I need to revoke all access and refresh tokens, ideally using the User ID. After realising that, via the Okta web interface, “Clear user Sessions” didn’t revoke the access tokens of that user, I started trying through the API.
Checking the API method to clear the user sessions, we can read:
Optionally revokes OpenID Connect and OAuth refresh and access tokens issued to the user.
So I performed the request using the optional parameter oauthTokens set as true, which returned the expected 204, but the access token of that user was still valid.
Is there any known issue with this method? What other options one can have to revoke the access tokens of a specific user?
Hello,
If the API is remotely validating the token by using the /introspect endpoint, it should show that the token is no longer active after making the DELETE call to /users/{{userid}}/sessions?oauthTokens=true.
However if the API is locally validating, there isn’t a way to determine if the token has been revoked. The local validation only checks the signature and the existing claims to confirm if the token is valid. Unfortunately with local validation, there isn’t a way to confirm if the token has been revoked.
Just to confirm, is the API doing remote validation by calling the /introspect endpoint?
1 Like
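The distinction the answer draws (local validation checks only signature and claims, so a revoked token still passes; remote validation via /introspect sees the revocation) is easiest to understand by running both checks against the same token. The script below is an added example, not code from this thread or from Okta. It builds the two real requests involved (the DELETE /api/v1/users/{id}/sessions?oauthTokens=true call from the question, and the POST to /oauth2/{authServerId}/v1/introspect from the answer) but never sends them; instead a constructed stand-in for the authorization server answers the introspection so everything runs offline. The org URL, API token, client credentials, user ID, the authorization server ID "default" and the audience "api://default" are placeholders/assumptions, and the HS256 key is only a stand-in so the local-validation step can verify a signature without a real Okta key (Okta's own tokens are RS256-signed and verified against the JWKS endpoint).

```python
import base64
import hashlib
import hmac
import json
import time
from typing import Optional
from urllib.parse import urlencode
from urllib.request import Request

# --- constructed sample values (placeholders, not real Okta data) ---
ORG_URL = "https://example-org.okta.com"      # placeholder Okta org
AUTH_SERVER_ID = "default"                     # assumption: custom authorization server "default"
AUDIENCE = "api://default"                     # assumption: that server's audience
API_TOKEN = "CONSTRUCTED_SSWS_API_TOKEN"       # placeholder management API token
CLIENT_ID, CLIENT_SECRET = "constructed-client-id", "constructed-client-secret"
USER_ID = "00uCONSTRUCTEDUSERID"               # placeholder Okta user id
SIGNING_KEY = b"constructed-hs256-key"         # stand-in for the real (RS256) signing key


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def make_hs256_token(claims: dict, key: bytes) -> str:
    """Mint a minimal HS256 JWT so the local check has a signature to verify."""
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = _b64url(json.dumps(claims).encode())
    sig = hmac.new(key, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url(sig)}"


def validate_locally(token: str, key: bytes, issuer: str, audience: str,
                     now: Optional[float] = None) -> bool:
    """Local validation: signature plus iss/aud/exp only. Revocation is invisible here."""
    now = time.time() if now is None else now
    try:
        header, payload, signature = token.split(".")
    except ValueError:
        return False
    expected = hmac.new(key, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(signature)):
        return False
    claims = json.loads(_b64url_decode(payload))
    return claims.get("iss") == issuer and claims.get("aud") == audience \
        and claims.get("exp", 0) > now


def build_clear_sessions_request(org_url: str, user_id: str, api_token: str) -> Request:
    """The management API call from the question: DELETE .../sessions?oauthTokens=true."""
    return Request(
        f"{org_url}/api/v1/users/{user_id}/sessions?oauthTokens=true",
        method="DELETE",
        headers={"Authorization": f"SSWS {api_token}", "Accept": "application/json"},
    )


def build_introspect_request(org_url: str, auth_server_id: str, client_id: str,
                             client_secret: str, token: str) -> Request:
    """RFC 7662 introspection POST with HTTP Basic client authentication."""
    body = urlencode({"token": token, "token_type_hint": "access_token"}).encode()
    basic = base64.b64encode(f"{client_id}:{client_secret}".encode()).decode()
    return Request(
        f"{org_url}/oauth2/{auth_server_id}/v1/introspect", data=body, method="POST",
        headers={"Authorization": f"Basic {basic}",
                 "Content-Type": "application/x-www-form-urlencoded",
                 "Accept": "application/json"},
    )


def token_is_active(introspect_body: str) -> bool:
    """Remote validation: trust only the "active" field; a revoked token yields active=false."""
    return bool(json.loads(introspect_body).get("active", False))


class FakeAuthorizationServer:
    """Constructed stand-in for the introspect endpoint so the demo runs offline."""
    def __init__(self):
        self.revoked = set()

    def clear_user_sessions(self, tokens_of_user) -> int:
        self.revoked.update(tokens_of_user)       # oauthTokens=true semantics
        return 204

    def introspect(self, token: str) -> str:
        return json.dumps({"active": token not in self.revoked})


def demo() -> dict:
    issuer = f"{ORG_URL}/oauth2/{AUTH_SERVER_ID}"
    now = time.time()
    token = make_hs256_token({"iss": issuer, "aud": AUDIENCE, "sub": USER_ID,
                              "exp": int(now) + 3600}, SIGNING_KEY)
    server = FakeAuthorizationServer()
    status = server.clear_user_sessions([token])
    return {
        "delete_status": status,
        "local_after_revoke": validate_locally(token, SIGNING_KEY, issuer, AUDIENCE, now),
        "remote_after_revoke": token_is_active(server.introspect(token)),
    }


if __name__ == "__main__":
    print(demo())   # local check still passes; introspection reports the token inactive
```

Run it and the local check reports the revoked token as valid (its signature and claims are untouched) while the introspection answer is active=false, which is exactly why a resource server that only validates locally cannot observe a session clear, and why short token lifetimes are the fallback control when introspection on every request is too expensive.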
Thanks for the reply. Yes, we are doing the remote validation. I was able to validate using the /introspect endpoint that an access token was revoked after performing the clear sessions.
We are now double-checking the remote validation process.