Single logout across multiple applications

I am using the embedded Okta Sign-In Widget in a web application with the authorization code flow (standalone application), like below:

// Widget configuration as posted, with the config object closed so it parses
var signIn = new OktaSignIn({
    issuer: 'https://{yourOktaDomain}/oauth2/default',
    clientId: '{{clientId of your app}}',
    redirectUri: '{{redirectUri configured in app}}',
});

Doing research to find out if it is possible to log a user out of all applications at once.
I know we can call the logout API and clear the access_token in the browser; however, if I'm on another application I would still be logged in, as the access token still exists and is not expired.

Is there any way to expire all the sessions for the user?

To remove Okta browser session, you can use the logout redirect.

If you are using Okta Auth JS, use the signOut() method. Make sure the postLogoutRedirectUri configuration is set up in your application.

Ref: GitHub - okta/okta-auth-js: The official js wrapper around Okta's auth API

But with this, I think, if I am performing the logout operation from one application, it will log out from that one application only.
The second application will still be logged in.
My use case is: if I log out from one application, it should also log out from the other applications as well (single logout).

My use case example is like below:
I have two applications, A and B.
From application A, I connect to the standalone Okta login application for user login, which has the embedded Okta Sign-In Widget with the authorisation code flow logic.
From application B, I can also connect to the standalone Okta login application for user login.

Let’s say, if I am performing logout operation for application A then it should also logout from application B as well.


@andrea @abole
Any idea on the above query?

I don’t see a way to do that, as each application is handling its own application sessions.

Okta’s endpoints can only help with ending the Okta session (which would affect future logins and potentially token refreshes) or revoking the tokens. If the application isn’t sending access tokens to /userinfo or /introspect, it won’t even notice if the tokens have been revoked. The application will need to clear its own storage instead, and I just don’t see how a separate app is going to be able to access how the other application manages its own session (and likely on its own domain).

A couple of ideas @tparikh:

  1. If each of your apps is using shorter-lived access tokens, logout is less of an issue (unless you issue longer-lived refresh tokens). Those access tokens will expire and can’t be renewed. This is handy if your applications don’t use their own state mechanisms and just rely on tokens.
  2. If your A and B apps have their own state mechanisms, two tricks we used in the ‘old days’ were to either:
  • Redirect chain through all the logout endpoints (e.g. App A’s logout page kills the session, then redirects to App B’s logout page, which kills its session and then redirects to some kind of final ‘you’ve logged out’ page). If you’ve got a lot of apps, this can be tedious. You also still need to kill Okta sessions / tokens.
  • The other way was to build one page which then invoked every other app’s logout page / URI (a JavaScript AJAX call to each logout page, or anything which could trigger a GET request to the logout endpoint for each app).
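As an added example (not code from anyone in this thread and not Okta’s own code), here is the redirect-chain idea from the reply above combined with the Okta end-session request that the earlier signOut() answer relies on, in plain Node.js with no dependencies. Okta’s OIDC logout endpoint is {issuer}/v1/logout and takes id_token_hint plus an optional post_logout_redirect_uri (which must be registered on the app) and state. Everything else is this example’s own: the function names, the `next` query parameter used to carry the chain, the placeholder tenant example.okta.com, the hostnames app-a.example / app-b.example and the token value. The part a practitioner most often gets wrong is also shown: each app’s logout handler must validate `next` against an allowlist, otherwise the chain parameter is an open redirect.

```javascript
// Added example, not code from this thread or from Okta. Demonstrates the
// "redirect chain" logout (app A -> app B -> Okta end-session endpoint) and the
// allowlist check each app's logout handler needs so the chain parameter does
// not become an open redirect. All hostnames, the token value and the `next`
// parameter name are placeholders chosen for this example.

// OIDC RP-initiated logout URL on Okta's default authorization server.
// Okta requires id_token_hint; post_logout_redirect_uri must be registered on the app.
function buildOktaLogoutUrl(issuer, idToken, postLogoutRedirectUri, state) {
  // Trailing slash so 'v1/logout' resolves under /oauth2/default, not /oauth2.
  const base = issuer.endsWith('/') ? issuer : issuer + '/';
  const url = new URL('v1/logout', base);
  url.searchParams.set('id_token_hint', idToken);
  if (postLogoutRedirectUri) url.searchParams.set('post_logout_redirect_uri', postLogoutRedirectUri);
  if (state) url.searchParams.set('state', state);
  return url.toString();
}

// Nest the hops from the tail: the first app's logout URL carries ?next=<second
// app's logout URL>, whose own ?next= carries the third, ending at finalUrl.
function buildLogoutChain(appLogoutUrls, finalUrl) {
  let next = finalUrl;
  for (const base of [...appLogoutUrls].reverse()) {
    const url = new URL(base);
    url.searchParams.set('next', next); // searchParams percent-encodes the nested URL
    next = url.toString();
  }
  return next;
}

// Server-side check inside each app's logout handler: follow `next` only to an
// https origin on the allowlist, otherwise fall back to a local logged-out page.
function resolveNext(nextParam, allowedOrigins, fallback) {
  let target;
  try {
    target = new URL(nextParam);
  } catch (_) {
    return fallback; // not an absolute URL at all
  }
  if (target.protocol !== 'https:' || !allowedOrigins.includes(target.origin)) {
    return fallback; // blocks javascript:, http: and any unlisted host
  }
  return target.toString();
}

// Offline simulation of the browser following the chain: each hop stands for an
// app clearing its own session and redirecting to the validated `next`. Returns
// origin+path of every hop visited. It stops at the Okta end-session URL because
// Okta validates post_logout_redirect_uri itself and never reads `next`.
function simulateChain(startUrl, allowedOrigins, fallback) {
  const visited = [];
  let current = startUrl;
  for (let hops = 0; hops < 10 && current; hops++) {
    const url = new URL(current);
    visited.push(url.origin + url.pathname);
    const next = url.searchParams.get('next');
    if (next === null) break;
    current = resolveNext(next, allowedOrigins, fallback);
  }
  return visited;
}

// Constructed sample input (placeholder tenant, apps and token).
const ISSUER = 'https://example.okta.com/oauth2/default';
const APPS = ['https://app-a.example/logout', 'https://app-b.example/logout'];
const ALLOWED = ['https://app-a.example', 'https://app-b.example', 'https://example.okta.com'];
const LOGGED_OUT = 'https://app-a.example/logged-out';

function demo() {
  const oktaLogout = buildOktaLogoutUrl(ISSUER, 'ID_TOKEN_PLACEHOLDER', LOGGED_OUT, 'xyz');
  const chain = buildLogoutChain(APPS, oktaLogout);
  return { chain, visited: simulateChain(chain, ALLOWED, LOGGED_OUT) };
}

const result = demo();
console.log('Send the browser to:\n' + result.chain);
console.log('Hops visited:', result.visited);
```

Run it with node. Two caveats worth keeping in mind: the AJAX fan-out variant from the last bullet needs every logout endpoint to accept cross-origin credentialed requests (CORS with Access-Control-Allow-Credentials) and silently stops working once the browser blocks third-party cookies, which is why the chain tends to be the more reliable of the two; and ending the Okta session via /v1/logout does not invalidate access tokens that were already issued, so if the apps introspect tokens, revoke them at /v1/revoke as well, as the reply above notes.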