I have an SPA that calls API’s hosted on AWS Lambda. I’m using the okta-react library for authentication and it’s working well. I have a couple questions about the logout step.
The example app in okta-react’s documentation clears the tokens from local storage and makes a DELETE request to /api/v1/sessions/me during logout. However, calling the /introspect endpoint with the access token reveals it is still active. Is this a problem? Should I also revoke the access token?
The other question is, instead of making the DELETE request to the sessions/me endpoint, I’m redirecting to the /logout endpoint. Are these two equivalent, or should I also be making the DELETE request? I think hitting /logout will also clear/close the Okta session and it seems to be working well, but just wanted to make sure I am doing the right thing because I’m deviating from the documentation of okta-react.
The Okta session is not linked with the JWT token lifetime. If you would like to close the Okta session and revoke the JWT tokens, then you would need to do:
a request to /logout (for closing Okta session and revoking the ID token linked with the session)
a request to /revoke (for revoking the access token and/or refresh token issued)
When doing a DELETE request to the sessions endpoint, the JWT tokens will not be affected and would still appear as active when being validated against /introspect until they expire.
Thank you for the response. However the answer didn’t clarify to me the following:
Is /logout equivalent to DELETE /sessions/me in terms of closing the Okta session?
Is a call to /revoke necessary? In other words, is there a security risk in just clearing the token from browser storage and let the access_token expire? Because /revoke requires the client_secret in the header and I don’t have a backend server other than API Gateway, currently I created a proxy /revoke-access-token endpoint that my app calls from the browser, then the proxy calls the Okta /revoke endpoint with the Authorization header that contains client_id+client_secret.
Also, forgot to mention that I’m using Implicit flow since it’s an SPA.
The /logout as document appears to perform the same ultimate action as DELETE /sessions/me. he Okta session is destroyed.
The call to /revoke will only be effective if the access token is validated via the /introspect API. If you are performing local validation, then the revocation will not be seen by the local validator. In terms of security, the ability to steal the access token from the various components involved (SPA memory, API Gateway, service endpoint, communications channel) is the issue. Revoking the token decreases the time an attacker may use the token, but only if remote validation is in place.
Yes, I realized the issue with the local validator and have my authorizer call the /introspect endpoint to validate the token. I have opted to keep revoking the token when the user logs out via the proxy and reduce the valid time of the access token as well.