API endpoints for a SPA app within Okta since it does not have client_secret info configured

/introspect and /revoke end point seems needs client_id and client_secret, but mine is an SPA in Okta, how could I get the client_secret for it, or should I have another way to invoke these endpoints with ‘api token’

Generally my question is for a SPA app in Okta, what would be the way to invoke /intrspect and /revoke endpoints since they are asking for client_id and client_secret.

Please advise


Why do you want to call these endpoints? What’s the use case you’re trying to solve? The reason I ask is there might be another way to do it.

Glad you asked, right now for our Okta SPA application, if the user open two tabs for the same website, and if the user logout from one tab to terminate the okta session, the other tab is still working fine if the tab is not reloaded, but if refreshing on this tab, it will lead to okta login page, which is good and as expected.

After investigation, the root reason is that the token seemed still valid when the server side validate it from Okta.

I tried to revoke the token(s) used when user logged out from one of the tabs, but it requires client_id and client_secret which our SPA does not have

What should be the way to get over this, thanks!

You might be able to configure your Okta client SDK to store tokens in session storage instead of local storage. Session storage is scoped to the current browser tab whereas local storage spans all tabs.

Thank you so for providing the alternative, I tried with ‘sessionStorage’ for token storage, now it seems different tab will have different token.

But the problem remains since after logout from one tab, does not invalidate the idToken(accessToken), so any API invoked from the SPA to API provider(resource server) is still possible. Only refresh page will lead to okta login page again, but if no refresh for the first tab, the user is still able to get access to resource.

Do we have a way to invalidate token(idToken and accessToken) after logout from okta.

Actually you gave me the idea :slight_smile: Maybe I can use localStorage for this purpose to logout the user from other tabs as well… :). Then this would be a solution without invalidating the Tokens.