SPA logout questions

I have an SPA that calls APIs hosted on AWS Lambda. I’m using the okta-react library for authentication and it’s working well. I have a couple of questions about the logout step.

The example app in okta-react’s documentation clears the tokens from local storage and makes a DELETE request to /api/v1/sessions/me during logout. However, calling the /introspect endpoint with the access token reveals it is still active. Is this a problem? Should I also revoke the access token?

The other question is, instead of making the DELETE request to the sessions/me endpoint, I’m redirecting to the /logout endpoint. Are these two equivalent, or should I also be making the DELETE request? I think hitting /logout will also clear/close the Okta session and it seems to be working well, but just wanted to make sure I am doing the right thing because I’m deviating from the documentation of okta-react.

Thanks in advance!

Hi @pacauth

The Okta session is not linked with the JWT token lifetime. If you would like to close the Okta session and revoke the JWT tokens, then you would need to do:

  • a request to /logout (for closing Okta session and revoking the ID token linked with the session)
  • a request to /revoke (for revoking the access token and/or refresh token issued)

When doing a DELETE request to the sessions endpoint, the JWT tokens will not be affected and would still appear as active when being validated against /introspect until they expire.

Hi @dragos,

Thank you for the response. However, the answer didn’t clarify the following for me:

  1. Is /logout equivalent to DELETE /sessions/me in terms of closing the Okta session?

  2. Is a call to /revoke necessary? In other words, is there a security risk in just clearing the token from browser storage and letting the access_token expire? Because /revoke requires the client_secret in the header and I don’t have a backend server other than API Gateway, I currently have a proxy /revoke-access-token endpoint that my app calls from the browser; the proxy then calls the Okta /revoke endpoint with an Authorization header that contains client_id+client_secret.

Also, forgot to mention that I’m using Implicit flow since it’s an SPA.
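An added example, not code from okta-react or from anyone in this thread, that wires together the two requests dragos lists (revoke, then /logout) in the order a browser SPA needs, using the /revoke-access-token proxy described in the question. The issuer URL, post-logout redirect URI, proxy request body and the storage key are assumptions.

```javascript
// Added example, not code from okta-react or this thread.
// Assumptions (hypothetical values): ISSUER, POST_LOGOUT_URI, the proxy
// request body, and the localStorage key.
const ISSUER = "https://dev-000000.okta.com/oauth2/default";
const POST_LOGOUT_URI = "https://app.example.com/";
const PROXY_REVOKE_URL = "/revoke-access-token"; // the proxy from the thread
const TOKEN_STORAGE_KEY = "okta-token-storage";  // assumed storage key

// Build the /logout redirect. id_token_hint tells Okta which session to
// close; post_logout_redirect_uri must be allow-listed on the Okta app.
function buildLogoutUrl(idToken, postLogoutUri = POST_LOGOUT_URI) {
  const params = new URLSearchParams({
    id_token_hint: idToken,
    post_logout_redirect_uri: postLogoutUri,
  });
  return `${ISSUER}/v1/logout?${params.toString()}`;
}

// Revoke the access token through the backend proxy, which holds the
// client_secret and forwards to Okta's /v1/revoke. Returns true on a 2xx.
async function revokeViaProxy(accessToken, fetchFn = fetch) {
  const res = await fetchFn(PROXY_REVOKE_URL, {
    method: "POST",
    headers: { "Content-Type": "application/json" },
    body: JSON.stringify({ token: accessToken, token_type_hint: "access_token" }),
  });
  return res.ok;
}

// Full logout in the order that matters: revoke while we still hold the
// token, drop it from storage, then redirect so Okta ends its own session.
// fetchFn/navigate/storage are injectable so the flow can run outside a browser.
async function logout(tokens, deps = {}) {
  const fetchFn = deps.fetchFn || fetch;
  const navigate = deps.navigate || ((url) => window.location.assign(url));
  const storage = deps.storage || localStorage;
  const revoked = await revokeViaProxy(tokens.accessToken, fetchFn);
  storage.removeItem(TOKEN_STORAGE_KEY);
  const url = buildLogoutUrl(tokens.idToken);
  navigate(url);
  return { revoked, url };
}
```

Once revokeViaProxy has succeeded, /introspect reports the access token as inactive; without that call it stays active until expiry, as dragos notes above.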