Clearing Okta session SID cookie from the browser

I have an SPA OIDC app configured in our custom tenant for the auth code PKCE flow. I get a session token from Okta's authn URL /api/v1/authn. I then use this session token to kick off the OIDC flow.

    // Exchange the session token (from /api/v1/authn) for OIDC tokens without a redirect
    this.oktaAuth.token.getWithoutPrompt({
      sessionToken: this.state.sessionToken
    }).then(response => {
      console.log("OKTA tokens from session token");
      this.setState({
        accessToken: response.tokens.accessToken.accessToken,
        refreshToken: response.tokens.refreshToken.refreshToken
      });
    })
    .catch(function(err) {
      console.log('err - getTokenWithoutPromptWithSessionToken: ' + err);
      console.log(err);
    });

I have the below code base to log out the user. The access and refresh tokens are revoked but not the Okta sid cookie. When the session token of a different identity gets passed in getWithoutPrompt, I am getting OIDC tokens associated to the prior user logged in. It seems like getWithoutPrompt is giving the Okta sid cookie precedence over the session token.

// Revoke the OIDC tokens held by the token manager (both calls return promises)
oktaAuth.revokeAccessToken();
oktaAuth.revokeRefreshToken();

// End the Okta browser session (DELETE /api/v1/sessions/me)
oktaAuth
  .closeSession()
  .then((response) => {
    console.log('closeSession' + response);
  })
  .catch((e) => {
    if (e.xhr && e.xhr.status === 429) {
      console.log('closeSessionIssue' + e.xhr);
    }
  });

Is signOut() more suitable to revoke the OIDC tokens and the Okta sid cookie?

Yes, signOut() with default options will revoke the access token and refresh token for you.

It makes a request to the /logout endpoint which will also remove the Okta browser session.

2 Likes

So I have the below code base for signOut(). It does delete the Okta sid cookie but not the Okta access token. When I call the introspect URL oauth2/{{customAuthzServer}}/v1/introspect my access token is still active.

    this.oktaAuth.signOut({
      postLogoutRedirectUri: 'https://localhost.test.example.com:3000/login-ui/refresh'
    });

If you inspect the network requests via the browser developer tools, are you able to see the /revoke requests?

No, it's not calling revoke. But it's calling https://{customAuthzDomain}/api/v1/sessions/me with the DELETE method.

Revoke would be the appropriate call based on the docs.

Also, if revoke and then logout are called, it deletes the sid and revokes the access and refresh tokens. The logout URL has the id_token as per below. Is the id_token picked from the local token manager, or does Okta know about the id_token based on the Okta sid cookie?

(https://{customOktaDomain}/oauth2/{authZServer}/v1/logout?id_token_hint={id_token}&post_logout_redirect_uri=https://localhost.example.com:3000/callback)

It is the id_token from tokenManager, which I believe defaults to localStorage.

I have the tokenManager set to

tokenManager: {
  storage: sessionStorage,
},

So under what situation do /revoke and /logout get called, as compared to the DELETE method on sessions/me, through the signOut method in the okta-auth-js SDK?

The DELETE call to /sessions/me is the fallback option when /logout can not be used, such as if tokens are not found in storage.

So can I call /logout directly from my JavaScript app and use it to revoke OIDC tokens, or call the /revoke endpoint directly from JavaScript with the access token of the identity? Or is there any other way to revoke the tokens from my JavaScript? Also, I tried oktaAuth.revokeRefreshToken and oktaAuth.revokeAccessToken and they didn't work for me. In our SPA, when a user clicks logout, it goes to a downstream service to delete an additional company-wide token and it redirects back to our UI logout page. I think when it redirects, the token manager is lost and hence oktaAuth.revokeRefreshToken and oktaAuth.revokeAccessToken don't work.

You can call /logout manually, but it won't revoke the tokens; it would only clear your Okta browser session.

If you move oktaAuth.revokeRefreshToken and oktaAuth.revokeAccessToken before the redirect occurs, does it still fail?

1 Like

Yes, it does fail.

So in my case, once the OIDC flow is successful in our login SPA it redirects to another UI (let's say SPA Z) within our company. If the user wants to log out, it (SPA Z) calls our backend service to revoke the company-wide SSO token and then the backend service redirects to the login SPA /logout page. I think because it redirects back to the login SPA app, we don't have the TokenManager where the OIDC tokens are accessible.

So one solution I tried is: once the OIDC flow is successful, my login SPA app stores the access and refresh token objects in local storage, and when the login SPA is accessed for the logout operation from another UI, it reads the access and refresh token objects from local storage and passes them to the oktaAuth.signOut() method. Also, calling signOut() deletes the Okta session (i.e. the sid cookie).

oktaAuth.signOut({
  accessToken: JSON.parse(localStorage.getItem('accessToken')),
  refreshToken: JSON.parse(localStorage.getItem('refreshToken')),
  postLogoutRedirectUri: myDomain + '/loginUi/logout/',
});

Or another way to revoke the access and refresh tokens:

// Each token goes to its own revoke method (the original second line called
// revokeRefreshToken with the access token by mistake)
oktaAuth.revokeRefreshToken(refreshToken);
oktaAuth.revokeAccessToken(accessToken);

Please do let me know if there is any other way
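As an added example (not okta-auth-js code and not code from any post in this thread), the following models the sign-out paths the replies describe: revoke the access and refresh tokens, redirect to /logout with id_token_hint when an ID token is available, and fall back to DELETE /api/v1/sessions/me when it is not. It also shows why the last post's approach of passing persisted tokens into signOut restores the revoke calls after a cross-app redirect has emptied sessionStorage. The org URL, issuer, client id, token strings and the recording `http` client are constructed placeholders; the endpoint paths are the ones quoted in the thread.

```javascript
// Added example: models the sign-out decision discussed in this thread.
// Not okta-auth-js code; OKTA_ORIGIN, ISSUER, CLIENT_ID, the token strings and
// the recording `http` client are constructed placeholders.

const OKTA_ORIGIN = 'https://example.okta.com';      // placeholder org URL
const ISSUER = `${OKTA_ORIGIN}/oauth2/default`;      // placeholder custom authz server
const CLIENT_ID = '0oa-placeholder-client-id';        // placeholder client id

// Minimal synchronous stand-in for an HTTP client; it records each call so the
// example runs offline. A real client would return promises.
function makeRecordingClient() {
  const calls = [];
  return {
    calls,
    post(url, form) { calls.push({ method: 'POST', url, form }); return { status: 200 }; },
    del(url)        { calls.push({ method: 'DELETE', url });      return { status: 204 }; },
  };
}

// RFC 7009 revocation request; Okta's revoke endpoint lives under the issuer.
function revokeToken(http, token, tokenTypeHint) {
  return http.post(`${ISSUER}/v1/revoke`, {
    client_id: CLIENT_ID,
    token,
    token_type_hint: tokenTypeHint,
  });
}

// RP-initiated logout URL in the form quoted earlier in the thread.
function buildLogoutUrl(idToken, postLogoutRedirectUri) {
  const params = new URLSearchParams({
    id_token_hint: idToken,
    post_logout_redirect_uri: postLogoutRedirectUri,
  });
  return `${ISSUER}/v1/logout?${params.toString()}`;
}

// Sign-out decision: tokens passed explicitly win over tokens read from the
// token-manager store; with no id_token the only option left is the session API.
function signOut(http, store, opts) {
  const accessToken  = opts.accessToken  ?? store.accessToken  ?? null;
  const refreshToken = opts.refreshToken ?? store.refreshToken ?? null;
  const idToken      = opts.idToken      ?? store.idToken      ?? null;

  // Revocation happens only for tokens we actually hold.
  if (accessToken)  revokeToken(http, accessToken, 'access_token');
  if (refreshToken) revokeToken(http, refreshToken, 'refresh_token');

  if (idToken) {
    return { mode: 'logout', redirectTo: buildLogoutUrl(idToken, opts.postLogoutRedirectUri) };
  }
  // Fallback: end the Okta browser session directly. This clears the sid cookie
  // but leaves any still-valid OIDC tokens untouched.
  http.del(`${OKTA_ORIGIN}/api/v1/sessions/me`);
  return { mode: 'sessions/me', redirectTo: opts.postLogoutRedirectUri };
}

// Scenario 1: logout page reached after a redirect that emptied sessionStorage.
function scenarioEmptyStore() {
  const http = makeRecordingClient();
  const result = signOut(http, {}, { postLogoutRedirectUri: 'https://login.example.test/logout' });
  return { result, calls: http.calls };
}

// Scenario 2: tokens persisted by the login SPA are handed to signOut explicitly.
function scenarioExplicitTokens() {
  const http = makeRecordingClient();
  const saved = {                                    // constructed token values
    accessToken: 'access-token-constructed',
    refreshToken: 'refresh-token-constructed',
    idToken: 'id-token-constructed',
  };
  const result = signOut(http, {}, { ...saved, postLogoutRedirectUri: 'https://login.example.test/logout' });
  return { result, calls: http.calls };
}

// Stand-alone run: print the request sequence each scenario produces.
console.log('empty store:', JSON.stringify(scenarioEmptyStore().calls));
console.log('explicit tokens:', JSON.stringify(scenarioExplicitTokens().calls));
```

In the first scenario no /revoke request is issued at all, which matches the introspect result reported above: the sid cookie is gone but the access token stays active until it expires. Passing the tokens explicitly, or calling revoke before the cross-app redirect, is what restores the two POST /revoke calls. Anything persisted in localStorage is readable by every script on that origin, so the persisted copy should be the smallest set needed for sign-out and be cleared as soon as signOut has run.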