AWS ALB and Okta deactivated user

Hi All,

We’ve created an Okta App for our website and configured an AWS ALB to authenticate users. Everything works fine.

On the Okta side our App has the following settings:

  • General
    • Client Credentials
      • Client authentication - Client secret
      • Proof Key for Code Exchange (PKCE) - disabled
    • General Settings - Application
      • Application type - Web
      • Proof of possession - disabled
      • Grant type - Authorization code, Refresh Token, Implicit (hybrid)
    • Refresh Token
      • Refresh token behavior - Rotate token after every use
      • Grace period for token rotation - 60 Seconds

From AWS Documentation:

  • If the session timeout is longer than the access token expiration and the IdP supports refresh tokens, the load balancer refreshes the user session each time the access token expires. The load balancer has the user log in again only after the authentication session times out or the refresh flow fails.

So now we’d like to check how we can immediately remove a given user’s access to the App.

  • User is authenticated in App / ALB already.
  • We deactivate user in Okta.
  • User is able to open website still.

On the ALB side we can configure only the Session Timeout. We tried setting it to 5 minutes, and even the next day the deactivated user could still open the website.

What’s wrong with our configuration? How can we remove access for deactivated users?
Or maybe it’s impossible to handle this with the ALB and it has to be handled on the app side (using refresh tokens or some other way)?

Thanks!

When you deactivate or suspend users in Okta, their sessions are cleared. So the next time you try to log in using a UI, or in your case try to get a new set of tokens using the refresh_token grant, you will get an error like this one:

{
    "error": "invalid_grant",
    "error_description": "The refresh token is invalid or expired."
}

The AWS document states it will keep the session until the refresh flow fails (which is expected for deactivated users). You can check the AWS logs to see why.

Here are some pointers for troubleshooting this,

  • Check in your system logs whether debugContext.debugData.grantType eq "refresh_token" and target.id eq "00u---------------" is occurring. This might mean the user is still active in Okta.
  • Check the validity of the access token by decoding the token. Here is some useful info. Typically the failure is expected to happen after or close to access token expiry in your flow.
  • Check the AWS logs to see if something else is causing sessions to stay alive.
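A scripted form of the first two checks above, added here as an example and not code from the reply, from Okta or from AWS: it applies the System Log filter condition to a list of events and reads the exp claim out of an access token so you can see when the ALB's refresh attempt (and thus the failure for a deactivated user) is due. The events, the user ids and the token are constructed placeholders, not real data.

```python
import base64
import json
# Constructed sample Okta System Log events (not real data); real events carry
# the same fields: debugContext.debugData.grantType and a list of targets.
SAMPLE_EVENTS = [
    {"outcome": {"result": "SUCCESS"},
     "debugContext": {"debugData": {"grantType": "refresh_token"}},
     "target": [{"type": "User", "id": "00uEXAMPLEUSER"}]},
    {"outcome": {"result": "FAILURE", "reason": "invalid_grant"},
     "debugContext": {"debugData": {"grantType": "refresh_token"}},
     "target": [{"type": "User", "id": "00uEXAMPLEUSER"}]},
    {"outcome": {"result": "SUCCESS"},
     "debugContext": {"debugData": {"grantType": "authorization_code"}},
     "target": [{"type": "User", "id": "00uOTHERUSER"}]},
]

def refresh_grants_for_user(events, user_id):
    """(successes, failures) of refresh_token grants naming user_id, i.e. the
    filter grantType eq "refresh_token" and target.id eq "<user>" applied in code.
    A SUCCESS logged after deactivation means the ALB is still obtaining tokens."""
    successes = failures = 0
    for ev in events:
        grant = ev.get("debugContext", {}).get("debugData", {}).get("grantType")
        if grant != "refresh_token":
            continue
        if not any(t.get("id") == user_id for t in ev.get("target", [])):
            continue
        if ev.get("outcome", {}).get("result") == "SUCCESS":
            successes += 1
        else:
            failures += 1
    return successes, failures

def _b64url(raw):
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()

# Constructed sample access token with a dummy signature, for decoding only.
SAMPLE_TOKEN = ".".join([_b64url(b'{"alg":"RS256"}'),
    _b64url(b'{"sub":"00uEXAMPLEUSER","exp":1700000000}'), "dummy-signature"])

def access_token_expiry(token):
    """Read the exp claim from a JWT payload (no signature check; inspection only)."""
    seg = token.split(".")[1]
    payload = json.loads(base64.urlsafe_b64decode(seg + "=" * (-len(seg) % 4)))
    return int(payload["exp"])

def seconds_until_expiry(token, now):
    """Seconds until exp relative to now (a Unix timestamp); negative once expired."""
    return access_token_expiry(token) - now
```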
