Hi Friends,
We are developing an SSO using PKCE, we don’t have access to okta console, the console is managing by our client, we are trying to delete user session, we are using:
https://oktadomain/api/v1/user/user@client.com/sessions?outTokens=true
okta replies with an status 403 Forbiden. in tour documentation we can read, that we have to send header:
Autorization: SSWS ${api_token}
Do we need to use this header and if the answer is yes wich information we have to send.
Thanks in advance
Are you looking to make this call from the users browser? You mentioned your app uses PKCE: is it a SPA and does that mean you do not have a backend you can use to protect an API key?
For OIDC applications, we typically recommend using the /logout endpoint to end a user’s session with Okta. You will need to redirect users to this endpoint, passing along the raw, JWT string of the ID token as the id_token_hint.
The other option you have is dependent on being able to access the Okta session cookie (‘sid’) from your client, which may or may not be possible depending on your Okta tenant (aka, if you have a Custom URL Domain configured) AND your deployment setup (the domain your application is hosted on). More details about how you may run into third party cookie issues found here. If you are not worried about this limitation, you can make a CORS request from your application to DELETE the user’s session (/sessions/me), which simply relies on the Okta session cookie being present in the user’s browser AND it being accessible from your client. Details about the session endpoint found here.