I have an SPA that calls APIs hosted on AWS Lambda. I’m using the okta-react library for authentication and it’s working well. I have a couple of questions about the logout step.
The example app in okta-react’s documentation clears the tokens from local storage and makes a DELETE request to /api/v1/sessions/me during logout. However, calling the /introspect endpoint with the access token reveals it is still active. Is this a problem? Should I also revoke the access token?
The other question is, instead of making the DELETE request to the sessions/me endpoint, I’m redirecting to the /logout endpoint. Are these two equivalent, or should I also be making the DELETE request? I think hitting /logout will also clear/close the Okta session and it seems to be working well, but just wanted to make sure I am doing the right thing because I’m deviating from the documentation of okta-react.
Thanks in advance!