Clear User Sessions is not clearing id tokens i.e. user's Okta sessions, only clearing access token and refresh token

Test steps using Postman:
1. Get id token, access token, refresh token for a user via password credentials grant type:
   https://dev-xxxxxx.oktapreview.com/oauth2/default/v1/token
2. Save the 3 tokens in notepad.
3. Get new set of id token, access token, refresh token for the same user via password credentials grant type:
   https://dev-xxxxxx.oktapreview.com/oauth2/default/v1/token
4. Save the new set of 3 tokens in notepad.
5. Invoke as per Users | Okta Developer:
   https://dev-xxxxxx.oktapreview.com/api/v1/users/${userId}/sessions?oauthTokens=true

Expected result as per Okta doc:
All tokens for the user obtained via steps 1 and 3 revoked. All Okta sessions for the user blown away.

Actual result verified by invoking:
https://dev-xxxxxx.oktapreview.com/oauth2/default/v1/introspect
Access and refresh tokens obtained in steps 1 and 3 revoked.
Id tokens obtained in steps 1 and 3 still return active, which indicates that the user's Okta sessions have still not been blown away.

Could an Okta Engineer please conduct a similar postman test and confirm to me that this is not a bug since the doc says that ALL the user’s sessions will be cleared?
Removes all active identity provider sessions. This forces the user to authenticate on the next operation. Optionally revokes OpenID Connect and OAuth refresh and access tokens issued to the user.

I have also given the following early access feature a test drive:

Again, this feature only has the provision to revoke all refresh tokens, which also effectively revokes all access tokens associated with the revoked refresh tokens.
Great, all access and refresh tokens revoked, but here again I am not getting what I want, which is to also blow away all of a user's Okta sessions (id tokens).

Thanks,
Kapil.
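The Postman procedure above, scripted as an added example (not code from the post or from Okta). It assumes placeholder values for the org URL, a password-grant client id/secret, an SSWS API token and a user id, and assumes the Clear User Sessions call is a DELETE (per the Okta Users API); the HTTP transports are injectable so the revocation check can be exercised offline against a fake.

```python
# Added example (not from the post): scripted version of the Postman check above.
# Placeholders: ORG (the post's dev-xxxxxx org), client id/secret, SSWS token, user id.
import base64
import json
from urllib import parse, request

ORG = "https://dev-xxxxxx.oktapreview.com"          # placeholder org from the post
TOKEN_URL = f"{ORG}/oauth2/default/v1/token"
INTROSPECT_URL = f"{ORG}/oauth2/default/v1/introspect"
KINDS = ("id_token", "access_token", "refresh_token")

def _basic(client_id, client_secret):
    creds = f"{client_id}:{client_secret}".encode()
    return "Basic " + base64.b64encode(creds).decode()

def http_post(url, data, headers):
    req = request.Request(url, data=parse.urlencode(data).encode(),
                          headers=headers, method="POST")
    with request.urlopen(req) as resp:          # urllib adds the form Content-Type
        return resp.status, json.loads(resp.read() or b"{}")

def http_delete(url, headers):
    with request.urlopen(request.Request(url, headers=headers, method="DELETE")) as resp:
        return resp.status, {}

def password_grant(client_id, client_secret, username, password, post=http_post):
    """Steps 1 and 3: mint id, access and refresh tokens with the password grant."""
    form = {"grant_type": "password", "username": username, "password": password,
            "scope": "openid offline_access"}
    _, body = post(TOKEN_URL, form, {"Authorization": _basic(client_id, client_secret)})
    return {kind: body[kind] for kind in KINDS}

def clear_sessions(api_token, user_id, delete=http_delete):
    """Step 5: DELETE /api/v1/users/{id}/sessions?oauthTokens=true (204 on success)."""
    status, _ = delete(f"{ORG}/api/v1/users/{user_id}/sessions?oauthTokens=true",
                       {"Authorization": f"SSWS {api_token}"})
    return status == 204

def still_active(client_id, client_secret, token_sets, post=http_post):
    """Introspect every saved token; return (set index, kind) for each still active."""
    auth = {"Authorization": _basic(client_id, client_secret)}
    leftovers = []
    for i, tokens in enumerate(token_sets):
        for kind in KINDS:
            _, body = post(INTROSPECT_URL, {"token": tokens[kind], "token_type_hint": kind}, auth)
            if body.get("active"):
                leftovers.append((i, kind))
    return leftovers
```

Run `password_grant` twice, `clear_sessions` once, then `still_active` over both token sets; an empty list is the documented outcome, while entries of kind `id_token` reproduce what the post reports.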

Did you try the …/oauth2/default/v1/logout endpoint?

It is defined in the authz server metadata under “end_session_endpoint”

