Issue with Revoking All Tokens Associated with a Session

For our SPAs we are currently storing our tokens in app memory and are also using refresh token rotation. That means that if a user has two tabs open, they have two separate sets of access / id / refresh tokens.

When a user logs out, only those tokens associated with the tab are invalidated. Users found they could still make API calls with the tokens on the other tab. Has anyone come across this issue / have a solution for it?

I did see the documentation for /api/v1/users/${userId}/sessions that optionally revokes all access and id tokens, but in the fine print it says: "This operation doesn’t clear the sessions created for web sign in or native applications."

TLDR: is there any way to revoke all tokens associated with a session? Or a solution for this multiple tab issue?

I believe that is the drawback of choosing memory storage. Would you consider using cookie storage so that the tokens are available to all tabs?

Otherwise, you can use the /api/v1/users/${userId}/sessions endpoint to revoke the access tokens and refresh tokens as you mentioned.

Hi, is this still a viable solution for this API call /api/v1/users/${userId}/sessions given the fine print under the API call?

This operation doesn’t clear the sessions created for web sign in or native applications.

Cookie storage is currently not an option for our SPAs.
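
The call to the `/api/v1/users/${userId}/sessions` endpoint discussed in this thread, sketched as a backend logout helper. This is an added example, not code from any poster or from Okta: the org URL, the user-id pattern and the function names are assumptions, and the `SSWS` API token must stay on a server, never in the SPA. It does not settle the fine-print question raised above.

```python
import re
import urllib.error
import urllib.parse
import urllib.request

OKTA_ORG = "https://example.okta.com"          # placeholder org URL (assumption)
USER_ID_RE = re.compile(r"[A-Za-z0-9]{1,64}")  # assumed id shape; blocks path injection


def build_clear_sessions_request(user_id, api_token, revoke_tokens=True):
    """Build DELETE /api/v1/users/{userId}/sessions for a backend logout handler."""
    if not USER_ID_RE.fullmatch(user_id):
        raise ValueError("unexpected user id")
    url = f"{OKTA_ORG}/api/v1/users/{user_id}/sessions"
    if revoke_tokens:
        # Optional flag that also revokes the user's OAuth/OIDC tokens.
        url += "?" + urllib.parse.urlencode({"oauthTokens": "true"})
    headers = {"Authorization": f"SSWS {api_token}", "Accept": "application/json"}
    return urllib.request.Request(url, method="DELETE", headers=headers)


def clear_sessions(user_id, api_token, opener=urllib.request.urlopen):
    """Send the request; True only on 204 No Content, False on any HTTP error."""
    request = build_clear_sessions_request(user_id, api_token)
    try:
        with opener(request, timeout=10) as response:
            return response.status == 204
    except urllib.error.HTTPError:
        return False  # e.g. bad token or unknown user: treat logout as not done
```

The `opener` parameter exists so the helper can be exercised with a stub transport before it is pointed at a real org.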