I can clear a users session via DELETE /api/v1/users/:id/sessions?oauthTokens=true, once the AT expires, the user is redirected to the widget to login. The widget doesn’t prompt the user for credentials even though their session was cleared. Why doesn’t clearing the user’s session require a full login? It just silently redirects the user through their normal OIDC flow.
A cookie might be authenticating them back in when they reach the widget. Ensure the JSession cookie is deleted as well
@abroadhurst This is more of a theoretical situation where I want to force a customer to authenticate again. I assumed that deleting the session would nullify the session cookie.
Does your tenant have IWA set up for seamless SSO?
@Govner No, we do have a desktop app but in this particular case it is with our custom Okta hosted widget and one of our web apps. Clear the session, once the AT expires, the user is redirected to the custom widget, widget does not prompt for creds, just proffers the user a new AT.
Revoking only the access token
Revoking only the access token will effectively force the use of the refresh token to retrieve a new access token. This could be useful if, for example, you have changed a user’s data and you want this information to be reflected in a new access token.
Revoking only the refresh token
If you revoke only the refresh token then the access token will also be revoked. This allows you to, for example, force a user to reauthenticate.
@Govner That is where I am confused. I am currently calling
DELETE /api/v1/users/:id/sessions?oauthTokens=true, so I am killing their refresh tokens and session. When the user is redirected to authenticate again, the Okta widget just implicitly logs them in. They are forced reauthenticate but without entering their credentials again, the widget just redirects them back to the app with a new token. I assumed they would be forced to reauthenticate with their creds. Does this mean we are hitting some kind of bug? Or is that expected behavior?
Can you please modify the logout page from Admin >> Settings >> Customization >> Sign-out page to be
https://yourOktaOrg.okta.com/login/default. This will prevent a potential reauthentication of the user.
@dragos Interesting, when we sign users out of our software we want them to go to our main site, so changing this won’t be possible for us. Curious though, how does this work? I don’t think I really understand why setting a particular sign out page would change the behavior here (we use the custom hosted widget too). Is there another workaround?
With the method above, it will prevent an automatic reauthentication of the user, when it arrives on the sign-in page.