Clearing 'okta-token-storage' from local storage not signing out the user, i.e., user is not redirected to login page

We use @okta/okta-auth-js 4.7 and @okta/okta-react 4.6 Okta SDKs in our application for authentication. On login, ‘okta-token-storage’ and ‘okta-cache-storage’ get added to localStorage by the SDKs, and deleting them would log out of the application and redirect to the login page.
Since these versions are deprecated, we have upgraded these two packages to the latest versions, i.e., @okta/okta-auth-js 7.2.0 and @okta/okta-react 6.7.0, in which clearing ‘okta-token-storage’ explicitly from the local storage does not directly send the user back to the login page. Earlier, with the older versions, this was the case. Did something change in the Okta SDK w.r.t. this functionality?

Thanks

Hello,

There have been changes to behavior from 4.x to 7.x; see the migrating doc.

The above migration documentation assumes you are using the SDK exposed functions to do things like log a user out, revoke/remove tokens, etc.

If you are manually clearing local storage of a browser to remove token storage we won’t have behavioral differences between versions documented.

This is not tested since it is not a documented use case of the SDK. Okta suggests using the appropriate sign-out options the SDK exposes.

Thank you,

We have a separate logout button in our UI that calls the SDK’s sign-out method, which works fine.

The clearing of ‘okta-token-storage’ from the local storage is added as part of our post-deployment tests, in which we are facing the above-mentioned issue.

You may want to rethink the deployment tests. You never should have been checking for that behavior.

The point of clearing local storage of tokens is to force the application to request new tokens when it needs them, not to land at the login page. It never has been, even in v4, although you could get that behavior. If the application requests a new token and the browser still has a valid Okta session, you should not land at the login page; a new token should be granted without the user noticing.

To abandon the session the “sid” cookie in Okta Classic or the “idx” cookie in Okta Identity Engine needs to be cleared. But that isn’t a cookie on your app, it’s a cookie on the org URL. And that is what the sign out does, it redirects the browser through Okta, clears the cookie, and lands on the logout URL you have configured for the application. Which may redirect you right back to authentication, but it doesn’t have to; lots of applications have a non-logged-in landing page.

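Added model (not Okta SDK code, not from the thread) of why the reply above says clearing token storage and signing out are different things: browser storage is partitioned per origin, so the app's localStorage and the org's session cookie are separate, and only the logout redirect through the org clears the cookie. The origins, the post-logout URI, the cookie name used for the session and the token values are assumed placeholders.

```javascript
const APP_ORIGIN = "https://app.example.test", ORG_ORIGIN = "https://example.okta.test"; // assumed
const POST_LOGOUT_URI = APP_ORIGIN + "/logged-out"; // assumed configured logout redirect
// Browser storage is partitioned per origin: the app's localStorage and the org's
// cookie jar are separate buckets, so clearing one never touches the other.
class Browser {
  constructor() { this.buckets = new Map(); this.location = APP_ORIGIN; }
  bucket(kind, origin) {
    const key = kind + "@" + origin;
    if (!this.buckets.has(key)) this.buckets.set(key, new Map());
    return this.buckets.get(key);
  }
}
// Org side: interactive login sets the session cookie ("idx" on Identity Engine);
// while it exists, an authorize call with prompt=none mints tokens silently.
class OktaOrg {
  constructor(browser) { this.browser = browser; this.issued = 0; }
  get cookies() { return this.browser.bucket("cookies", ORG_ORIGIN); }
  interactiveLogin() { this.cookies.set("idx", "session-1"); return this.issueToken(); }
  authorizeWithoutPrompt() { return this.cookies.has("idx") ? this.issueToken() : { error: "login_required" }; }
  issueToken() { return { accessToken: "at-" + (++this.issued) }; } // constructed token values
  // /logout: clears the org cookie, then redirects to the configured post-logout URI
  endSession() { this.cookies.delete("idx"); this.browser.location = POST_LOGOUT_URI; }
}
// App side: tokens live under "okta-token-storage"; a missing token triggers a silent renewal first.
class App {
  constructor(browser, org) { this.browser = browser; this.org = org; }
  get storage() { return this.browser.bucket("localStorage", APP_ORIGIN); }
  login() { this.storage.set("okta-token-storage", this.org.interactiveLogin()); }
  getAccessToken() {
    let t = this.storage.get("okta-token-storage");
    if (!t) {
      t = this.org.authorizeWithoutPrompt();
      if (t.error) { this.browser.location = APP_ORIGIN + "/login"; return null; }
      this.storage.set("okta-token-storage", t);
    }
    return t.accessToken;
  }
  signOut() { this.storage.delete("okta-token-storage"); this.org.endSession(); }
}
// What a post-deployment test observes: where the browser landed right after the
// action, and what the app gets when it next needs a token.
function endSessionScenario(viaSignOut) {
  const b = new Browser(), app = new App(b, new OktaOrg(b));
  app.login();
  if (viaSignOut) app.signOut();
  else b.bucket("localStorage", APP_ORIGIN).delete("okta-token-storage"); // the thread's test
  const landed = b.location;
  return { landed, token: app.getAccessToken(), location: b.location };
}
```

Running `endSessionScenario(false)` yields a fresh token with the browser still on the app, while `endSessionScenario(true)` lands on the post-logout URI and the next token request fails with `login_required`.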