Angular SPA Redirect Model, Log user out of UI after being removed from Okta group

Hi All,

I’m new to Angular, and Okta, but I was tasked with integrating Okta auth into our SPA.
I have followed this guide Sign users in to your SPA using the redirect model | Okta Developer to a tee.
One of the requirements to access our UI with Okta, is that user has to belong to a certain group.
Everything works as it should, but I’m having the following issue. If I remove the user from that group, they still have access to UI while their session is still active. Only if the user logs out by their own accord, will their access to UI be restricted.
The desired behavior would be that after I remove user from group, even if they are logged in, they will be logged out of the app automatically, or their access will be revoked somehow.

From what I understand, I may need to use refresh tokens to implement this behavior, but I have no idea what I would need to change in my implementation. Apparently this refresh should be done automatically, behind the scene, but I don’t know why it’s not happening.

I have set up grant type to Refresh Token and other Refresh Token related settings on Okta side.
And this is my request:

export const oktaAuth = new OktaAuth({
  issuer: `https://${environment.oktaDomain}/oauth2/default`,
  clientId: environment.clientId,
  redirectUri: window.location.origin + '/okta/callback',
  scopes: ['openid', 'offline_access'],
  pkce: true,
  responseType: ['id_token', 'token']

Can someone please provide me with some example I need to follow, or some way to achieve my desired outcome?

Thank you!


This type of functionality is not part of any of the SDKs, nor is it part of OAuth/OIDC spec (that I am aware of).
I assume the way it works now is users are assigned to the OAuth application in Okta via group membership. When a user that has access to the app is removed from the group the next time they try to authorize into the application it will fail.
The above will work for new sessions.

It will not work with refresh_tokens though. With a refresh_token a user does the initial authorize into the application which checks for access. Assuming they have access tokens including a refresh token is minted for that user. When a new access_token is required a token call is made with the refresh_token. This process does not go through the authorization process again. So even if a user was removed from the group assigned to the application they would still be able to refresh their tokens until the lifetime of the refresh_token ends, or their refresh_token is revoked.

One option would be to set a short lived expiry time for the access_token and instead of using a refresh_token let the SDK authorize back into the application each time the token expires. This way if the user is removed from the group assigned to the application the authorize call will fail. There are some potential drawbacks to this approach such as the need to enable 3rd party cookies if the Okta Org and the application are not running in the same parent domain.
Another potential option would be to use a groups claim in the id/access token and have your application verify the user is a member of a specific group each time a new token is retrieved. This way a refresh_token could be used.
There are other potential solutions you could use as well, each with advantages/disadvantages.

Whatever approach you use some helpful links are:

  • Run auth-js as a service to enable token auto renew. With the Okta Angular SDK auth-js should already be running as a service I believe?
  • TokenManager.on() callbacks to add custom logic such as when a new token is retrieved or right before expiration.

Thank You,

To add another option to the list, if you’re removing them from the group through some kind of administrative app , you could force logout using Clear User Sessions Users | Okta Developer which gets rid of all cookies and tokens (nuclear sign-out option). They would have to login again.

You may also be able to use an Okta workflow or hook if you’re doing this via the Okta admin console and don’t have your own admin app.