Single logout across multiple applications

I am using the embedded Okta Sign-In Widget in a web application with the authorization code flow (standalone application), like below:

// Placeholders in braces must be replaced with the values from your Okta app
var signIn = new OktaSignIn({
    issuer: 'https://{yourOktaDomain}/oauth2/default',
    clientId: '{{clientId of your app}}',
    redirectUri: '{{redirectUri configured in app}}',
});

I am doing research to find out if it is possible to log a user out of all applications at once.
I know we can call the logout API and clear the access_token in the browser; however, if I'm on another application I would still be logged in, as the access token still exists and is not expired.

Is there any way to expire all the sessions for the user?

To remove the Okta browser session, you can use the logout redirect.

If you are using Okta Auth JS, use the signOut() method. Make sure the postLogoutRedirectUri configuration is set up in your application.

Ref: GitHub - okta/okta-auth-js: The official js wrapper around Okta's auth API
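The logout redirect described in the answer above, as an added example that is not code from the thread or from okta-auth-js: it builds the RP-initiated logout request that signOut() sends to Okta's /v1/logout endpoint (id_token_hint is required; post_logout_redirect_uri and state are optional, and state is echoed back on the redirect), validates the post-logout redirect against an allow-list, and clears the calling application's own token storage. The issuer, token, URIs and storage keys are hypothetical placeholders.

```javascript
// Added example (not from the original post or from okta-auth-js).
// Builds the Okta RP-initiated logout redirect: GET {issuer}/v1/logout
// All values below are hypothetical placeholders.

// Only exact matches are accepted: no prefix, wildcard or substring matching,
// so a lookalike host such as app-a.example.com.evil.test is rejected and the
// logout endpoint cannot be turned into an open redirect.
const ALLOWED_POST_LOGOUT_URIS = [
  'https://app-a.example.com/logged-out',
  'https://app-b.example.com/logged-out',
];

function isAllowedPostLogoutUri(uri) {
  return ALLOWED_POST_LOGOUT_URIS.includes(uri);
}

// Okta's /v1/logout requires id_token_hint; post_logout_redirect_uri and
// state are optional. The URL class percent-encodes the query values.
function buildLogoutUrl({ issuer, idToken, postLogoutRedirectUri, state }) {
  if (typeof idToken !== 'string' || idToken.length === 0) {
    throw new Error('id_token_hint is required');
  }
  if (postLogoutRedirectUri !== undefined && !isAllowedPostLogoutUri(postLogoutRedirectUri)) {
    throw new Error('post_logout_redirect_uri is not on the allow-list');
  }
  const url = new URL(`${issuer.replace(/\/+$/, '')}/v1/logout`);
  url.searchParams.set('id_token_hint', idToken);
  if (postLogoutRedirectUri !== undefined) {
    url.searchParams.set('post_logout_redirect_uri', postLogoutRedirectUri);
  }
  if (state !== undefined) {
    url.searchParams.set('state', state);
  }
  return url.toString();
}

// What one application can do for itself before redirecting: remove its own
// copies of the tokens. `storage` is a Web Storage-like object (localStorage,
// sessionStorage) and `keys` are whatever key names this app uses; this only
// touches this app's origin, not another application's storage.
function clearLocalTokens(storage, keys) {
  for (const key of keys) {
    storage.removeItem(key);
  }
  return keys.length;
}

// Typical use in a browser (hypothetical values):
//   clearLocalTokens(window.localStorage, ['access_token', 'id_token']);
//   window.location.assign(buildLogoutUrl({
//     issuer: 'https://{yourOktaDomain}/oauth2/default',
//     idToken: savedIdToken,
//     postLogoutRedirectUri: 'https://app-a.example.com/logged-out',
//     state: 'logout-1',
//   }));
```

The redirect ends the Okta session in the browser; the clearLocalTokens step is what ends this application's own session, and a second application on another origin has to perform the same local step itself, which is the limitation the rest of the thread discusses.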

But with this, I think, if I am performing a logout operation from one application then it will log out from that one application only.
For the second application it will still be logged in.
My use case is: if I am logging out from one application then it should also log out from the other applications as well (single logout).

My use case example is as below:
I have two applications, A and B.
From application A, I am connecting to the Okta standalone login application for user login, which has the embedded Okta Sign-In Widget with authorization code flow logic.
From application B, I can also connect to the standalone Okta login application for user login.

Let's say, if I am performing a logout operation for application A, then it should also log out from application B as well.


@andrea @abole
Any idea on above query?

I don’t see a way to do that, as each application is handling its own application sessions.

Okta's endpoints can only help with ending the Okta session (which would affect future logins and potentially token refreshes) or revoking the tokens. If the application isn't sending access tokens to /userinfo or /introspect, it won't even notice if the tokens have been revoked. The application will need to clear its own storage instead, and I just don't see how a separate app is going to be able to access how the other application manages its own session (and likely on its own domain).
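The point in the answer above, that an application checking a token locally never notices revocation unless it asks the authorization server, as an added example that is not code from the thread or from Okta's SDKs. The tokens are constructed, unsigned JWT-shaped strings, and the "authorization server" is an in-memory stand-in for Okta's /v1/revoke and /v1/introspect calls (introspection answers {"active": false} for a revoked or expired token). Real code must also verify the token signature and make the introspection call over HTTPS with client authentication; both are omitted here.

```javascript
// Added example (not from the original post or from Okta's SDKs).
// Shows why a local exp check passes a revoked token while introspection
// rejects it. Tokens are constructed, unsigned, and for demonstration only.

function base64url(buf) {
  return buf.toString('base64').replace(/\+/g, '-').replace(/\//g, '_').replace(/=+$/, '');
}

function fromBase64url(s) {
  return Buffer.from(s.replace(/-/g, '+').replace(/_/g, '/'), 'base64');
}

// header.payload. with an empty signature (alg "none"); never accept such a
// token in production, it exists here only to feed the checks below.
function makeUnsignedToken(payload) {
  const header = base64url(Buffer.from(JSON.stringify({ alg: 'none', typ: 'JWT' })));
  const body = base64url(Buffer.from(JSON.stringify(payload)));
  return `${header}.${body}.`;
}

function decodePayload(token) {
  const parts = token.split('.');
  if (parts.length !== 3) throw new Error('not a JWT');
  return JSON.parse(fromBase64url(parts[1]).toString('utf8'));
}

// Local check: only the exp claim. A revoked token keeps passing this until
// it expires, which is exactly what the thread is pointing out.
function isValidLocally(token, now = Math.floor(Date.now() / 1000)) {
  const { exp } = decodePayload(token);
  return Number.isInteger(exp) && exp > now;
}

// In-memory stand-in for the authorization server (constructed for this
// example): revoke() plays the role of /v1/revoke, introspect() the role of
// /v1/introspect. `now` is fixed so results are deterministic.
function createFakeAuthServer(now) {
  const revoked = new Set();
  return {
    revoke(token) {
      revoked.add(token);
    },
    introspect(token) {
      if (revoked.has(token)) return { active: false };
      const p = decodePayload(token);
      return p.exp > now ? { active: true, sub: p.sub, exp: p.exp } : { active: false };
    },
  };
}

// Per-request decision in an API or app. `introspect` is injected; in
// production it is an authenticated POST to {issuer}/v1/introspect and is
// asynchronous, here it is a synchronous stub so the example runs offline.
function decideAccess(token, introspect, now) {
  if (!isValidLocally(token, now)) return 'deny: expired';
  if (introspect(token).active !== true) return 'deny: revoked';
  return 'allow';
}
```

The trade-off is the one the answer implies: the local check is free but blind to revocation, while introspection is authoritative and costs a network round trip per request (or per cache interval), so an application that wants revocation to take effect promptly has to make that call rather than rely on the token's expiry.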