Okta auth-js authStateManager not being updated on clear user session

Hi All
The involved libraries are

"@okta/okta-angular": "^5.2.0",
"@okta/okta-auth-js": "6.7.4",
"@okta/okta-signin-widget": "6.6.1"

If I clear the session from the Okta Admin Console or by API call, the subscription to the authStateManager will always return
isAuthenticated = true
until the token is refreshed (it could take a while depending on the access token lifetime set in the authentication policy).
The result is that even if a user session has been cleared, the user is still authenticated both for the signin-widget and the okta-auth-js.

Is this the expected behaviour, or should it be considered a bug?

Thanks,
F

Hello,
This is the expected behavior. The SDKs check for locally stored tokens that have not expired yet.
This behavior can be overridden:
https://github.com/okta/okta-auth-js#authstatemanagerupdateauthstate
https://github.com/okta/okta-auth-js#transformauthstate

With the Okta SDKs you should be calling the signout() function, which will also clear tokens in the local token storage, so isAuthenticated will become false.

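The override the reply points to (transformAuthState) can be used to make the reported state reflect the server-side session instead of only the cached tokens. The following is an added example, not code from the thread or from Okta: it assumes the documented okta-auth-js calls session.exists() and tokenManager.clear(), and uses a constructed FakeOktaAuth stand-in plus a constructed sample auth state so it runs offline. In a real app the hook is passed as the transformAuthState option of the OktaAuth constructor.

```javascript
// Added example (not from the forum post or from Okta): a transformAuthState hook
// for @okta/okta-auth-js that stops reporting isAuthenticated=true once the Okta
// server session behind the cached tokens has been cleared.
//
// Assumptions: oktaAuth.session.exists() and oktaAuth.tokenManager.clear() are the
// documented okta-auth-js methods; FakeOktaAuth below is a constructed stand-in so
// this file runs without Okta. Real wiring: new OktaAuth({ ...config, transformAuthState }).

// Pure decision: given the SDK's default state (derived from unexpired local tokens)
// and whether the server still has a session, decide what to report to subscribers.
function decideAuthState(authState, sessionExists) {
  // Nothing cached or already expired: nothing to override.
  if (!authState.isAuthenticated) {
    return { ...authState, isAuthenticated: false };
  }
  // Locally valid tokens but the session is gone (Admin Console or Sessions API):
  // report unauthenticated now instead of waiting for the access token to expire.
  if (!sessionExists) {
    return { ...authState, isAuthenticated: false, accessToken: null, idToken: null };
  }
  return authState;
}

// Hook invoked by okta-auth-js on every authStateManager.updateAuthState() call.
// Caveat: session.exists() is a credentialed cross-site request to the Okta domain,
// so it needs the Okta session cookie to be sent; a browser that blocks third-party
// cookies makes it return false and this hook would then sign the user out.
// A failed request (network error) is treated as "unknown" and the local state is
// returned unchanged, which is the SDK's own default; change this to fail closed
// if your threat model prefers a forced re-login over a spurious one.
async function transformAuthState(oktaAuth, authState) {
  if (!authState.isAuthenticated) return authState;
  let sessionExists;
  try {
    sessionExists = await oktaAuth.session.exists();
  } catch (e) {
    return authState;
  }
  const next = decideAuthState(authState, sessionExists);
  if (!next.isAuthenticated) {
    // Drop the stale tokens so later updateAuthState() calls cannot revive them.
    await oktaAuth.tokenManager.clear();
  }
  return next;
}

// Constructed stand-in for the OktaAuth client (only the two methods the hook uses).
class FakeOktaAuth {
  constructor({ sessionAlive, failNetwork = false }) {
    this.cleared = false;
    this.session = {
      exists: async () => {
        if (failNetwork) throw new Error('constructed network failure');
        return sessionAlive;
      },
    };
    this.tokenManager = { clear: async () => { this.cleared = true; } };
  }
}

// Constructed sample: the state the SDK would derive from unexpired cached tokens.
const nowSec = Math.floor(Date.now() / 1000);
const cachedState = {
  isAuthenticated: true,
  accessToken: { accessToken: 'constructed-access-token', expiresAt: nowSec + 3600 },
  idToken: { idToken: 'constructed-id-token', expiresAt: nowSec + 3600 },
};

// Runs the hook against three constructed situations and returns the outcomes.
async function runDemo() {
  const alive = new FakeOktaAuth({ sessionAlive: true });
  const cleared = new FakeOktaAuth({ sessionAlive: false });
  const offline = new FakeOktaAuth({ sessionAlive: true, failNetwork: true });
  return {
    stillIn: await transformAuthState(alive, cachedState),
    kickedOut: await transformAuthState(cleared, cachedState),
    unknown: await transformAuthState(offline, cachedState),
    aliveCleared: alive.cleared,
    clearedCleared: cleared.cleared,
    offlineCleared: offline.cleared,
  };
}

runDemo().then((r) => {
  console.log('session alive   ->', r.stillIn.isAuthenticated);
  console.log('session cleared ->', r.kickedOut.isAuthenticated, 'tokens cleared:', r.clearedCleared);
  console.log('network failure ->', r.unknown.isAuthenticated);
});
```

The check runs on every auth-state update, so it adds one round trip to Okta each time; if that is too chatty, cache the last positive result for a short interval. It does not address the cross-subdomain storage question raised below: tokenManager.clear() only touches the storage of the origin the hook runs in.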

The problem is that if application A and B are on two different subdomains of the same parent domain, then the token manager storage from a.domain.com won’t be cleared from b.domain.com when you signout. Do you have any solution for that? Thank you
