Clear User Session - Oauth tokens can not be revoked

erwang732 · November 30, 2017, 11:58pm

Hi,

I am trying to use Users Sessions api ( /api/v1/users/:uid/sessions) to clear all the sessions of user and revoke Oauth tokens at the same time.

The problem is that user’s sessions are destroyed but the Oauth tokens are not revoked.

This api is described here in the documentation:

The request headers are like this:

DELETE /api/v1/users/{uid}/sessions/?oauthTokens=true HTTP/1.1
Host: myorg.oktapreview.com
Accept: application/json
Content-Type: multipart/form-data;
Authorization: SSWS {apiKey}
Cache-Control: no-cache
Postman-Token: 4c331971-08bd-e696-c55f-835d3833d9fb

Do you guys have any idea about this?

Thanks a lot!

tom · December 1, 2017, 9:47pm

Hmm, how are you verifying that the user’s tokens are revoked? Are you using the token introspection endpoint? Or using a JWT verifier library?

erwang732 · December 1, 2017, 11:20pm

I am using Okta’s introspection endpoint.

tom · December 4, 2017, 3:36pm

What response are you getting back from the introspection endpoint? Just want to make sure I’m not missing anything here.

erwang732 · December 4, 2017, 6:42pm

The response is 204 No Content. After I called the introspection endpoint, user’s sessions were destroyed but the OAuth tokens were not revoked.

Post		Replies	Views
Clear User Sessions is not clearing id tokens i.e. user's Okta sessions, only clearing access token and refresh token Questions	2	5511	March 22, 2020
Revoke an user access token API	3	1928	February 16, 2024
Which API call should use to clear session from ALL applications. (OIDC Application) OAuth/OIDC	3	2603	February 13, 2024
Clearing Okta session SID cookie from the browser OAuth/OIDC	13	5004	February 12, 2024
Can okta support logout from one assigned app for all assigned apps? Questions	6	3998	June 10, 2020

Clear User Session - Oauth tokens can not be revoked

Related topics