Delete /api/v1/users/${userId}/sessions with accessToken

abhigts1 · July 6, 2023, 12:52am

I am trying to call '/api/v1/users/${userId}/sessions’ delete API in .net6. I captured the access token during OpenIdConnectEvents.OnTokenValidated.
When I try to call it via the API token, it works fine. But if I am trying to use the accessToken, I get a 403 error stating invalid session. What could be the reason to it.

{
    "errorCode": "E0000005",
    "errorSummary": "Invalid session",
    "errorLink": "E0000005",
    "errorId": "oael83e1QQxSNuHOlE0VkqBuA",
    "errorCauses": []
}

andrea · July 6, 2023, 8:41pm

This endpoint requires Admin permissions, so if the token you are using was issued to an end user, the call will fail.

abhigts1 · July 7, 2023, 1:45am

This brings me back to where I started. So basically in our identity Server we use an upstream Identity Provider which can be okta. Now I want to sign out a user from okta. I want to do this only on c# and not in the client side. This functionality should not be restricted to admins as users too should be able to logout.

Things I have tried -

Capturing the token during login (but on decoding the token, scopes is not present in it)
Trying to generate a new token via clientCredentials flow but get the same error there.

Could you please help me with this?