Can you revoke an Okta Session from a backend API?

Naive question:

I have a front-end UI that uses the okta-auth-js SDK. Is there any way I can make an API request to my backend server, which uses the okta-java-sdk to close the session via SessionApi.revokeSession(sessionId)? I’m not sure how to get the sessionId in my backend server since it’s an HTTP only cookie and I created the session from my front-end using the auth-js sdk.

Interestingly, I manually copied the HTTP session cookie from my browser into Postman and called DELETE sessions/${sessionId}, and it gave a 204, but my user was still logged in. Why would that be the case?

In general, how could I close the Okta session from the backend and have it log my user out in the front end?

If you run GET /api/v1/sessions/me in your browser (documented here) and then pass your session id to your backend, your backend can terminate it.

Use of the Sessions API has a caveat in that it is more limited in Okta Identity Engine; more information here: Understand how sessions work after the upgrade | Okta Developer

1 Like

Yup, thanks for the heads up @andrea, totally forgot about this thing!

1 Like

Just checked back in on this and noticed that the My Session Management endpoints link that appears on the docs page you sent (Understand how sessions work after the upgrade | Okta Developer) opens to the old api/v1/sessions/{sessionId} endpoints, not the latest api/v1/sessions/me endpoint(s) as it implies it should. I can’t find any mention of the sessions/me endpoint in that API doc page.

Here is the answer to your question as far as I know; let me know whether this helps you or not.

To close an Okta session from the backend and log the user out in the frontend, set up communication between them. The frontend sends a request to the backend with the session identifier. The backend then uses Okta’s SessionApi.revokeSession(sessionId) to revoke the session, and your frontend should clear its own session and update the UI accordingly.
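The two replies above describe the same procedure: the browser asks Okta for the current session via GET /api/v1/sessions/me (the HttpOnly cookie is sent automatically, so the page never needs to read it), hands the returned id to its own backend, and the backend revokes that id with DELETE /api/v1/sessions/{sessionId} using an API token, which is what SessionApi.revokeSession does. The following is an added example written for this thread, not code from the posters or from Okta's SDKs. It uses plain fetch against the REST endpoints so it runs stand-alone; the org URL, the backend route /logout, the session id, user id and API token values, and the fake fetch that stands in for Okta and the backend are all constructed placeholders. Because the session id arrives from an untrusted client, the backend half looks the session up first and only revokes it if it belongs to the user the backend has already authenticated.

```javascript
// Added example for this thread (not Okta SDK code). Org URL is an assumed placeholder.
const OKTA_ORG = 'https://dev-000000.okta.com';
const BACKEND_LOGOUT_ROUTE = '/logout'; // assumed route on our own backend

// Browser side: resolve the HttpOnly session cookie to a session id by asking Okta.
// GET /api/v1/sessions/me returns the Session object, or 404 when there is no session.
async function currentSessionId(fetchFn) {
  const res = await fetchFn(`${OKTA_ORG}/api/v1/sessions/me`, {
    method: 'GET', credentials: 'include', headers: { Accept: 'application/json' },
  });
  if (res.status === 404) return null;
  if (!res.ok) throw new Error(`sessions/me failed: ${res.status}`);
  return (await res.json()).id;
}

// Browser side: send the id to our backend, then clear local state regardless.
// Closing the Okta session does not by itself log the SPA out: tokens cached by
// okta-auth-js stay usable until they expire, so the caller passes a callback that
// clears them (e.g. authClient.tokenManager.clear() in the real app).
async function logoutViaBackend(fetchFn, clearLocalTokens) {
  const sessionId = await currentSessionId(fetchFn);
  if (sessionId !== null) {
    const res = await fetchFn(BACKEND_LOGOUT_ROUTE, {
      method: 'POST', credentials: 'include',
      headers: { 'Content-Type': 'application/json' },
      body: JSON.stringify({ sessionId }),
    });
    if (!res.ok) throw new Error(`backend logout failed: ${res.status}`);
  }
  clearLocalTokens();
  return sessionId;
}

// Backend side: revoke a session by id with an Okta API token (SSWS header), which is
// the call SessionApi.revokeSession makes. The id is untrusted input, so validate its
// shape, fetch the Session object, and refuse unless session.userId matches the user
// the backend has already authenticated. Returns 'revoked', 'not-found' or 'forbidden'.
async function revokeSessionForUser(fetchFn, apiToken, sessionId, expectedUserId) {
  if (!/^[A-Za-z0-9_-]+$/.test(sessionId)) throw new Error('bad session id');
  const headers = { Authorization: `SSWS ${apiToken}`, Accept: 'application/json' };
  const url = `${OKTA_ORG}/api/v1/sessions/${encodeURIComponent(sessionId)}`;

  const lookup = await fetchFn(url, { method: 'GET', headers });
  if (lookup.status === 404) return 'not-found';
  if (!lookup.ok) throw new Error(`session lookup failed: ${lookup.status}`);
  if ((await lookup.json()).userId !== expectedUserId) return 'forbidden';

  const del = await fetchFn(url, { method: 'DELETE', headers });
  if (del.status === 204) return 'revoked';      // Okta answers 204 No Content on success
  if (del.status === 404) return 'not-found';    // already closed or expired
  throw new Error(`revoke failed: ${del.status}`);
}

// Constructed stand-in for the network: a fake fetch that behaves like an Okta org
// holding one active session for user 00u1, plus our backend's /logout route, so the
// whole flow can be exercised offline. All ids and the token are made-up values.
function makeFakeFetch(apiToken) {
  const sid = '102oMlfRrb1SB5iHK';
  const sessions = new Map([[sid, { id: sid, userId: '00u1', status: 'ACTIVE' }]]);
  const json = (status, body) => ({ status, ok: status >= 200 && status < 300, json: async () => body });
  return async function fakeFetch(url, opts = {}) {
    const method = opts.method || 'GET';
    if (url === BACKEND_LOGOUT_ROUTE) { // our backend, acting for the authenticated user 00u1
      const { sessionId } = JSON.parse(opts.body);
      const result = await revokeSessionForUser(fakeFetch, apiToken, sessionId, '00u1');
      return json(result === 'forbidden' ? 403 : 200, { result });
    }
    if (url.endsWith('/api/v1/sessions/me')) { // cookie-authenticated browser call
      const s = sessions.get(sid);
      return s ? json(200, s) : json(404, {});
    }
    const m = url.match(/\/api\/v1\/sessions\/([^/]+)$/); // API-token calls
    if (m && (opts.headers || {}).Authorization === `SSWS ${apiToken}`) {
      const s = sessions.get(m[1]);
      if (!s) return json(404, {});
      if (method === 'DELETE') { sessions.delete(m[1]); return { status: 204, ok: true, json: async () => null }; }
      return json(200, s);
    }
    return json(401, {});
  };
}
```

Run against a real org, `fetchFn` is the browser's `fetch` on the front end and your server's HTTP client on the back end; the 204 the original poster saw from Postman is the expected success response, and the "still logged in" symptom is the cached tokens that `clearLocalTokens` exists to remove.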

For anyone who stumbles upon this later, our docs have been corrected and the /sessions/me endpoint is listed in our Sessions API docs, e.g. Close Current Session | Okta Developer