Okta token still active even though signed out or revoked

Hello all,

I have a concern that I have a valid Okta token. When I make an introspect request from Postman I get the status of the token as `"active": true`, and then I make logout and revoke requests with response status code 200 OK.
When I make an introspect request again, I get the status of the token still `"active": true`.

I think Okta still keeps this session and the token is still valid (`"active": true`).
I'm trying to log out (end the login session) and what I expected is that the status of the token when I make an introspect request is `"active": false`.

So many thanks for your advice!

Which token are you referring to, an access token? What endpoints are you using to request, revoke, and introspect your tokens?

I'm mostly curious to check if you are revoking your tokens correctly, as, even if you are seeing a 200 response back from Okta, it's possible you are not sending the access token to the correct revoke endpoint (it needs to be sent back to the same Authorization Server that minted the token), which would mean that the token is not actually getting revoked.

Hi Andrea,

First of all, thanks for reaching out to me.

Which token are you referring to, an access token? What endpoints are you using to request, revoke, and introspect your tokens?
=> yes, I’m referring to an access token.
Endpoints:
To request token, I’m using this method to implement on my mobile app:

To revoke, logout, and introspect the token I send these requests using Postman:
https://myappstest.halliburton.com/oauth2/default/v1/revoke
https://myappstest.halliburton.com/oauth2/default/v1/logout
https://myappstest.halliburton.com/oauth2/default/v1/introspect

The attached file is a screenshot of my Postman requests.

Detail:
Issue: Okta token still active even though signed out or revoked
Step to reproduce:

  1. Send introspect request to check active status (`"active": true`)
  2. Send revoke and logout request to revoke an access token => response 200 OK
  3. Send introspect request again to check active status => (still `"active": true`)

Expected behaviour:
At step #3, the status of the access token when sending the introspect request should be false

If you delay making the introspect call (say, for 5 minutes), do you ever see it switch to active: false?

It still sounds like the revoke call failed, but it's not clear why based on the information you provided…
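The check Andrea describes, as an added example that is not part of the thread or of Okta's own tooling: derive the revoke and introspect endpoints from the token's own `iss` claim so the revoke request goes back to the Authorization Server that minted it, then re-introspect instead of trusting the 200 from `/revoke`. The JWT-shaped demo token, the `post` transport hook and the client credentials are constructed for this example.

```python
"""Revoke an Okta access token at its issuing AS, then confirm "active": false."""
import base64
import json
import urllib.parse
import urllib.request


def _b64url_decode(segment: str) -> bytes:
    # JWT segments are base64url without padding; restore it before decoding.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def issuer_of(access_token: str) -> str:
    """Read the (unverified) 'iss' claim: it names the AS that minted the token."""
    parts = access_token.split(".")
    if len(parts) != 3:
        raise ValueError("not a JWT: an opaque token can only be handled by the AS that issued it")
    return json.loads(_b64url_decode(parts[1]))["iss"]


def endpoints_for(issuer: str) -> dict:
    """Okta custom-AS endpoints live under the issuer, e.g. .../oauth2/default/v1/revoke."""
    base = issuer.rstrip("/")
    return {name: f"{base}/v1/{name}" for name in ("revoke", "introspect", "logout")}


def _http_post(url, form, client_id, client_secret):
    """Real transport: HTTP Basic client auth plus form body (replaced by a fake in tests)."""
    creds = base64.b64encode(f"{client_id}:{client_secret}".encode()).decode()
    req = urllib.request.Request(
        url, data=urllib.parse.urlencode(form).encode(),
        headers={"Authorization": f"Basic {creds}",
                 "Content-Type": "application/x-www-form-urlencoded"})
    with urllib.request.urlopen(req) as resp:
        return resp.status, json.loads(resp.read() or b"{}")


def revoke_and_verify(access_token, client_id, client_secret, post=_http_post):
    """Revoke at the issuing AS, re-introspect, and report whether revocation took."""
    ep = endpoints_for(issuer_of(access_token))
    form = {"token": access_token, "token_type_hint": "access_token"}
    status, _ = post(ep["revoke"], form, client_id, client_secret)
    _, body = post(ep["introspect"], form, client_id, client_secret)
    # A 200 from /revoke proves nothing: RFC 7009 has the AS answer 200 even for
    # a token it never issued. Only the introspection result settles it.
    return {"revoke_status": status, "active": body.get("active", False),
            "revoked": status == 200 and body.get("active") is False}


def make_demo_token(issuer: str) -> str:
    """Constructed, unsigned JWT-shaped token for offline demonstration only."""
    enc = lambda d: base64.urlsafe_b64encode(json.dumps(d).encode()).rstrip(b"=").decode()
    return f"{enc({'alg': 'RS256', 'kid': 'demo'})}.{enc({'iss': issuer, 'sub': 'demo-user'})}.sig"
```

If `issuer_of` returns a different base than the URL you are posting to in Postman, that mismatch is the revoke silently doing nothing.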