Force Session Expiration Cookie

The Okta IdP session (a session cookie on the Okta domain) is separate from the OIDC application session (tokens). They function independently and the expiration of one will not affect the lifetime of the other.

If you want to end a user’s session server-side, you will need to know their session id and make a DELETE to /api/v1/sessions/{{sessionId}}.

If you can end it client-side, you can either use the /logout endpoint or make a CORS request to DELETE /api/v1/sessions/me.

One way you could get this session ID is to store it within the user’s access tokens via the token inline hook. See this post for how to do that: Validate access token is linked to Okta session - #2 by andrea.

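The server-side path from the answer above, written out as an added example (it is not code from the post or from Okta): read the Okta session id that a token inline hook placed in the access token, then call `DELETE /api/v1/sessions/{sessionId}` with an API token. The claim name `okta_session_id`, the org URL `https://example.okta.com`, the `OKTA_API_TOKEN` environment variable and the sample token are all assumptions or constructed values; only the endpoint, the `SSWS` authorization scheme and the 204/404 responses come from the Okta Sessions API.

```python
"""End an Okta IdP session server-side using a session id carried in an access token.

Added example. Assumed (not from the post): the token inline hook adds a custom
claim named "okta_session_id"; an Okta API token is in OKTA_API_TOKEN; the org
URL is a placeholder.
"""
import base64
import json
import os
import urllib.error
import urllib.parse
import urllib.request

SESSION_CLAIM = "okta_session_id"  # assumed name of the claim the inline hook adds


def jwt_payload(token: str) -> dict:
    """Decode the payload of a compact JWS. This only parses: the resource server
    must already have validated signature, issuer, audience and expiry against
    the authorization server's JWKS before any claim is trusted."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWS")
    payload = parts[1]
    payload += "=" * (-len(payload) % 4)  # restore base64url padding
    return json.loads(base64.urlsafe_b64decode(payload))


def session_id_from_token(token: str) -> str:
    """Return the Okta session id the inline hook embedded, or fail loudly."""
    sid = jwt_payload(token).get(SESSION_CLAIM)
    if not sid:
        raise KeyError(f"access token carries no {SESSION_CLAIM} claim")
    return sid


def build_delete_session_request(org_url: str, api_token: str, session_id: str) -> urllib.request.Request:
    """Build DELETE {org}/api/v1/sessions/{sessionId} authenticated with an SSWS API token."""
    url = f"{org_url.rstrip('/')}/api/v1/sessions/{urllib.parse.quote(session_id, safe='')}"
    return urllib.request.Request(
        url,
        method="DELETE",
        headers={"Authorization": f"SSWS {api_token}", "Accept": "application/json"},
    )


def _send(req: urllib.request.Request) -> int:
    """Perform the request and return the HTTP status code."""
    try:
        with urllib.request.urlopen(req, timeout=10) as resp:
            return resp.status
    except urllib.error.HTTPError as err:
        return err.code


def end_session(org_url: str, api_token: str, session_id: str, send=_send) -> bool:
    """True if Okta ended the session (204), False if it no longer existed (404).
    `send` is injectable so the call can be exercised without network access."""
    status = send(build_delete_session_request(org_url, api_token, session_id))
    if status == 204:
        return True
    if status == 404:
        return False
    raise RuntimeError(f"unexpected status {status} ending session")


def make_sample_token(claims: dict) -> str:
    """Constructed, unsigned sample token for demonstration only."""
    b64 = lambda obj: base64.urlsafe_b64encode(json.dumps(obj).encode()).rstrip(b"=").decode()
    return f"{b64({'alg': 'RS256', 'typ': 'JWT'})}.{b64(claims)}.CONSTRUCTED_SIGNATURE"


if __name__ == "__main__":
    token = make_sample_token({"sub": "user@example.com", SESSION_CLAIM: "CONSTRUCTED_SESSION_ID"})
    sid = session_id_from_token(token)
    ended = end_session("https://example.okta.com", os.environ.get("OKTA_API_TOKEN", "PLACEHOLDER"), sid)
    print("session ended" if ended else "session already gone")
```

Ending the IdP session this way does not revoke the application's access or refresh tokens; those stay valid until they expire or are revoked separately, which is the independence the answer describes.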