Clear User Session - OAuth tokens cannot be revoked

Hi,

I am trying to use the User Sessions API (/api/v1/users/:uid/sessions) to clear all the sessions of a user and revoke OAuth tokens at the same time.

The problem is that the user’s sessions are destroyed but the OAuth tokens are not revoked.

This API is described here in the documentation:

The request headers are like this:

DELETE /api/v1/users/{uid}/sessions/?oauthTokens=true HTTP/1.1
Host: myorg.oktapreview.com
Accept: application/json
Content-Type: multipart/form-data;
Authorization: SSWS {apiKey}
Cache-Control: no-cache
Postman-Token: 4c331971-08bd-e696-c55f-835d3833d9fb

Do you guys have any idea about this?

Thanks a lot!

Hmm, how are you verifying that the user’s tokens are revoked? Are you using the token introspection endpoint? Or using a JWT verifier library?

I am using Okta’s introspection endpoint.

What response are you getting back from the introspection endpoint? Just want to make sure I’m not missing anything here.

The response is 204 No Content. After I called the introspection endpoint, the user’s sessions were destroyed but the OAuth tokens were not revoked.
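
Added example (not part of the thread and not Okta's own code): the check being discussed, written so that only an RFC 7662 introspection verdict changing from `active: true` to `active: false` across the DELETE call counts as proof of revocation. It assumes the org authorization server's introspection path `/oauth2/v1/introspect`, a public client identified by `client_id`, and constructed sample responses; the function names are hypothetical.

```python
import json
from urllib.parse import urlencode

ORG = "https://myorg.oktapreview.com"      # host from the thread
INTROSPECT_PATH = "/oauth2/v1/introspect"  # assumption: org authorization server

def clear_sessions_request(uid, api_key):
    """The DELETE call from the thread, asking for token revocation as well."""
    query = urlencode({"oauthTokens": "true"})
    return {
        "method": "DELETE",
        "url": f"{ORG}/api/v1/users/{uid}/sessions?{query}",
        "headers": {"Accept": "application/json",
                    "Authorization": f"SSWS {api_key}"},
    }

def introspect_request(token, client_id, hint="access_token"):
    """RFC 7662 introspection: a form-encoded POST carrying the token.
    Assumption: public client, so client_id travels in the body."""
    return {
        "method": "POST",
        "url": ORG + INTROSPECT_PATH,
        "headers": {"Accept": "application/json",
                    "Content-Type": "application/x-www-form-urlencoded"},
        "body": urlencode({"token": token, "token_type_hint": hint,
                           "client_id": client_id}),
    }

def token_state(status, body):
    """Classify an HTTP response as an introspection verdict."""
    if status != 200 or not body.strip():
        return "no-verdict"   # e.g. 204 No Content: there is no body to read
    try:
        claims = json.loads(body)
    except ValueError:
        return "no-verdict"
    if not isinstance(claims, dict) or not isinstance(claims.get("active"), bool):
        return "no-verdict"
    return "active" if claims["active"] else "inactive"

def revocation_confirmed(before, after):
    """Revocation is shown only by active -> inactive across the DELETE."""
    return token_state(*before) == "active" and token_state(*after) == "inactive"

# Constructed sample responses (status, body); not captured from a real org.
BEFORE = (200, '{"active": true, "token_type": "Bearer", "uid": "00uEXAMPLE"}')
AFTER_REVOKED = (200, '{"active": false}')
DELETE_RESPONSE = (204, "")
```

Introspect the same token once before and once after the DELETE and pass both `(status, body)` pairs to `revocation_confirmed`; a bodyless 204 yields `no-verdict` and is never treated as evidence either way.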