On Signout Session Token is still valid and not revoked

Our app is .Net 4.8 but using Microsoft.AspNetCore.Mvc. The code we have is following the example in link below.

ASP.NET Core 3.0 MVC Secure Authentication | Okta Developer

Everything is working fine except that when we signout, the OKTA server token is still valid and an api call from a proxy intercept still works.

We have read lots of OKTA articles and docs but cannot figure out why the session is still valid on signout. Any help appreciated, thanks!

Are you talking about the id token/access token?

Just to clarify, Okta session tokens are one-time use and they look like this: 00HiohZYpJgMSHwmL9TQy7RRzuY-q9soKp1SPmYYow

Okta id/access tokens are JWTs and look like this:

I think I explained wrongly, sorry. So for login, we redirect to OKTA hosted and the user logs in and gets redirected to the web app. Then on Signout, we call SignOutResult as per the example I referred to.

I’m not exactly sure where the issue is (if it’s a token issue or not) but Pen Testing used a Proxy Interceptor so that they can grab the request and replay it. Once they logged out, they replayed the request and it still authenticated and worked. Once they login again, that request replay does not work anymore, so on subsequent login whatever is getting invalidated works for previous requests.

What request? Is it for an Okta endpoint?

Like I mentioned in my first post, we are following this article:

ASP.NET Core 3.0 MVC Secure Authentication | Okta Developer

On signout we call Logout as per below (same as article)

But when I repeat the API call to our application (not Okta, the same one I had done when logged in to get some data from our app API), it is still authorised, which it should not be.
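The replay described in this thread succeeds because the ASP.NET Core cookie handler only checks that the cookie is signed and unexpired; it has no server-side record that the session was signed out, so a captured cookie keeps working until it expires. Below is an added example (not code from the thread or from the Okta article) of a server-side revocation check wired into OnValidatePrincipal; it assumes a per-login session id claim named app_sid is added to the principal at sign-in, and uses an in-memory store that would be a shared cache in a real deployment. It covers the cookie to the app's own API only; the Okta-side session is a separate concern handled through the OpenID Connect sign-out flow the article already configures.

```csharp
using System;
using System.Collections.Concurrent;
using System.Security.Claims;
using System.Threading.Tasks;
using Microsoft.AspNetCore.Authentication;
using Microsoft.AspNetCore.Authentication.Cookies;

// Server-side record of sessions that have been signed out.
// Assumption: single process, so an in-memory set is enough for the demo.
public static class RevokedSessions
{
    private static readonly ConcurrentDictionary<string, DateTimeOffset> Revoked =
        new ConcurrentDictionary<string, DateTimeOffset>();

    public static void Revoke(string sessionId) => Revoked[sessionId] = DateTimeOffset.UtcNow;
    public static bool IsRevoked(string sessionId) => Revoked.ContainsKey(sessionId);
}

public static class CookieRevocation
{
    // Hypothetical claim carrying a per-login session id. Assumed to be added in the
    // OpenID Connect OnTokenValidated handler, e.g. a fresh Guid per successful login.
    public const string SessionIdClaim = "app_sid";

    // Register as options.Events.OnValidatePrincipal in AddCookie(...).
    // Runs on every request that presents the auth cookie, so a replayed cookie
    // whose session was revoked is rejected even though its signature is valid.
    public static Task ValidatePrincipal(CookieValidatePrincipalContext context)
    {
        var sid = context.Principal?.FindFirst(SessionIdClaim)?.Value;
        if (sid == null || RevokedSessions.IsRevoked(sid))
        {
            // Treat the request as unauthenticated and clear the cookie from the response.
            context.RejectPrincipal();
            return context.HttpContext.SignOutAsync(CookieAuthenticationDefaults.AuthenticationScheme);
        }
        return Task.CompletedTask;
    }

    // Call from the Logout action before returning SignOutResult, so the server-side
    // record is updated and not only the browser's copy of the cookie.
    public static void RevokeCurrent(ClaimsPrincipal user)
    {
        var sid = user.FindFirst(SessionIdClaim)?.Value;
        if (sid != null) RevokedSessions.Revoke(sid);
    }
}
```

Wire it up with `options.Events.OnValidatePrincipal = CookieRevocation.ValidatePrincipal;` inside the AddCookie call, and verify the fix the same way the pen testers found the issue: replay a captured request after logout and confirm it now returns 401/redirects to login.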