How to ensure immediate logout and sessions revocation for a user via APIs?

Hi,

We have the following setup:

  • Our SPA uses Okta Sign-In Widget with okta-auth-js and @okta/okta-react.

  • On login, access and ID tokens are stored in the browser (okta-token-storage) via the Okta auth SDK, and we call signInWidget.showSignInToGetTokens({ el }) to get tokens. (No Okta session cookie, sid or idx, is visible in browser/cookie storage.)

  • We call oktaAuth.handleLoginRedirect(tokens) on successful login.

Our questions are:

Session creation:

  • Is an Okta session (sid or idx) actually being created in this flow?

  • If so, why don't we see it in browser cookie storage or via the UI? Also, on hitting oktaAuth.signOut I see that a DELETE call is being made to the /sessions/me endpoint with the sid. How is that possible if no session is being created on Okta's end?

Revoking sessions:

  • We tried using /users/{id}/sessions to revoke all sessions after user deletion. It doesn’t seem to log out users immediately.

Immediate logout on user deletion:

  • Given our current token-only SPA flow, is there a way to ensure users are immediately logged out when another user deletes them via DELETE user endpoint (basically an admin in our website deleting another user)? Anything to be called as a supplement to ensure that the deleted user’s sessions are revoked immediately?
