To signout the user from our application (React JS based), we want to get the session id using “https://${yourOktaDomain}/api/v1/sessions/me” API. But it asks for Okta Session Cookie. How to get okta session cookie?
Explored this Work with Okta session cookies | Okta Developer to get session cookie, but these APIs need Okta Session Token to get Okta Session Cookie. Not sure how to get Okta Session Token…
Thanks.
The session cookie is only available in the browser in which the applicable user is logged in. For example, this fetch request will log someone out of their Okta org if called within said browser (and from a domain allowed to make CORS requests):
fetch('https://oktaDomain/api/v1/sessions/me', {method: 'DELETE', credentials: "include"})
.then((response) => {
return response.json();
})
The bit that says credentials: "include" indicates that cookies should be sent in a cross-origin request.
@andrea - After adding this code in react application, it’s working fine in chrome browser, but In Firefox and incognito window have same session problem,
After investigating in firefox browser, different cookies are passing in request header. example JSESSIONID=7ACAB4B23184C580F6BBA770E868EFAB
But in chrome browser are passing is different cookies
example:DT=DI1b56t2_l-R_alXU5VA6QYLA; proximity_e8d8352c47036b03b97fe656250661d8=eyJ6aXAiOiJERUYiLCJwMnMiOiIzU3lTUUpZWHRVQ3RXS1MxOTE5SzZnIiwicDJjIjoxMDAwLCJ2ZXIiOiIxIiwiZW5jIjoiQTI1NkdDTSIsImFsZyI6IlBCRVMyLUhTNTEyK0EyNTZLVyJ9.MZOW1dYJJC5x1rVUT3uKUeazEQFXukPR_DFkY6PSqvs3pGVBfaJlHw.ZUfy9Y0NoniNpySZ.5HiXCg5KbSnUkz1uXMz8rFVP4ym6DnbEn_x6kHijFbGOP5jVTb4a7AzNKAmdfRrDtPfrnx39twu_oOdvogQx0HUORV18cYlN6RgQ4EVm9pDdYRKLEHz9eURKXnUJY-LJPs80fbd-uqvARwkiph9aphzSPdNfoG32Qy-yjDCVpiCKmA.PFAdBTKbwdhPS8nT7J61Zg; oktaStateToken=00nl4CPqSET4eua1iPi_xA868Ps-8k60TzYzox8Bn-; sid=1024kGza5EURMq8R8cLhQFgFQ
Please advise.
That sounds like a 3rd party cookie issue.
I have implemented okta-auth-js library for signout user, Please check below code, but still session is not deleted, please help asap.
import { OktaAuth } from ‘@okta/okta-auth-js’;
const config = {
issuer: ‘https://example.com’,
clientId: ‘XXXXXXXXXXXXXXXX’,
redirectUri: ‘https://localhost:3000/’,
};
const authClient = new OktaAuth(config);
async function handleLogout() {
authClient.session.close()
}
Can you confirm which browser you are having this issue in? If you ensure that third party cookies are not blocked in this browser, does logout work?
I should also note that, for OIDC apps, we recommend using the OIDC front-channel /logout endpoint (which the SDK will redirect you to via the signOut() method) instead of trying to close sessions via CORS request (which is what closeSession() does)
@andrea -
AWS Cognito is the Service Provider. OKTA is ID Provider and ID token is coming through JWT token that id token are passing in below call - ${id_token}
GET https://${baseUrl}/logout?
id_token_hint=${id_token}&
post_logout_redirect_uri=${post_logout_redirect_uri}&
state=${state}
fetch(https://xxxxxxxxxxx.com/api/v1/sessions/me, {method: ‘delete’,
headers: {
“Content-Type”:“application/json”,
“Accept”:“application/json”,
},
credentials:‘include’
})
Ah, well the /logout endpoint is only for OIDC integrations, so won’t help you with a SAML app.
Understood, having end-users change browser settings is less than ideal. There is another URL you can use to log users out, but it does require a redirect: https://oktaDomain/login/signout
If you also want to redirect users to a specific location after logout, you can pass a target URL in as a query parameter (just make sure this URL is added to the org as a Trusted Origin for Redirects): https://oktaDomain/login/signout?fromURI={{targetUrl}}
I have added your redirect code in our application and after clicking on signout button session is deleted,
function logout(){
window.location.assign 'https://oktaDomain.com/login/signout?fromURI=https://localhost.com
}
But if i open that target url in another tab like- https://localhost.com, still am able to see that whole application after session deleted. please help
https://oktaDomain.com/login/signout?fromURI=https://localhost.com signs out the user only from the application, not from Okta. I believe, this could be a reason why if i enter into application thru another tab in the same browser, i am able to get into application.
In Okta - SAML application under SignOn, signout url is configured as https://oktaDomain.com"
It sounds like its the Application Session that is still active at this point, which makes sense as that URL will only end the Okta session (removing the user’s Okta session cookies from storage and otherwise invalidating the current session in their browser).
The application is managing its own session and I do not know of a way to kill it from the Okta side.