Let’s assume one user A has been assigned App1 and App2, both configured as OIDC applications.
The scenario observed currently:
If user A logs in to App1, he is considered logged in from App2’s point of view. But after user A logs out of App1, he is still considered logged in from App2’s point of view.
The behaviour expected:
If user A logs in to App1, he is considered logged in from App2’s point of view. After user A logs out of App1, he should be considered logged out of all assigned apps, including App2.
Please help with how to achieve this, if it is supported by Okta.
However, it should be noted that, unless your application is introspecting the user’s tokens upon usage or ensuring they have an active Okta session, they will not be logged out of any other OIDC applications automatically, as the application itself is likely storing their tokens for their local session.
The only way to check if a user’s tokens are revoked is to make a call to the /introspect endpoint; it’s also worth noting that invoking a strategy such as this may result in the application exceeding your rate limits.
Thanks for the reply.
Since [DELETE /api/v1/users/{{userId}}/sessions?oauthTokens=true] and other API invocations need an API key or other secret, the server side has to initiate this invocation instead of JS logic inside the SPA.
Correct, this call requires admin credentials in the form of an API key, and there is no way to do this as the user (without an API key) without making separate /revoke and /logout calls from the individual OIDC applications.
The /introspect and /revoke endpoints seem to need client_id and client_secret, but mine is a SPA in Okta. How could I get the client_secret for it, or is there another way to invoke these endpoints with an ‘API token’?
Generally my question is: for a SPA app in Okta, what is the way to invoke the /introspect and /revoke endpoints, since they ask for client_id and client_secret?
Client authentication is a little different when your app doesn’t have a client secret.
If you’re working with an app configured for PKCE, you will need to pass the client_id in the body of your /revoke or /introspect request instead of as part of the Base64 encoded clientId:clientSecret auth header (you can actually just remove the Authorization header entirely).
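As an added example that is not code from this thread or from Okta, the following shows what the two answers above amount to for a public (PKCE) SPA: the /introspect and /revoke requests carry client_id in the form-encoded body with no Authorization header, and the introspection response is treated as "still logged in" only when it says `active: true`. The issuer URL, client_id and tokens are placeholders, and the sample responses are constructed to match the RFC 7662 shape; `buildPublicClientRequest`, `isTokenUsable` and `introspectToken` are names chosen here, not an Okta SDK API.

```javascript
// Added example, not code from the thread: how a public (PKCE) OIDC client
// with no client_secret calls Okta's /introspect and /revoke endpoints.
// The issuer URL, client_id and token values below are placeholders.

const ISSUER = 'https://dev-123456.okta.com/oauth2/default'; // placeholder
const CLIENT_ID = '0oaEXAMPLECLIENTID';                       // placeholder

// Build the POST request for /introspect or /revoke. A confidential client
// would send "Authorization: Basic base64(clientId:clientSecret)"; a public
// client omits that header and puts client_id in the form-encoded body.
function buildPublicClientRequest(endpoint, token, tokenTypeHint) {
  const params = new URLSearchParams({
    client_id: CLIENT_ID,
    token,
    token_type_hint: tokenTypeHint,
  });
  return {
    url: `${ISSUER}/v1/${endpoint}`,
    method: 'POST',
    headers: {
      'Content-Type': 'application/x-www-form-urlencoded',
      Accept: 'application/json',
      // deliberately no Authorization header for a public client
    },
    body: params.toString(),
  };
}

function buildIntrospectRequest(token, tokenTypeHint = 'access_token') {
  return buildPublicClientRequest('introspect', token, tokenTypeHint);
}

function buildRevokeRequest(token, tokenTypeHint = 'refresh_token') {
  return buildPublicClientRequest('revoke', token, tokenTypeHint);
}

// Interpret an introspection response (RFC 7662): a revoked or expired token
// comes back as {"active": false} with no other claims, so the only safe
// check is active === true. The exp check additionally rejects a token that
// the server still reports active but that has reached its expiry.
function isTokenUsable(introspection, nowSeconds = Math.floor(Date.now() / 1000)) {
  if (!introspection || introspection.active !== true) return false;
  if (typeof introspection.exp === 'number' && introspection.exp <= nowSeconds) return false;
  return true;
}

// Call /introspect. fetchImpl is injectable so the flow can be exercised
// without network access. Every call counts against the org's rate limits,
// so a SPA should do this sparingly (e.g. on route change), not per API call.
async function introspectToken(token, fetchImpl = globalThis.fetch) {
  const req = buildIntrospectRequest(token);
  const res = await fetchImpl(req.url, { method: req.method, headers: req.headers, body: req.body });
  if (!res.ok) throw new Error(`introspect failed: HTTP ${res.status}`);
  return res.json();
}

// Constructed sample responses, shaped like an introspection result.
const SAMPLE_ACTIVE = { active: true, client_id: CLIENT_ID, token_type: 'Bearer', exp: 1700000600, scope: 'openid profile' };
const SAMPLE_REVOKED = { active: false };

console.log(buildIntrospectRequest('eyJ.constructed.token').body);
console.log('active sample usable:', isTokenUsable(SAMPLE_ACTIVE, 1700000000));
console.log('revoked sample usable:', isTokenUsable(SAMPLE_REVOKED, 1700000000));
```

The point of routing everything through `isTokenUsable` is that a SPA which only checks its locally cached token will keep treating user A as logged in after the logout from App1; only an `active: true` answer from /introspect (or an active Okta session) justifies keeping the local session alive, and the same request shape, with a refresh token and `token_type_hint=refresh_token`, is what the SPA sends to /revoke on its own logout.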