunately I do not see any way to key off the user's session expiring, but something that may work on your end is to check whether the user still has an active Okta session before refreshing their tokens. If there was an event triggering the logout (such as the user logging out of Okta), you could look into using Event Hooks triggered by the user.session.start event to revoke a user's refresh tokens.
If the Event Hooks solution I mentioned is of interest, there would need to be an event available to use with the hook. You can file a request on our Ideas site to have this event captured in the System Log to facilitate it.
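The Event Hook approach suggested above, worked through as an added example (this is not code from the thread or from Okta): a receiver that answers Okta's one-time verification GET, authenticates each delivery with the shared Authorization header configured on the hook, and for every session-termination event revokes the actor's refresh tokens through Okta's `DELETE /api/v1/users/{userId}/clients/{clientId}/tokens` endpoint. Which event type fires when a session ends is left as a parameter; the sample delivery uses `user.session.end`, and the client ID, user IDs and hook secret are all constructed for illustration. The HTTP call is injected so the handler can be exercised offline.

```python
import json
import urllib.request

# Okta activates an Event Hook only after a one-time GET carrying this header
# is answered with {"verification": "<the header's value>"}.
VERIFICATION_HEADER = "x-okta-verification-challenge"

# Assumption: the System Log event type(s) that mean "the Okta session ended".
# user.session.end is assumed here; confirm the event name in your org's
# System Log (the thread notes such an event may first need to exist).
LOGOUT_EVENT_TYPES = frozenset({"user.session.end"})

# Assumption: hypothetical OIDC client IDs whose refresh tokens to revoke.
CLIENT_IDS = ("0oaexamplewebapp",)


def _header(headers, name):
    """Case-insensitive header lookup (HTTP header names are not case-sensitive)."""
    for key, value in headers.items():
        if key.lower() == name.lower():
            return value
    return None


def okta_revoke_refresh_tokens(org_url, api_token, user_id, client_id):
    """Revoke every refresh token issued to user_id for client_id.

    Calls DELETE /api/v1/users/{userId}/clients/{clientId}/tokens with an
    SSWS API token; Okta answers 204 No Content on success. org_url and
    api_token are deployment-specific values supplied by the caller.
    """
    req = urllib.request.Request(
        f"{org_url}/api/v1/users/{user_id}/clients/{client_id}/tokens",
        method="DELETE",
        headers={"Authorization": f"SSWS {api_token}",
                 "Accept": "application/json"},
    )
    with urllib.request.urlopen(req, timeout=10) as resp:
        return resp.status


def events_from_payload(payload):
    """Yield (eventType, user id) for each delivered event whose actor is a User."""
    for event in payload.get("data", {}).get("events", []):
        actor = event.get("actor") or {}
        if actor.get("type") == "User" and actor.get("id"):
            yield event.get("eventType", ""), actor["id"]


def handle_event_hook(method, headers, body, revoke, hook_secret,
                      event_types=LOGOUT_EVENT_TYPES, client_ids=CLIENT_IDS):
    """Process one HTTP request from Okta.

    revoke(user_id, client_id) performs the actual revocation (in production a
    partial of okta_revoke_refresh_tokens). Returns (status, json_body,
    list of (user_id, client_id) pairs revoked) so the logic is testable.
    """
    if method == "GET":
        # Verification request: no event data, just echo the challenge.
        challenge = _header(headers, VERIFICATION_HEADER)
        if not challenge:
            return 400, {"error": "missing verification challenge"}, []
        return 200, {"verification": challenge}, []
    if method != "POST":
        return 405, {"error": "method not allowed"}, []
    # Okta sends the Authorization header value configured on the hook;
    # without this check anyone who finds the URL can trigger revocations.
    if _header(headers, "Authorization") != hook_secret:
        return 401, {"error": "unauthorized"}, []
    try:
        payload = json.loads(body)
    except (TypeError, ValueError):
        return 400, {"error": "invalid JSON"}, []
    revoked = []
    for event_type, user_id in events_from_payload(payload):
        if event_type not in event_types:
            continue  # e.g. user.session.start is a login: nothing to revoke
        for client_id in client_ids:
            revoke(user_id, client_id)
            revoked.append((user_id, client_id))
    return 200, {"revoked": len(revoked)}, revoked


# Constructed sample delivery: one session-end event and one login event.
SAMPLE_HOOK_BODY = json.dumps({
    "eventType": "com.okta.event_hook",
    "data": {"events": [
        {"eventType": "user.session.end",
         "actor": {"id": "00uexampleuser1", "type": "User"}},
        {"eventType": "user.session.start",
         "actor": {"id": "00uexampleuser2", "type": "User"}},
    ]},
})

if __name__ == "__main__":
    seen = []
    print(handle_event_hook("POST", {"Authorization": "hook-secret"},
                            SAMPLE_HOOK_BODY,
                            lambda u, c: seen.append((u, c)), "hook-secret"))
```

Two caveats apply in practice. Event Hook delivery is asynchronous, so revocation trails the session ending by some seconds, and a refresh attempted in that window still succeeds; the session-check-before-refresh approach mentioned above closes that gap if the application can reach Okta's session endpoint. The SSWS token used for revocation should belong to a dedicated service account with no more than the permissions needed to revoke tokens, since the hook endpoint is an internet-reachable path to that token's authority.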
Thanks for the replies. I actually found a solution for this issue here: How to implement an absolute timeout for OIDC/OAuth applications?