I am trying the sample-react-js example available in the repo below:
After logging in, I get the access token, and the API call is also successful using that token.
After clicking on the logout button, the function below is called:
logout = async () => {
  this.props.auth.logout('/');
};
This fires a DELETE call, which returns a success (204) response.
But the access tokens are not cleared. I can still use the access token to successfully call my API (using some tool) even after logging out.
The doc says the logout above should also clear the tokens. Do I need some other configuration to clear the tokens on LOGOUT?
I tried cloning the React sample repo and testing the Okta-hosted login page sample. When I click Logout, the okta-token-storage key in local storage is cleared as expected.
I have taken the latest version of the example.
I am using a custom login page with the Okta Sign-In Widget from '@okta/okta-signin-widget'.
I logged in and copied the access token to a file. Then I successfully logged out. Then I used the token copied earlier to make an API call to the resource server (using Postman) and it was successful. I think the token is being cleared from local storage on logout but not on the Okta server.
Token validation on the resource server can use one of two approaches:
1. Local validation, where the token is valid if the signature is valid and the expiration time has not passed.
2. Remote validation (introspection), where the token is sent to Okta to be verified.
You need to do (2) to see the token fail immediately after logout.
How is your resource server validating the token? Are you using one of our token validation libraries, or your own code? I can help you configure it to use remote validation.
I am using the Okta token validation libraries as in the example below:
I guess that, using the library as shown above, the resource server will verify the token with Okta.
But after logging out, if someone uses the token to call the resource server using Postman, the resource server returns success with data from the API.
I want to clear the access token from the Okta auth server when the user logs out, so that even if someone saves the access token by using Inspect, they cannot use the token with tools like Postman after logging out.
I'm having a similar issue: my logout is not clearing the 'okta-cache-storage' key from local storage. It only clears the 'okta-token-storage' key from local storage.
After logout, if I try to log in as user2, on the dashboard page I still see the details of user1 that I used before logout.
I'm calling: this.oktaAuthService.logout('/');
When I look in the console, I see the error log below:
DELETE https://dev-212287.okta.com/api/v1/sessions/me 404 (Not Found)
core.es5.js:1020 ERROR Error: Uncaught (in promise): AuthApiError: Not found: Resource not found: me (Session)
Error
    at Object.<anonymous> (AuthApiError.js:26)
    at __webpack_require__ (bootstrap bb304fef5346be40ed8f:52)
    at Object.<anonymous> (http.js:17)
    at __webpack_require__ (bootstrap bb304fef5346be40ed8f:52)
    at Object.<anonymous> (tx.js:15)
    at __webpack_require__ (bootstrap bb304fef5346be40ed8f:52)
    at Object.<anonymous> (builderUtil.js:14)
    at __webpack_require__ (bootstrap bb304fef5346be40ed8f:52)
    at Object.<anonymous> (browser.js:18)
    at __webpack_require__ (bootstrap bb304fef5346be40ed8f:52)
    at resolvePromise (zone.js:831)
    at zone.js:741
    at rejected (okta.service.js:24)
    at ZoneDelegate.webpackJsonp.973.ZoneDelegate.invoke (zone.js:391)
    at Object.onInvoke (core.es5.js:3890)
    at ZoneDelegate.webpackJsonp.973.ZoneDelegate.invoke (zone.js:390)
    at Zone.webpackJsonp.973.Zone.run (zone.js:150)
    at zone.js:889
    at ZoneDelegate.webpackJsonp.973.ZoneDelegate.invokeTask (zone.js:423)
This question deserves an answer for anybody who reads it in the future:
The hint is up above, and the problem is with the API, not the application. When you close the session with the Okta organization (a logout), the access token will be revoked. But if you continue to use it and the API does not check with the authorization server to see if it is revoked, then the API code is what is letting it be used.
So, if you need to revoke the token, then the API must call /introspect at the organization to check it and refuse it when it is revoked.