Okta Sign out API

premkumarsp · February 2, 2023, 6:26pm

To signout the user from our application (React JS based), we want to get the session id using “https://${yourOktaDomain}/api/v1/sessions/me” API. But it asks for Okta Session Cookie. How to get okta session cookie?

Explored this Work with Okta session cookies | Okta Developer to get session cookie, but these APIs need Okta Session Token to get Okta Session Cookie. Not sure how to get Okta Session Token…

Thanks.

andrea · February 3, 2023, 4:52pm

The session cookie is only available in the browser in which the applicable user is logged in. For example, this fetch request will log someone out of their Okta org if called within said browser (and from a domain allowed to make CORS requests):

fetch('https://oktaDomain/api/v1/sessions/me', {method: 'DELETE', credentials: "include"})
  .then((response) => {
    return response.json();
  })

The bit that says credentials: "include" indicates that cookies should be sent in a cross-origin request.

Jasmeetsinghrainu · February 13, 2023, 1:11pm

@andrea - After adding this code in react application, it’s working fine in chrome browser, but In Firefox and incognito window have same session problem,

After investigating in firefox browser, different cookies are passing in request header. example JSESSIONID=7ACAB4B23184C580F6BBA770E868EFAB

But in chrome browser are passing is different cookies
example:DT=DI1b56t2_l-R_alXU5VA6QYLA; proximity_e8d8352c47036b03b97fe656250661d8=eyJ6aXAiOiJERUYiLCJwMnMiOiIzU3lTUUpZWHRVQ3RXS1MxOTE5SzZnIiwicDJjIjoxMDAwLCJ2ZXIiOiIxIiwiZW5jIjoiQTI1NkdDTSIsImFsZyI6IlBCRVMyLUhTNTEyK0EyNTZLVyJ9.MZOW1dYJJC5x1rVUT3uKUeazEQFXukPR_DFkY6PSqvs3pGVBfaJlHw.ZUfy9Y0NoniNpySZ.5HiXCg5KbSnUkz1uXMz8rFVP4ym6DnbEn_x6kHijFbGOP5jVTb4a7AzNKAmdfRrDtPfrnx39twu_oOdvogQx0HUORV18cYlN6RgQ4EVm9pDdYRKLEHz9eURKXnUJY-LJPs80fbd-uqvARwkiph9aphzSPdNfoG32Qy-yjDCVpiCKmA.PFAdBTKbwdhPS8nT7J61Zg; oktaStateToken=00nl4CPqSET4eua1iPi_xA868Ps-8k60TzYzox8Bn-; sid=1024kGza5EURMq8R8cLhQFgFQ

Please advise.

andrea · February 13, 2023, 4:35pm

That sounds like a 3rd party cookie issue.

Jasmeetsinghrainu · February 13, 2023, 6:17pm

I have implemented okta-auth-js library for signout user, Please check below code, but still session is not deleted, please help asap.

import { OktaAuth } from ‘@okta/okta-auth-js’;

const config = {
issuer: ‘https://example.com’,
clientId: ‘XXXXXXXXXXXXXXXX’,
redirectUri: ‘https://localhost:3000/’,
};
const authClient = new OktaAuth(config);

async function handleLogout() {
authClient.session.close()
}

andrea · February 13, 2023, 9:28pm

Can you confirm which browser you are having this issue in? If you ensure that third party cookies are not blocked in this browser, does logout work?

I should also note that, for OIDC apps, we recommend using the OIDC front-channel /logout endpoint (which the SDK will redirect you to via the signOut() method) instead of trying to close sessions via CORS request (which is what closeSession() does)

Jasmeetsinghrainu · February 14, 2023, 6:45am

@andrea -

We are not using OIDC. We are using SAML, We have tried below option for logout. but coming cors error in fetch call.

AWS Cognito is the Service Provider. OKTA is ID Provider and ID token is coming through JWT token that id token are passing in below call - ${id_token}

GET https://${baseUrl}/logout?
  id_token_hint=${id_token}&
  post_logout_redirect_uri=${post_logout_redirect_uri}&
  state=${state}

After changing some cookies option through browser settings it’s working fine in firefox as well. But for user preceptive, it’s not a correct way to change the setting before sign out. any other way we can enable third party cookies from Javascript or React. Please check the below code

fetch(https://xxxxxxxxxxx.com/api/v1/sessions/me, {method: ‘delete’,
headers: {
“Content-Type”:“application/json”,
“Accept”:“application/json”,
},
credentials:‘include’
})

andrea · February 14, 2023, 7:56pm

Ah, well the /logout endpoint is only for OIDC integrations, so won’t help you with a SAML app.

Understood, having end-users change browser settings is less than ideal. There is another URL you can use to log users out, but it does require a redirect: https://oktaDomain/login/signout

If you also want to redirect users to a specific location after logout, you can pass a target URL in as a query parameter (just make sure this URL is added to the org as a Trusted Origin for Redirects): https://oktaDomain/login/signout?fromURI={{targetUrl}}

Jasmeetsinghrainu · February 15, 2023, 11:44am

I have added your redirect code in our application and after clicking on signout button session is deleted,

function logout(){
window.location.assign 'https://oktaDomain.com/login/signout?fromURI=https://localhost.com
}

But if i open that target url in another tab like- https://localhost.com, still am able to see that whole application after session deleted. please help

https://oktaDomain.com/login/signout?fromURI=https://localhost.com signs out the user only from the application, not from Okta. I believe, this could be a reason why if i enter into application thru another tab in the same browser, i am able to get into application.

In Okta - SAML application under SignOn, signout url is configured as https://oktaDomain.com"

andrea · February 22, 2023, 8:31pm

It sounds like its the Application Session that is still active at this point, which makes sense as that URL will only end the Okta session (removing the user’s Okta session cookies from storage and otherwise invalidating the current session in their browser).

The application is managing its own session and I do not know of a way to kill it from the Okta side.