I am integrating the Okta Signin Widget with our WordPress portals. We have three portals that I have working when they sign in. Once they are signed into one site they can go to the other two sites without signing in again. My problem is when they sign out of one site, I want them out of the other sites too. I was trying to find an API to call or using Okta Signin Widget to check they are still signed in. What is the best practice to do this?
Your portals can make periodic `/api/v1/sessions/me` calls to see if their session with Okta is still valid. If you sign out from one of your apps, the Okta session will be closed and the call above will return a 404.
This is a traditional customer identity problem where all apps should be logged out if any one is. Before you deal with your question to see if they are logged in, you need to get them logged out of Okta when they leave an application. You do that with a DELETE call to the sessions API. But then you have two other problems and how you solve them depends on where you are calling the API from:
- Your question: you need to have all the other applications check sessions frequently to see if the user is still logged in. I put this on a timer personally.
- You need to stay logged into Okta as long as the application is being used so SSO does work properly! That is the sessions API too, using a PUT. I put this on the same timer actually.
FYI /api/v1/sessions/me is meant to be used in an AJAX call and uses the session cookie, works on the browser side. You don’t have to do this in REST, you can use the SDK (look for sessions): GitHub - okta/okta-auth-js: The official js wrapper around Okta's auth API.
If you are trying to do this from the PHP side, look at the session support in the PHP SDK. The API needs the OAuth 2 access token retrieved during login, and I haven't tried using the PHP SDK that way, so I don't know if it will work or if you have to do your own REST calls.
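The two replies above describe the same browser-side pattern: poll `/api/v1/sessions/me` on a timer, treat a 404 as "signed out elsewhere", keep the Okta session alive while the page is in use, and call `DELETE /api/v1/sessions/me` when the user signs out. The following is an added example of that pattern, not code from the thread or from Okta's SDKs. It assumes a placeholder org URL (`https://your-org.okta.com`), that the WordPress origin has been added as a trusted origin in Okta so the cross-origin `fetch` with cookies is permitted, and it uses Okta's documented `POST /api/v1/sessions/me/lifecycle/refresh` endpoint for the keep-alive step. The `fetch` implementation is injected so the logic can be exercised with a stub outside a browser.

```javascript
// Added example: browser-side Okta session monitor for a WordPress footer script.
// OKTA_ORG is a placeholder (assumption); replace it with your own org URL.
const OKTA_ORG = 'https://your-org.okta.com';

// Translate the HTTP status of GET /api/v1/sessions/me into a session state.
// Only a definite 404 means "no Okta session"; network failures and 5xx responses
// are reported as 'unknown' so a transient outage does not log everyone out.
function interpretSessionStatus(status) {
  if (status === 200) return 'active';
  if (status === 404) return 'expired';
  return 'unknown';
}

// Build the request for each session action. Every call relies on the Okta
// session cookie, so credentials must be included on the cross-origin request.
function buildSessionRequest(orgUrl, action) {
  const base = orgUrl.replace(/\/+$/, '') + '/api/v1/sessions/me';
  const spec = {
    check:   { url: base, method: 'GET' },                        // is the session still valid?
    refresh: { url: base + '/lifecycle/refresh', method: 'POST' }, // extend the session (keep SSO alive)
    signout: { url: base, method: 'DELETE' },                      // end the Okta session for all portals
  }[action];
  if (!spec) throw new Error('unknown session action: ' + action);
  return {
    url: spec.url,
    options: {
      method: spec.method,
      credentials: 'include',
      headers: { Accept: 'application/json' },
    },
  };
}

// One poll: check the session, and if it is still active, refresh it so the
// user is not idled out of Okta while actively using the portal.
async function checkAndRefreshSession(fetchImpl, orgUrl) {
  const check = buildSessionRequest(orgUrl, 'check');
  let state;
  try {
    const res = await fetchImpl(check.url, check.options);
    state = interpretSessionStatus(res.status);
  } catch (err) {
    return 'unknown';
  }
  if (state === 'active') {
    const refresh = buildSessionRequest(orgUrl, 'refresh');
    try { await fetchImpl(refresh.url, refresh.options); } catch (err) { /* keep 'active'; retry next tick */ }
  }
  return state;
}

// Poll on a timer; when the session is gone, hand control to the caller
// (typically a redirect to the portal's login page). Returns a stop function.
function startSessionMonitor({ fetchImpl, orgUrl, intervalMs, onExpired }) {
  const timer = setInterval(async () => {
    const state = await checkAndRefreshSession(fetchImpl, orgUrl);
    if (state === 'expired') {
      clearInterval(timer);
      onExpired();
    }
  }, intervalMs);
  return () => clearInterval(timer);
}

// Sign out: end the Okta session first so the other portals' polls see a 404,
// then let the local WordPress logout proceed.
async function signOutEverywhere(fetchImpl, orgUrl) {
  const req = buildSessionRequest(orgUrl, 'signout');
  const res = await fetchImpl(req.url, req.options);
  return res.status === 204 || res.status === 404; // already gone counts as signed out
}

// Constructed stub standing in for window.fetch, so the flow can be run offline.
function makeStubFetch(statusByMethod) {
  return async (url, options) => ({ status: statusByMethod[options.method] ?? 500, url });
}

// Browser usage (commented out; not executed outside a page):
// startSessionMonitor({ fetchImpl: window.fetch.bind(window), orgUrl: OKTA_ORG,
//   intervalMs: 60000, onExpired: () => { window.location.href = '/login'; } });
```

In production the poll interval is a trade-off: a shorter interval tightens the window between signing out on one portal and being bounced off the others, at the cost of more requests to Okta; the `unknown` state deliberately does nothing, because logging a user out on a failed network call would turn any Okta hiccup into a forced re-login.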
Thank you for the input. I moved a checkLogon function into our footer so as a member goes page to page it checks to see if they are still logged on. If not, I send them to our log on page.
I appreciate your help.