How do I kill a Session on Demand?

I need to be able to effectively sign an account out of our application on demand to test a problem we’re having in our Angular (v9) application that’s using Okta (okta-angular). I was trying to use the “Close Session” API call (https://developer.okta.com/docs/reference/api/sessions/#close-session) using “curl” which appears to work as it returns a “204” (it returns a 404 if the session isn’t found). However it does not result in the user being signed out of the application. If we reload the application in the web browser, it reloads without showing the sign on view as expected.

The main problem we’re trying to troubleshoot is that the user’s session appears to be expiring (either through timeout or some other means), then when they attempt an operation in the application that initiates a REST call to the back-end (protected by Okta) it throws an error from the HTTP interceptor saying they’re not authenticated. We’re using the basic bearer token pattern found in the getting started documentation.

If anyone can help with killing a session on demand so I can troubleshoot this issue, I’d appreciate it. If someone already knows a good solution for this problem in the HTTP interceptor, I’d be equally grateful.

Thank you,

– Matthew

Did you check this one? https://developer.okta.com/docs/guides/sign-users-out/angular/sign-out-of-okta/

This is the standard “log me out” method. This performs a redirect, that in Angular actually reloads the application. What I need is the ability to externally invalidate the session so I can test the scenario where a users session expires either while they are using the application or after they’ve left it idle for a long period of time. It must be external to the user’s experience. Thank you though.

You can always open okta tenant url and sign your user out in a different tab of the same browser. That will destroy the session cookie. Another approach is to set a session lifetime to 5-10 minutes and try your app action after that

I’m not sure what you mean by “okta tenant url”. I tried a few searches for that phrase and the results were inconsistent. I think get the general idea of what you’re saying though. To be able to test this issue I must expire this session completely external to the user. It cannot be in the same browser. I’d prefer the solution to not even be on the same machine, but that’s not a requirement. I don’t think I can attempt the shorter session time as I don’t have that level of access to the Okta admin panel. Additionally, wouldn’t that affect all users? I’m in an environment where I don’t think I can do that, but I will look into it.

Tangentially… I know I have a lot to learn about Okta. I’m finding Okta in general to be quite difficult conceptually. To me it seems like terminating a users session on demand should be simple. Even reading the API, the “Clear Session” call as described, should be doing it, however it doesn’t even though it returns a success status code. Do you, or anyone else, have any recommended educational materials you could point me toward? Something other than the Okta developer docs? It doesn’t matter what language or SDK, I have experience with everything listed except for “Go”.

Thank you.

Aside from using the /logout endpoint to end the users session in an OIDC app (this will result in a redirect), you can manually make a call to the Sessions endpoint to delete a users session via its session id (which you can get with a /sessions/me request) or via CORS in the same browser the user has a session.

As far as guides go, the one @phi1ipp linked to discusses the two different types of sessions a user can have and how to end each of them (they are handled independently so that if a user logs out of an OpenID Connect app, they are not automatically logged out of Okta unless you tell it otherwise): Sign users out