Okta auth-js authStateManager not being updated on clear user session

Hi All,
The libraries involved are:

"@okta/okta-angular": "^5.2.0",
"@okta/okta-auth-js": "6.7.4",
"@okta/okta-signin-widget": "6.6.1"

If I clear the session from Okta Admin Console or by API call, the subscription to the authStateManager will always return isAuthenticated = true until the token is refreshed (it could take a while depending on the access token lifetime set in the authentication policy).
The result is that even if a user session has been cleared, the user is still authenticated both for the signin-widget and the okta-auth-js.

Is this the expected behaviour or should it be considered a bug?

Thanks,
F

Hello,
This is the expected behavior. The SDKs check for locally stored tokens that have not expired yet.
This behavior can be overridden:
https://github.com/okta/okta-auth-js#authstatemanagerupdateauthstate
https://github.com/okta/okta-auth-js#transformauthstate

With the Okta SDKs you should be calling the signout() function which will also clear tokens in the local token storage so isAuthenticated will become false.

1 Like
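A sketch of the override the answer links to, added here as an example and not part of the original thread or Okta's own code: a transformAuthState hook that only keeps isAuthenticated true while oktaAuth.session.exists() confirms the Okta session. The helper name applySessionCheck, the fail-closed choice on errors, the polling interval and the placeholder issuer and client ID are assumptions.

```javascript
// Added example (not Okta's code). Pure decision step, kept separate from the
// network call so the rule itself is easy to test.
function applySessionCheck(authState, sessionExists) {
  // Never upgrade: a state the SDK already treats as unauthenticated stays so.
  if (!authState.isAuthenticated) {
    return authState;
  }
  // Unexpired local tokens are not enough; the Okta session must still exist.
  return { ...authState, isAuthenticated: sessionExists === true };
}

// Hook for the transformAuthState config option of okta-auth-js.
async function transformAuthState(oktaAuth, authState) {
  if (!authState.isAuthenticated) {
    return authState; // nothing to verify, skip the round trip to Okta
  }
  let sessionExists = false;
  try {
    sessionExists = await oktaAuth.session.exists();
  } catch (err) {
    // Assumption: fail closed. If the session cannot be verified, the UI
    // treats the user as signed out rather than trusting cached tokens.
    sessionExists = false;
  }
  return applySessionCheck(authState, sessionExists);
}

// Wiring, commented out so the block runs without the SDK installed.
// The issuer and clientId values are placeholders.
//
// const oktaAuth = new OktaAuth({
//   issuer: 'https://{yourOktaDomain}/oauth2/default',
//   clientId: '{yourClientId}',
//   transformAuthState,
// });
//
// The hook only runs when the auth state is re-evaluated, so a cleared
// session is noticed on the next updateAuthState() call. The 60 s interval
// is an arbitrary choice for this sketch.
// setInterval(() => oktaAuth.authStateManager.updateAuthState(), 60 * 1000);
```

This only changes what the client application reports: an access token that was already issued stays valid at any resource server that validates it locally until it expires, so keep access token lifetimes short if session clearing must take effect quickly. session.exists() also depends on the browser sending the Okta session cookie, so it can return false for a live session when third-party cookies are blocked.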