So far I’ve successfully (I think) managed to get a user logged in using the following process flow (PHP 7.4.16). There is zero JavaScript involved in this interaction.
Flow - Sorry I don’t know the correct term for it but it roughly follows the Web App guide.
Check Status using our Web App Session and / or Cookie.
If not logged in to our Web App, direct to the Okta Hosted Login Page with state, client and redirect set. The eventual redirect then has a code and state, which is verified by checking state and then a Client/Secret call to v1/token with the supplied code.
This returns a response and the payload is extracted from the access_token.
At this stage the API is used to gather profile information, and the groups and everything is golden.
Where I am stuck is logging them out. I see I can use the Session call in the API but to use this I need their Okta cookie? I’m not sure where to get this during this flow, or if it’s even possible or intended to be able to force their logout from the Okta domain?
If we don’t log them out of Okta then effectively that is controlling the length of the session, which isn’t ideal as I would prefer a complete logout if possible (i.e. from our Web App and the Okta side).
Hope this makes sense to someone.
Edit
Never mind, I found it, which might say more about the organisation of the docs that I didn’t find it sooner. If someone finds themselves in the same boat, here is the call from the docs.
Clear User Sessions
DELETE /api/v1/users/{userId}/sessions?oauthTokens=true
Link: Users | Okta Developer
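
A complete server-side logout built around the Clear User Sessions call quoted above, as an added example that is not part of the original post or Okta's own code. It assumes the app holds an Okta API token sent with the `SSWS` authorization scheme and stored the Okta user id in its PHP session at login; the function names and the `okta_user_id` session key are hypothetical.

```php
<?php
declare(strict_types=1);

/**
 * Call the Clear User Sessions endpoint quoted in the post.
 * Returns true only when Okta answers 204 No Content.
 */
function oktaClearUserSessions(string $orgUrl, string $apiToken, string $userId): bool
{
    // Encode the id so a malformed value cannot change the request path.
    $url = rtrim($orgUrl, '/') . '/api/v1/users/' . rawurlencode($userId)
         . '/sessions?oauthTokens=true';
    $ch = curl_init($url);
    curl_setopt_array($ch, [
        CURLOPT_CUSTOMREQUEST  => 'DELETE',
        CURLOPT_RETURNTRANSFER => true,
        CURLOPT_TIMEOUT        => 10,
        CURLOPT_HTTPHEADER     => ['Accept: application/json',
                                   'Authorization: SSWS ' . $apiToken],
    ]);
    curl_exec($ch);
    $status = (int) curl_getinfo($ch, CURLINFO_RESPONSE_CODE);
    curl_close($ch);
    return $status === 204;
}

/** End the web app's own session and expire its cookie. */
function localLogout(): void
{
    $_SESSION = [];
    if (ini_get('session.use_cookies')) {
        $p = session_get_cookie_params();
        setcookie(session_name(), '', time() - 42000,
            $p['path'], $p['domain'], $p['secure'], $p['httponly']);
    }
    session_destroy();
}

/** Logout handler: revoke on the Okta side first, then always clear locally. */
function logoutEverywhere(string $orgUrl, string $apiToken): bool
{
    if (session_status() !== PHP_SESSION_ACTIVE) {
        session_start();
    }
    // 'okta_user_id' is a hypothetical session key set by the app at login.
    $userId  = (string) ($_SESSION['okta_user_id'] ?? '');
    $revoked = $userId !== '' && oktaClearUserSessions($orgUrl, $apiToken, $userId);
    localLogout();
    return $revoked; // false: the Okta session may still be live, so log it
}
```

The API token stays on the server and never reaches the browser, which fits the no-JavaScript flow described in the post.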