Can't sign out from app without signing out from Okta

Hey everyone!
I’m creating an SPA and we need the user to be able to sign out from the application without signing out from Okta entirely.
What we are trying to achieve is that if the user clicks the logout button they are logged out and the tab closes or you get redirected to the Okta dashboard.
I tried following this guide: https://developer.okta.com/docs/guides/sign-users-out/react/main/#sign-users-out-of-your-app
But when I click the logout button the page refreshes and the user is logged right back in.
Am I missing something?
If I use oktaAuth.signOut() the user is correctly signed out but he is also signed out of Okta and any other app.

Don’t use signOut() if you don’t want the /logout endpoint used to end the user’s Okta session. This method does several things to completely log the user out, but you only want to do two of them: clear tokens from storage and revoke tokens.

Instead use the functions that signOut calls to do this (same as the guide you linked to):

Now, when you do the clear(), it sounds like your user is automatically getting forced to reauthenticate. Are you clearing their tokens on a SecureRoute where auth is required? Are you attempting to redirect them after you clear the tokens (as the /logout endpoint is handling this for you when you use signOut()) to prevent this re-authentication from occurring?
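
The sequence this answer describes (revoke the tokens, clear them from storage, then redirect), as an added example that is not part of the original post or of Okta's guide. `signOutOfAppOnly`, `leaveApp` and `destination` are hypothetical names, and `oktaAuth` is assumed to be the app's okta-auth-js instance.

```javascript
// Added example: app-only sign-out for an SPA using @okta/okta-auth-js.
// `oktaAuth` is the app's OktaAuth instance (assumption); `leaveApp` and
// `destination` are hypothetical names for "navigate off the protected routes".
// e.g. signOutOfAppOnly(oktaAuth, (url) => window.location.assign(url), dashboardUrl)
async function signOutOfAppOnly(oktaAuth, leaveApp, destination) {
  // Read the tokens before anything is cleared, so they can still be revoked.
  const { accessToken, refreshToken } = await oktaAuth.tokenManager.getTokens();
  const errors = [];

  // Revoke the refresh token first: while it is valid it can mint new access tokens.
  const steps = [
    ['revokeRefreshToken', refreshToken],
    ['revokeAccessToken', accessToken],
  ];
  for (const [name, token] of steps) {
    if (!token) continue; // nothing of this kind was issued to the app
    try {
      await oktaAuth[name](token);
    } catch (err) {
      // Record the failure but keep going, so a network error cannot
      // leave usable tokens behind in browser storage.
      errors.push({ step: name, message: String((err && err.message) || err) });
    }
  }

  // Always drop the local copies, even when a revoke call failed.
  oktaAuth.tokenManager.clear();

  // Leave last. signOut() is deliberately never called, so the Okta
  // session (and the user's other apps) stays signed in.
  leaveApp(destination);

  return { revoked: errors.length === 0, errors };
}
```

Because the Okta session is left in place, `destination` has to be a page that does not start a login (a public route or the Okta dashboard); a route that requires authentication will obtain fresh tokens without prompting the user.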

Thanks for your reply Andrea!
I added revokeAccessToken and revokeRefreshToken and still have the same problem about the user being forced to reauthenticate.
And to answer your question, yes, the tokens are getting cleared on a SecureRoute. We have a common appbar for the entire SPA and when the user clicks on logout the following code gets executed:

    const _handleLogout = async () => {
      await oktaAuth.revokeAccessToken();
      await oktaAuth.revokeRefreshToken();
      oktaAuth.tokenManager.clear();
    };

I’ve also tried obtaining the tokens first and passing those as parameters like so:

    oktaAuth.tokenManager.getTokens().then(async (tokens) => {
      await oktaAuth.revokeAccessToken(tokens.accessToken)
      await oktaAuth.revokeRefreshToken(tokens.refreshToken)
      oktaAuth.tokenManager.clear();
    })

Without luck.
The user still gets signed in after signing out.
Should I redirect the user to a non-protected route first? Something like a “Signing out” page. And then clear the tokens?

I tried redirecting the user to a “logout page” that is outside of the protected routes and then revoking access and refresh tokens with no success. Any more ideas that I can try?

Has anyone found a solution for this? On signout the app is still not redirected to the login page. It is just stuck on the logout callback.