When a user tries to access my application, they are redirected to Okta for login, and after authentication, they are redirected back to my application as expected. If they log out of my application, we call the SignOut() method and they are signed out of our application and signed out of Okta.
The problem is when a user opens the Okta dashboard in a new tab and clicks Logout from the Okta dashboard. They are then sent back to the Okta login screen; however, they are still able to access the application without needing to sign back in.
What’s the best practice to handle a logout action from the Okta dashboard when the user already has a valid cookie for the ASP.NET MVC application?
Why do you care if the user logged out of Okta? Establish your application session policy to be equal to the Okta session lifetime, if you are too concerned. You can do that on the Okta side by restricting the access_token lifetime. Otherwise you will have to go to Okta on every user’s request, just to check if they already signed out. If you don’t mind paying this price, that’s the way to achieve it (depending on the side where you chose to do that, you may need to share the client session id from your front end to your backend). What if Okta allows a session of 8 hours? Will you allow the user to have the same lengthy session in your application too?
Those are just my thoughts and questions for you to consider.
Thanks for your reply @phi1ipp. I agree with you that if an authenticated user has established access to the application, it’s not a big concern if they log out of Okta. For my specific use case though, this is seen as a security risk. The requirement for our application is on every server request to make sure the user is still logged into Okta and still has the same claims. Do you have any reference documentation you can point me to for creating a client session id on login to the application and tracking it throughout its lifetime?
You don’t need to “create” it. As soon as your user has authenticated themselves to Okta, a session is established with Okta. You can hit /api/v1/session/me from a browser to check if the session is still active. It can get you the session id, which you can share with your server, for the latter to check if the user’s session is still active with Okta.
Google for Okta Session API to go into more details.
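The approach suggested above, written out as an added example (not code from the thread or from Okta's SDK): an ASP.NET MVC authorization filter that, on every request, asks Okta whether the session whose id the browser read from /api/v1/sessions/me is still active. It assumes an SSWS API token and org URL in appSettings (the keys okta:OrgUrl and okta:ApiToken), and that the front end forwards the session id in an X-Okta-Session-Id header; those names are assumptions, not Okta conventions.

```csharp
using System;
using System.Configuration;
using System.Net;
using System.Net.Http;
using System.Net.Http.Headers;
using System.Threading.Tasks;
using System.Web.Mvc;
using Newtonsoft.Json.Linq;

// Apply as [RequireActiveOktaSession] on controllers that must follow the Okta session.
public class RequireActiveOktaSessionAttribute : FilterAttribute, IAuthorizationFilter
{
    private static readonly HttpClient Http = new HttpClient { Timeout = TimeSpan.FromSeconds(5) };
    // Assumed appSettings keys (e.g. https://dev-123456.okta.com) and header name; adjust to your setup.
    private static readonly string OrgUrl = ConfigurationManager.AppSettings["okta:OrgUrl"];
    private static readonly string ApiToken = ConfigurationManager.AppSettings["okta:ApiToken"];
    private const string SessionHeader = "X-Okta-Session-Id";

    public void OnAuthorization(AuthorizationContext filterContext)
    {
        var sessionId = filterContext.HttpContext.Request.Headers[SessionHeader];
        var login = filterContext.HttpContext.User?.Identity?.Name;   // assumed to be the Okta login

        // No Okta session id, or Okta says the session is gone: stop serving the app session.
        // Returning 401 lets the cookie middleware send the user back to login; call your
        // existing SignOut() here as well if you want the app cookie cleared immediately.
        if (string.IsNullOrEmpty(sessionId) || !IsSessionActive(sessionId, login))
            filterContext.Result = new HttpUnauthorizedResult();
    }

    // GET /api/v1/sessions/{id} returns 200 with the session object while it exists and 404
    // once it has been ended (e.g. by Logout on the Okta dashboard). The login comparison
    // rejects a session id that belongs to a different user than the one holding the app cookie.
    private static bool IsSessionActive(string sessionId, string expectedLogin)
    {
        var req = new HttpRequestMessage(HttpMethod.Get,
            $"{OrgUrl}/api/v1/sessions/{Uri.EscapeDataString(sessionId)}");
        req.Headers.Authorization = new AuthenticationHeaderValue("SSWS", ApiToken);
        req.Headers.Accept.Add(new MediaTypeWithQualityHeaderValue("application/json"));
        try
        {
            // Blocking wait inside a synchronous MVC filter; ConfigureAwait(false) avoids the
            // ASP.NET synchronization-context deadlock.
            var resp = Http.SendAsync(req).ConfigureAwait(false).GetAwaiter().GetResult();
            if (resp.StatusCode != HttpStatusCode.OK) return false;   // 404: session no longer exists
            var body = resp.Content.ReadAsStringAsync().ConfigureAwait(false).GetAwaiter().GetResult();
            var session = JObject.Parse(body);
            return (string)session["status"] == "ACTIVE"
                && (expectedLogin == null
                    || string.Equals((string)session["login"], expectedLogin, StringComparison.OrdinalIgnoreCase));
        }
        catch (Exception ex) when (ex is HttpRequestException || ex is TaskCanceledException)
        {
            return false;   // fail closed: if Okta cannot be reached, do not keep serving the request
        }
    }
}
```

Every request now costs one round trip to Okta, which is the price the reply above describes; the front end has to obtain the id from GET /api/v1/sessions/me with credentials included, which also requires your app's origin to be a trusted origin in the Okta org.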
After I login to Okta, I can open a new tab and hit the “/api/v1/session/me” endpoint and get a successful response as suggested. However, if I try to make the same request from the back-end code in the ASP.NET application, it comes back with the “Resource not found” response. Is there a recommended approach for making the call to the “/api/v1/sessions/me” endpoint from the back-end C# code in the ASP.NET application?
In regards to checking if the session is still active by using the session id from the “/api/v1/sessions/me” endpoint, my assumption is that this would be done using the Okta API, which requires an API Token created at the Okta org. In our use case, the client controls the Okta org and is not willing to give us an API Token due to security concerns.
If you don’t have access to an API token, I’m not sure what else you can do. The only way would rely upon your front-end, which is surely not reliable at all.
I’m sorry, but you are between a rock and a hard place. Have a conversation with the owner of your Okta org, it’s all I can suggest.