This week I’ve been trying to learn how to externally expire a specific user’s session with our Angular application. The main purpose of this was to troubleshoot a problem we’re having with expired sessions. However, I found it impossible to actually accomplish this task.
To attempt to better understand the issue and simplify things, I created a basic new Angular app and added Okta auth support using the Okta schematics as described in the documentation. The result is extremely simple and only has a basic login button that redirects to a login form; once authenticated, you are returned to the application and the “logout” button is visible. Dead simple, and it works fine. I found that I couldn’t externally expire the session in the simple application either.
I’ve tried the “Close Session” and “Clear User Sessions” API calls from here and here respectively.
In both cases I could refresh the Angular application and I was still logged in. However, every time I use one of the above methods, it does log me out of the Okta Dashboard for my Okta developer domain. So those calls are doing something, but they don’t seem to be having an effect on my Angular applications…
Am I missing something here? Do I need to do something extra in the Angular configuration to ensure that it’s always validating the session? I’m pretty sure those Clear Session calls are working, but it doesn’t seem like the Angular app is honoring the state. I’m really stuck here and would really appreciate any insight anyone could provide.
Have you figured out how the session is handled in your Angular app? I haven’t tried it, but I have a feeling that it might be using the access token received from Okta or some other mechanism, rather than being tied to the Okta session.
We’re not doing anything odd; just what you get right from the Angular instructions in the Okta documentation. We use the OktaAuthGuard for “canActivate” in the Routing module. For API access, again, we’re using code based on the Angular examples in the Okta documentation that uses an HTTP Interceptor to add a bearer token header to API related requests. That token is gained by calling the “getAccessToken()” method of OktaAuthService from the Okta-Angular package. This is all right down the line exactly what is described in the documentation. Authentication works fine and access to the API works fine as long as the bearer token header is inserted (401 is returned otherwise).
I’ve re-created two additional extremely clean reference applications to try to determine where the problem is and in each the results are exactly the same. If I use any external method (Okta API calls using curl) to clear the session, I’m successfully signed out of the Okta Dashboard, but not my Angular application. Refreshing the Angular application does not present a challenge for fresh credentials, and API calls continue to work without generating a 401 status response. The expected behavior would be exactly what I’m seeing from the Okta dashboard. I expect that if I refresh the application I should see the login view, or if I try an API call, I should receive a 401 status response.
Now, are you saying that the generated token and the session are not connected? Even if that were true, and that alone confuses me, wouldn’t that mean that only the API calls would continue to work? Shouldn’t we still be signed out of the Angular app?
Based on everything I’ve observed so far, I’m definitely missing something fundamental here. Not just on the code side, but with Okta in general. Anything anyone can do to help shove me in the right direction would be seriously appreciated.
@phi1ipp is right, the reason your users are still logged into the Angular application is because you only ended their Okta session, but the Angular SDK checks if a user isAuthenticated by checking if there are tokens for the user available via getToken and getAccessToken, as noted in the docs.
By default, OktaAuthService.isAuthenticated will return true if both getIdToken() and getAccessToken() return a value.
If you want to log users out of the Angular application, the tokens will need to be removed. If the logout is being initiated in the user’s browser, this can be done via the logout method.
If you want to log them out by using a back-end call instead, you can use the Users endpoint to end the user’s Okta session AND revoke all of the user’s refresh and access tokens by setting the oauthTokens parameter to 'true' in your request.
Thank you for such a quick reply. When I first read this, I thought it was the answer to my problem, but no such luck. As I’ve said before I must perform this logout completely external to the Angular application. Creating a logout process in the application is easy. I’ve done it, it works fine.
I tried the API method using curl as you described. I was already attempting to use the “Users” endpoint, but without the oauthTokens parameter. After your response, I tried it with the parameter. “…/sessions?oauthTokens=true”. Unfortunately, the results were identical. I receive a 204 as expected, I’m signed out of the Okta Dashboard, as expected, but I am not signed out of the Angular application and API calls continue to function normally.
This should happen instantly, right? Is there another approach for Okta authN/Z I should be using for my Angular application that will mirror the experience I see with the Okta Dashboard? Immediately after killing the session, if I refresh the Okta Dashboard, I’m routed to the Login view. This is what I’m expecting for my application.
@andrea Hi, I’m having the same issue here. I called this API Users | Okta Developer with oauthTokens=TRUE, but it didn’t log out the user. How can I solve this issue? Thanks!
If the goal is to log users out of an application, then the application session is the one that needs clearing. Logging the user out of Okta or just revoking their tokens won’t achieve this; you would need a way to purge the application session (if using our Angular or one of our other JS SDKs, this would involve clearing the tokens from the tokenManager).
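The two replies above make the same point: the SDK treats locally cached tokens as the application session, so an Okta-side session kill is invisible to the app until the client asks Okta whether the browser session still exists and, if not, purges its own tokens. The following is an added example written for this thread, not code from the thread, from Okta, or from the okta-angular package. It models the client with a minimal interface; the method names `session.exists()`, `tokenManager.clear()` and `getAccessToken()` are assumed to match the Okta auth-js client, and `makeFakeClient` is a constructed stand-in so the logic runs without the SDK or a network.

```typescript
// Added example (not from the thread or the Okta SDK): reconcile the
// application's local token state with the Okta browser session.
//
// Assumed client surface (labelled assumption): `session.exists()`
// resolves to a boolean, `tokenManager.clear()` drops stored tokens,
// `getAccessToken()` returns the cached access token or undefined.
export interface SessionAwareAuthClient {
  session: { exists(): Promise<boolean> };
  tokenManager: { clear(): void };
  getAccessToken(): string | undefined;
}

export type AuthState = 'authenticated' | 'signed_out' | 'unknown';

/**
 * Intended to run on application bootstrap (or from a route guard) instead
 * of trusting cached tokens alone. If Okta reports no live session, the
 * local tokens are purged so an isAuthenticated-style check fails and the
 * guard redirects to login, mirroring what the Okta dashboard does on refresh.
 */
export async function reconcileAuthState(client: SessionAwareAuthClient): Promise<AuthState> {
  if (!client.getAccessToken()) {
    // Nothing cached locally: already signed out from the app's perspective.
    return 'signed_out';
  }
  let sessionAlive: boolean;
  try {
    sessionAlive = await client.session.exists();
  } catch {
    // Network or CORS failure: the session state is unknown. Do not destroy
    // a possibly valid login on a transient error; let the caller retry.
    return 'unknown';
  }
  if (!sessionAlive) {
    // Okta session was ended externally (e.g. the Users sessions endpoint):
    // remove the tokens that keep the Angular app "logged in".
    client.tokenManager.clear();
    return 'signed_out';
  }
  return 'authenticated';
}

// Constructed fake client so the behaviour can be exercised offline.
export function makeFakeClient(opts: {
  token?: string;
  sessionExists?: boolean;
  fail?: boolean;
}): SessionAwareAuthClient & { cleared: boolean } {
  let token = opts.token;
  const fake: SessionAwareAuthClient & { cleared: boolean } = {
    cleared: false,
    session: {
      exists: async () => {
        if (opts.fail) throw new Error('constructed network error');
        return opts.sessionExists === true;
      },
    },
    tokenManager: {
      clear: () => {
        token = undefined;
        fake.cleared = true;
      },
    },
    getAccessToken: () => token,
  };
  return fake;
}
```

Wiring this into Angular would mean calling `reconcileAuthState` from an `APP_INITIALIZER` or from the route guard before `isAuthenticated` is consulted; the 'unknown' branch is deliberate, since treating a transient lookup failure as a logout would sign users out on every network hiccup.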