Logging off from one subdomain does not log out from the other

Hi,
I have two apps under the same domain, but different subdomains. The SSO seems to be working fine: if I go to one domain and log in and then go to the app in the other domain, the user is logged in. This is fine.

The part that is not working properly is the log off. I log off from one domain and the user is still logged in to the other domain. This is how I do the log off:

    const refreshToken = oktaAuth.tokenManager.getTokensSync().refreshToken;
    const accessToken = oktaAuth.tokenManager.getTokensSync().accessToken;
    await oktaAuth.revokeRefreshToken(refreshToken);
    await oktaAuth.revokeAccessToken(accessToken);
    try {
      await oktaAuth.closeSession();
    } catch {
      console.error('investigate if we go here');
    } finally {
      oktaAuth.tokenManager.clear();
      oktaAuth.tokenManager.clearPendingRemoveTokens();
    }

And this is how I load the Okta Session in my app:

  const onAuthRequired = async (authObj?: OktaAuth) => {
    if (authObj) {
      const sessionExists = await authObj.session.exists();
      if (sessionExists) {
        // if the user is on the create account page, we don't want to redirect them to the dashboard
        if (window.location.pathname.indexOf('create_account') > -1) {
          return;
        }

        authObj.token
          .getWithoutPrompt({
            responseType: ['token', 'id_token'],
          })
          .then((res) => {
            let originalUri = authObj.getOriginalUri();
           
            if (originalUri?.startsWith('/')) {
              originalUri = originalUri?.replace(/\/app/g, '');
              originalUri = originalUri === '' ? '/' : originalUri;             
              authObj.tokenManager.setTokens(res.tokens);
              navigate(originalUri || routes.DASHBOARD().PATH, {
                replace: true,
              });
            } else {
              authObj.handleLoginRedirect(res.tokens, originalUri);
            }
          });
      } else {
        navigate(routes.SIGN_IN().PATH);
      }
    } else {
      navigate(routes.SIGN_IN().PATH);
    }
  };

  const restoreOriginalUri = async () => {
    navigate(routes.DASHBOARD().PATH, { replace: true });
  };

  return (
    <Security
      oktaAuth={oktaAuth}
      onAuthRequired={onAuthRequired}
      restoreOriginalUri={restoreOriginalUri}
    >
      <Provider store={store}>
        <AppProviders>
          <LayoutWrapper>
            <ThemeProvider theme={theme}>
              <BrowserCompatibilityDetector />
              <Router />
            </ThemeProvider>
          </LayoutWrapper>
        </AppProviders>
      </Provider>
    </Security>
  );

With this, is it possible to identify why logging out from one subdomain won’t log out from the other?

Thanks

Hello,

If the applications run in sibling domains or one is a child domain of the other, I assume each still has its own token_storage in the browser for storing tokens?

SLO in Okta ends the application being logged out of session along with the Okta Org session, but will not affect other application logins which previously took place. In order to log out of these applications you could set up all participating applications in a front channel logout flow.

Please see the below documentation,
Configure Single Logout | Okta Developer.

Thank You,

1 Like
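
The receiving side of the front channel logout flow suggested in the reply, as an added example that is not code from the thread or from Okta: each app clears its own token storage when its logout URL is loaded with a session identifier that matches its local session. It assumes the request carries `iss` and `sid` query parameters (as in OpenID Connect Front-Channel Logout 1.0) and that the stored ID token has a `sid` claim; the function names, issuer, URL and session id are hypothetical.

```javascript
// Added example: receiving side of an OIDC front-channel logout request.
// Assumption: the identity provider loads this app's logout URL in a hidden
// iframe with `iss` and `sid` query parameters, and the locally stored ID
// token carries a matching `sid` claim.

// Pure decision function: should this request clear the local session?
function evaluateLogoutRequest(requestUrl, expectedIssuer, idTokenClaims) {
  const params = new URL(requestUrl).searchParams;
  const iss = params.get('iss');
  const sid = params.get('sid');

  // Require both values, otherwise any page that can frame this URL could
  // force a logout without knowing anything about the session.
  if (!iss || !sid) return { clear: false, reason: 'missing-params' };
  if (iss !== expectedIssuer) return { clear: false, reason: 'issuer-mismatch' };
  if (!idTokenClaims) return { clear: false, reason: 'no-local-session' };
  if (idTokenClaims.sid !== sid) return { clear: false, reason: 'sid-mismatch' };
  return { clear: true, reason: 'sid-match' };
}

// Glue for okta-auth-js: only tokenManager.getTokensSync() and
// tokenManager.clear() are used, both of which appear in the question.
function handleFrontChannelLogout(requestUrl, oktaAuth, expectedIssuer) {
  const { idToken } = oktaAuth.tokenManager.getTokensSync();
  const decision = evaluateLogoutRequest(
    requestUrl, expectedIssuer, idToken ? idToken.claims : null);
  if (decision.clear) oktaAuth.tokenManager.clear();
  return decision;
}

// Constructed demo values (hypothetical issuer, URL and session id).
const demoIssuer = 'https://example.okta.com/oauth2/default';
const demoAuth = {
  tokenManager: {
    getTokensSync: () => ({ idToken: { claims: { sid: 'constructed-sid-1' } } }),
    clear: () => console.log('local tokens cleared'),
  },
};
const demoUrl = 'https://app-b.example.com/logout/frontchannel' +
  `?iss=${encodeURIComponent(demoIssuer)}&sid=constructed-sid-1`;
console.log(handleFrontChannelLogout(demoUrl, demoAuth, demoIssuer));
```

The logout route that calls this has to be reachable without authentication and allowed to render inside the identity provider's iframe, or the request never reaches the handler.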