My Application is still accessible even after logging out of Okta

I am implementing Okta sign-in for a simple web-form-based application (not an MVC-based application).
When my application's login URL is loaded, the user is redirected to the Okta page and, upon signing in, redirected to my application's home page. This is working as expected.
When I log in to Okta externally and then log in to my application, I am redirected to the home page without any Okta sign-in prompt, which is also working as I expected. But next, if I log out from Okta and refresh my application, I can see that the Request.IsAuthenticated value is still true on the home page.
How can I end the Okta session in my application if I sign out from Okta externally?

@Suchina.N
Did you clear the Okta session when you logged out?
Here is a way to delete all of the user's sessions; you can implement it when you call the logout function.
Revoke and clear session and token

The sessions endpoints can be used to logout a user and also revoke all tokens associated with the user:
DELETE /api/v1/users/${userId}/sessions?oauthTokens=true
https://developer.okta.com/docs/reference/api/users/#user-sessions
The API collections can also be found at the above link.
userId is the "sub" value in the ID token or the "uid" value in the access token.

Here is more reference:
https://developer.okta.com/docs/guides/sign-users-out/android/sign-out-of-okta/

Let me know if the above info is helpful.

@Lijia
Thank you for this information. :slightly_smiling_face:
As per my understanding, you are suggesting implementing it in my application's logout functionality.
I am able to log out and end all sessions when I click on the logout button of my application. There is no issue here.
The issue is when I click on the logout option in my Dev Okta account.
As mentioned earlier, I am signing in to Okta and accessing my application. Next I go to the Okta home page (not my application) and click on sign out (trying to end the session from Okta, not my application). I then reload my application's home page and see that the Okta session is not ended even after signing out from Okta.
I want to implement it in such a way that signing in and signing out are done from Okta, i.e. if a user signs in to Okta and accesses my application, the user should be able to use it. If the user signs out from Okta and accesses my application, the user should not be able to access it.

@Suchina.N The reason you see the Okta session is not ended even after signing out is probably that the sign-out function you called does not include clearing the session token. Is it possible for you to try calling the endpoint I mentioned and have another try?

@Lijia
As mentioned above, I have already called the sign-out function and it does end the session. This is not an issue; it works as expected.
But the scenario that I mentioned is totally different. I am not using my application to sign out. I am signing out from the Okta site and checking in my application whether the session is still on. The steps are as below:

  1. Load the Okta URL and log in.
  2. Load my application's URL. As I am already logged in to Okta via the Okta URL, I can access my application.
  3. Go to the Okta page again and sign out (here I cannot make any changes to sign-out, as it is the Okta side, not my application).
  4. Come back to my application and refresh the page. Here I can see the Okta session is still on even though I have logged out of the Okta site. (I have to explicitly log out from my application to end the Okta session.)

Hello!
We are dealing with the same issue.
Logging out of the Okta Dashboard does not log the user out of the Angular application.

I followed the example over at https://github.com/okta/samples-js-angular/tree/master/okta-hosted-login

Below you can find a repo where you can reproduce the problem.

Requires:
- Okta account
- SPA application with Authorization Code Flow and PKCE (there is a picture in the readme.md with the configuration)
- Replace clientId and issuer in environment.ts with the ones in your Okta SPA app
After this, execute npm start and log in to your Okta account.

Expected behavior
Logging out of the Okta Dashboard Portal should result in the user of the Angular app being redirected to the login page on the next browser refresh or navigation.

Current Behavior
After logging out of the Okta Dashboard Portal, the user remains logged in to the Angular application even after a page refresh or navigation. The routes are protected and have OktaAuthGuard assigned to them.

I wonder if you could try the OIDC instructions here:
https://help.okta.com/en/prod/Content/Topics/Apps/Apps_Single_Logout.htm
and reply if that helps.

@Suchina.N Please have a try with @IanHakes's comments. If it does not work, can you please open a support ticket by emailing support@okta.com with this issue? One of our Developer Support Engineers will take the case and assist you. Thanks

@Suchina.N Did you manage to solve this? We have the same issue. We are thinking of using Event Hooks to make a call to our app's logout endpoint on the "User logged out from Okta" event.
@Lijia I think that when the logout event is started from Okta, it should automatically call the logout URI for all the apps (or at least this should be configurable for each app individually, not with hooks).
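The event hook approach mentioned in the post above, as an added example that is not from this thread or from Okta's own samples: a small receiver in Python that answers Okta's one-time endpoint verification challenge and, on a `user.session.end` event, drops the app's own sessions for the user who signed out. The in-memory session store, the shared secret and the user ids are constructed assumptions; a real app would plug in its session backend.

```python
import json

# Constructed shared secret: configure the same value as the event hook's
# authentication header in Okta so only Okta can trigger logouts (assumption).
HOOK_SECRET = "constructed-shared-secret"

# Constructed in-memory store of app session id -> Okta user id ("sub" claim),
# standing in for the web app's real session store (assumption).
APP_SESSIONS = {
    "sess-a1": "00u1abcdEXAMPLE",
    "sess-b2": "00u1abcdEXAMPLE",
    "sess-c3": "00u9zzzzOTHER",
}


def end_local_sessions(user_id):
    """Drop every app session that belongs to user_id; return the ids dropped."""
    doomed = [sid for sid, uid in APP_SESSIONS.items() if uid == user_id]
    for sid in doomed:
        del APP_SESSIONS[sid]
    return doomed


def handle_event_hook(method, headers, body):
    """Return (http_status, response_dict) for one request from Okta.
    GET carries the one-time verification challenge, echoed back as
    {"verification": ...}; POST carries events (user.session.end = signed out).
    """
    hdrs = {k.lower(): v for k, v in headers.items()}
    if method == "GET":
        challenge = hdrs.get("x-okta-verification-challenge")
        if not challenge:
            return 400, {"error": "missing verification challenge"}
        return 200, {"verification": challenge}
    if method != "POST":
        return 405, {"error": "method not allowed"}
    if hdrs.get("authorization") != HOOK_SECRET:
        return 401, {"error": "bad hook secret"}  # reject forged logout calls
    payload = json.loads(body)
    ended = []
    for event in payload.get("data", {}).get("events", []):
        if event.get("eventType") != "user.session.end":
            continue
        actor = event.get("actor") or {}
        if actor.get("type") == "User" and actor.get("id"):
            ended.extend(end_local_sessions(actor["id"]))
    return 200, {"ended": ended}


# Constructed sample of an event hook delivery for a user signing out of Okta.
SAMPLE_LOGOUT = json.dumps({"eventType": "com.okta.event_hook", "data": {"events": [
    {"eventType": "user.session.end", "actor": {"id": "00u1abcdEXAMPLE", "type": "User"}}]}})
```

The app must still check its own store on each request (for example in the auth guard or before trusting Request.IsAuthenticated), since the hook only removes the server-side record.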

@bogdan.mihail.vlad @Suchina.N What solution did you end up implementing to solve this issue? That seems like a pretty common issue when integrating Okta

@pierreuno
Hi, were you able to solve that problem, by the way?
