Okta session logout not clearing access token

Hi,

I am trying the sample-react-js example available on the below repo:


After logging in i get the access token and the API call is also successful using that token.
After clicking on the logout button below function is being called:
logout = async () => {
  this.props.auth.logout('/');
};

This fires a DELETE call which returns a success ‘204’ case.
But the access tokens are not cleared. I can still use the access token to successfully call my API (using some tool) even after logging out.

The doc says the above logout should also clear the tokens. Do I need some other configuration to clear the tokens on LOGOUT?

Thanks & Regards,
Himanshu

Not sure if it is the right way to do it but I always call tokenManager.clear() at logout

I tried cloning the React sample repo and testing the Okta-hosted login page sample. When I click Logout, the okta-token-storage key in local storage is cleared as expected.

A few quick questions for you @himanshu and @scoobymib3:

  • Are you testing the latest version of this sample?
  • Are you using the Okta-hosted login page, or a self-hosted login page?
  • How are you retrieving the access token after logging out?

Hi Nate,

I have taken the latest version of the example.
I am using a custom login page with the Okta Sign-In Widget from ‘@okta/okta-signin-widget’.
I logged in and copied the access token to a file. Then I successfully logged out. Then I used the token copied earlier to make an API call to the resource server (using Postman) and it was successful. I think the token is being cleared from local storage on logout but not on the Okta server.

Thanks & Regards
Himanshu

Token validation on the resource server can use one of two approaches:

  1. Local validation, where the token is valid if the signature is valid and the expiration time has not passed
  2. Remote validation (introspection), where the token is sent to Okta to be verified

You need to do (2) to see the token fail immediately after logout.

How is your resource server validating the token? Are you using one of our token validation libraries, or your own code? I can help you configure it to use remote validation.

Hi Nate,

I am using the Okta token validation libraries as given in the example below:

I guess that, using the library as shown above, the resource server will verify the token with Okta.
But after logging out, if someone uses the token to call the resource server using Postman, the resource server returns success with data from the API.

I want to clear the access token from the Okta auth server when the user logs out. So even if someone saves the access token by using inspect, they cannot use the token with tools like Postman after logging out.

Thanks & Regards,
Himanshu Sharma

Hi,

I’m having a similar issue: my logout is not clearing the token ‘okta-cache-storage’ from local storage. It only clears the token ‘okta-token-storage’ from local storage.
After logout, if I try to log in as user2, on the dashboard page I still see the details of the first user (user1) that I used before logout.
I’m calling: this.oktaAuthService.logout('/');
When I look in the console, I see the error log below:

DELETE https://dev-212287.okta.com/api/v1/sessions/me 404 (Not Found)
core.es5.js:1020 ERROR Error: Uncaught (in promise): AuthApiError: Not found: Resource not found: me (Session)
Error
    at Object. (AuthApiError.js:26)
    at webpack_require (bootstrap bb304fef5346be40ed8f:52)
    at Object. (http.js:17)
    at webpack_require (bootstrap bb304fef5346be40ed8f:52)
    at Object. (tx.js:15)
    at webpack_require (bootstrap bb304fef5346be40ed8f:52)
    at Object. (builderUtil.js:14)
    at webpack_require (bootstrap bb304fef5346be40ed8f:52)
    at Object. (browser.js:18)
    at webpack_require (bootstrap bb304fef5346be40ed8f:52)
    at resolvePromise (zone.js:831)
    at zone.js:741
    at rejected (okta.service.js:24)
    at ZoneDelegate.webpackJsonp.973.ZoneDelegate.invoke (zone.js:391)
    at Object.onInvoke (core.es5.js:3890)
    at ZoneDelegate.webpackJsonp.973.ZoneDelegate.invoke (zone.js:390)
    at Zone.webpackJsonp.973.Zone.run (zone.js:150)
    at zone.js:889
    at ZoneDelegate.webpackJsonp.973.ZoneDelegate.invokeTask (zone.js:423)
    at Object.onInvokeTask (core.es5.js:3881)

Please let me know if I’m missing anything here.

Thanks,
Bhargav.

Hello @bpl18, were you able to solve this issue?

This question deserves an answer for anybody who reads it in the future:

The hint is up above and the problem is with the API, not the application. When you close the session with the Okta organization (a logout) the access token will be revoked. But if you continue to use it and the API does not check the authorization server to see if it is revoked, then it is the API code that is letting it be used.

So, if you need to revoke the token, then the API must call /introspect at the organization to check it and refuse it when it is revoked.
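The two validation approaches Nate lists above (local signature/expiry check versus remote introspection) and the closing answer's point that the API itself must call /introspect are illustrated by the following added example. It is not code from the thread, from the Okta samples or from the Okta libraries: it is a small Node.js (18+, for the global fetch) resource-server snippet written for this page. It assumes an Okta custom authorization server named "default", placeholder values for the org domain and the client credentials, and a constructed sample token plus a constructed in-memory stand-in for the Okta introspection endpoint so that it runs offline. The point it demonstrates is exactly the symptom reported in the thread: after the token is revoked, the local check still passes while the introspection check fails.

```javascript
// Added example (not from the thread, the Okta samples or @okta/jwt-verifier).
// Assumptions: Node 18+ (global fetch/Buffer/URLSearchParams), an Okta
// authorization server named "default", and the placeholder values below.
const OKTA_ISSUER = "https://YOUR_OKTA_DOMAIN/oauth2/default"; // placeholder
const CLIENT_ID = "CLIENT_ID_PLACEHOLDER";                      // placeholder
const CLIENT_SECRET = "CLIENT_SECRET_PLACEHOLDER";              // placeholder

// Reads the claims of a compact JWS. A real resource server verifies the
// signature (e.g. with @okta/jwt-verifier); signature verification is left out
// here on purpose because it changes nothing about the point being shown:
// nothing inside the token changes when the user logs out.
function decodeClaims(jwt) {
  const parts = jwt.split(".");
  if (parts.length !== 3) throw new Error("not a compact JWS token");
  return JSON.parse(Buffer.from(parts[1], "base64url").toString("utf8"));
}

// Approach 1: local validation. Only issuer and expiry are consulted, so a
// revoked-but-unexpired token is still accepted.
function validateLocally(jwt, nowSeconds = Math.floor(Date.now() / 1000)) {
  const claims = decodeClaims(jwt);
  if (claims.iss !== OKTA_ISSUER) return { ok: false, reason: "wrong issuer" };
  if (typeof claims.exp !== "number" || claims.exp <= nowSeconds) {
    return { ok: false, reason: "expired" };
  }
  return { ok: true, sub: claims.sub };
}

// Approach 2: remote validation (RFC 7662 introspection). The request is a
// form-encoded POST authenticated with the client credentials; the response's
// "active" flag is the only thing that matters.
function buildIntrospectionRequest(token) {
  const basic = Buffer.from(`${CLIENT_ID}:${CLIENT_SECRET}`).toString("base64");
  return {
    url: `${OKTA_ISSUER}/v1/introspect`,
    method: "POST",
    headers: {
      Authorization: `Basic ${basic}`,
      "Content-Type": "application/x-www-form-urlencoded",
      Accept: "application/json",
    },
    body: new URLSearchParams({ token, token_type_hint: "access_token" }).toString(),
  };
}

async function validateRemotely(token, fetchImpl = fetch) {
  const req = buildIntrospectionRequest(token);
  const res = await fetchImpl(req.url, { method: req.method, headers: req.headers, body: req.body });
  if (!res.ok) return { ok: false, reason: `introspection HTTP ${res.status}` };
  const body = await res.json();
  // Per RFC 7662 anything other than active === true means "do not accept".
  if (body.active !== true) return { ok: false, reason: "token revoked or unknown" };
  return { ok: true, sub: body.sub };
}

// Constructed sample token (unsigned placeholder signature) for offline use.
function makeSampleToken(sub, expSeconds) {
  const enc = (o) => Buffer.from(JSON.stringify(o)).toString("base64url");
  const header = enc({ alg: "RS256", kid: "constructed" });
  const payload = enc({ iss: OKTA_ISSUER, sub, exp: expSeconds });
  return `${header}.${payload}.constructed-signature`;
}

// Constructed stand-in for the Okta introspection endpoint: a token is
// "active" until it is added to the revoked set (what logout does server-side).
function makeFakeOkta(revoked) {
  return async (url, init) => {
    const reply = (status, json) => ({ ok: status === 200, status, json: async () => json });
    if (!url.endsWith("/v1/introspect") || init.method !== "POST") return reply(404, {});
    if (!init.headers.Authorization.startsWith("Basic ")) return reply(401, {});
    const token = new URLSearchParams(init.body).get("token");
    if (revoked.has(token)) return reply(200, { active: false });
    return reply(200, { active: true, sub: decodeClaims(token).sub });
  };
}

// Walk through the thread's scenario: valid before logout, revoked after.
async function demo() {
  const token = makeSampleToken("user1@example.com", 4102444800); // exp in 2100
  const revoked = new Set();
  const okta = makeFakeOkta(revoked);
  const before = await validateRemotely(token, okta);
  revoked.add(token); // the user logs out; Okta revokes the token
  const after = await validateRemotely(token, okta);
  return { local: validateLocally(token).ok, remoteBefore: before.ok, remoteAfter: after.ok };
}

demo().then((r) => console.log(r)); // { local: true, remoteBefore: true, remoteAfter: false }
```

To use this against a real org, replace the placeholders, add signature verification to the local path, and call validateRemotely from the API's authorization middleware on every request that must notice a logout; introspection costs a network round trip per call, which is the trade-off for immediate revocation.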