Okta-auth-js SDK: Clearing the Okta storageManager best practices?

Hi, our team has an app that uses the okta-auth-js SDK to log in a user. We're wondering what cleanup procedures we should follow ahead of starting a new login. For example, if two users share a computer and their Okta session is still valid (sessions/me) and/or they have tokens or transactions in the browser cookies, localStorage, shared-storage, or sessionStorage, do we need to remove them all?

As of now I’m thinking of the following possibilities.

import { OktaAuth } from '@okta/okta-auth-js';

const auth = new OktaAuth({...});

// might be good to do if existing session causes issues.
// Coincidentally this also clears token storage.
await auth.closeSession();   // call restored from the comment above; it was missing from the post as extracted

// may not be necessary but uses the OktaAuth event emitter to emit
// token removal events in addition to the same thing that
// auth.storageManager.getTokenStorage().clearStorage() does
auth.tokenManager.clear();   // call restored from the comment above

// equivalent to auth.storageManager.getTransactionStorage().clearStorage()
// clearSharedStorage: true only clears the current saved
// transaction from sharedStorage
// notably this doesn't seem to allow passing of clearIdxResponse: true
// hence we make a separate call for that below
auth.transactionManager.clear({ clearSharedStorage: true });

// this allows you to clear the entire sharedTransactionStorage
// instead of just the current saved transaction
const storageManager = auth.storageManager;
storageManager.getSharedTansactionStorage?.()?.clearStorage();   // call restored from the comment above; "Tansaction" (sic) is how the SDK spells this getter

// originalUri only seems to be set in some flows, e.g. signInWithRedirect(),
// could use some more clarity on whether we need to clear this ever
storageManager.getOriginalUriStorage?.()?.clearStorage();   // call restored from the comment above

// you can clear the sneaky IdxResponseStorage with clearIdxResponse: true
storageManager?.getTransactionStorage()?.clearStorage({ clearIdxResponse: true });

You can implement sign-out functionality that signs the user out of their current Okta session, revokes the issued access and refresh tokens, and clears all tokens stored locally.

The signOut() method takes different options, as documented in the okta-auth-js README (GitHub - okta/okta-auth-js: The official js wrapper around Okta's auth API).

Setting clearTokensBeforeRedirect to true will ensure that all the local tokens are removed before the logout redirect is initiated.
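Pulling the clearing steps from the question together with the signOut() option from the reply, here is an added example of a pre-login reset routine. It is not code from this thread or from the okta-auth-js project. It assumes the okta-auth-js v6/v7 method names (session.exists, closeSession, tokenManager.clear, transactionManager.clear, signOut with clearTokensBeforeRedirect, and the storageManager getters getOriginalUriStorage and getIdxResponseStorage), the SDK's default "okta-" storage key prefix (okta-token-storage, okta-transaction-storage, and so on), and its own helper names resetBeforeLogin, sweepOktaKeys, MemoryStorage and fakeOktaAuth; the in-memory storage and the recording OktaAuth stand-in exist only so the example runs outside a browser.

```javascript
// Added example; not code from the original thread or from okta-auth-js.
// Order: close the Okta session (or signOut with redirect), clear tokens,
// clear the transaction (incl. shared storage), clear the remaining
// per-purpose stores, then sweep any leftover "okta-*" key and report it.
// Assumed: SDK method names as in okta-auth-js v6/v7, the SDK's default
// "okta-" key prefix, and the helper names defined here.

const OKTA_KEY_PREFIX = 'okta-';

// Remove every key starting with `prefix` from a Storage-like object and
// return the removed keys. Keys are collected first because removeItem()
// renumbers key(i) while iterating.
function sweepOktaKeys(storage, prefix = OKTA_KEY_PREFIX) {
  const doomed = [];
  for (let i = 0; i < storage.length; i++) {
    const k = storage.key(i);
    if (k !== null && k.startsWith(prefix)) doomed.push(k);
  }
  doomed.forEach((k) => storage.removeItem(k));
  return doomed;
}

// Reset client-side Okta state before a new user logs in.
//   auth     - OktaAuth instance (null: only sweep storage)
//   storages - { name: Storage } objects to sweep, e.g. window.localStorage
//   redirect - true: end the session with auth.signOut() (page navigates
//              away); false: close it in place with auth.closeSession()
async function resetBeforeLogin(auth, storages, { redirect = false } = {}) {
  const report = { sessionClosed: false, sdkCalls: [], swept: {} };
  const call = (name, fn) => { report.sdkCalls.push(name); return fn(); };
  if (auth && redirect) {
    // Revokes tokens, ends the Okta session and redirects. Clearing local
    // tokens before the redirect means an interrupted logout leaves nothing.
    await call('signOut', () => auth.signOut({ clearTokensBeforeRedirect: true }));
    return report;
  }
  if (auth) {
    // 1. Server-side session: while it is valid, the next user could be
    //    signed in silently as the previous one.
    try {
      if (await auth.session.exists()) {
        await call('closeSession', () => auth.closeSession()); // also clears tokens
        report.sessionClosed = true;
      }
    } catch (err) {
      // Offline or the session is already gone: still do the local cleanup.
    }
    // 2. Tokens; tokenManager.clear() also emits 'removed' events.
    call('tokenManager.clear', () => auth.tokenManager.clear());
    // 3. Saved transaction, including its copy in shared storage.
    call('transactionManager.clear', () =>
      auth.transactionManager.clear({ clearSharedStorage: true }));
    // 4. Stores step 3 does not cover. Guarded: these getters are assumed
    //    from the v6/v7 StorageManager and differ between SDK versions.
    const sm = auth.storageManager;
    sm.getOriginalUriStorage?.()?.clearStorage();
    sm.getIdxResponseStorage?.()?.clearStorage();
  }
  // 5. Verify: anything still under the okta- prefix is swept and reported,
  //    whether or not this SDK instance wrote it.
  for (const [name, storage] of Object.entries(storages)) {
    report.swept[name] = sweepOktaKeys(storage);
  }
  return report;
}

// Constructed fixture: minimal Web Storage look-alike for running in Node.
class MemoryStorage {
  constructor(entries = {}) { this.map = new Map(Object.entries(entries)); }
  get length() { return this.map.size; }
  key(i) { return [...this.map.keys()][i] ?? null; }
  removeItem(k) { this.map.delete(k); }
  keys() { return [...this.map.keys()]; }
}

// Constructed stand-in for OktaAuth with no network; only the methods used above.
function fakeOktaAuth({ hasSession }) {
  const noop = () => {};
  return {
    session: { exists: async () => hasSession },
    closeSession: async () => true,
    signOut: async () => true,
    tokenManager: { clear: noop },
    transactionManager: { clear: noop },
    storageManager: {
      getOriginalUriStorage: () => ({ clearStorage: noop }),
      getIdxResponseStorage: () => ({ clearStorage: noop }),
    },
  };
}

// Demo with a previous user's leftovers (constructed sample values).
async function demo() {
  const local = new MemoryStorage({
    'okta-token-storage': '{"accessToken":{}}',
    'okta-shared-transaction-storage': '{}',
    'app-theme': 'dark',                 // unrelated key; must survive
  });
  const session = new MemoryStorage({ 'okta-transaction-storage': '{"state":"s1"}' });
  const report = await resetBeforeLogin(fakeOktaAuth({ hasSession: true }),
    { localStorage: local, sessionStorage: session });
  return { report, localLeft: local.keys(), sessionLeft: session.keys() };
}

demo().then((r) => console.log(JSON.stringify(r, null, 2)));
```

In a browser you would pass the real OktaAuth instance and { localStorage: window.localStorage, sessionStorage: window.sessionStorage }. The sweep does not reach cookies the SDK writes when a cookie storage type is configured, and the Okta session cookie itself lives on the Okta domain, which is why step 1 asks the server to end the session instead of touching document.cookie.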
