The relationship between revoke a token and signing out

What is the implication of signing out and not revoking a token, or of signing out when the call to revoke the token fails? Also, what is the expected behavior when logging out: is it expected that we should call the revoke token endpoint after calling the logout endpoint?

So I am still hoping to get some advice here. After calling the logout endpoint, do I have to call the revoke endpoint to revoke the token, or are both the access and refresh tokens revoked once you are logged out? Thanks in advance, anyone.

What do you mean by signing out?

To better answer this, there are three things you can do when a user wants to log out of your OIDC application (or whom you are logging out due to their being idle), and they revolve around the two different types of logout: signing users out of your application and signing users out of Okta.

  • Revoke tokens: ensures that the user's access and refresh tokens cannot be reused. This is a particularly good idea if you are securing an API with these tokens, as the user will now need to request new tokens to be able to access protected resources.
  • Clear the application session: ends the user's actual session within your application. This will also force them to re-authenticate with your application.
  • End the IdP session: this one is optional depending on your use case. When logging the user out of your OIDC application, you can use the /logout endpoint to also end their Okta session.

Each of these steps must be completed individually, though our SDKs often combine them in a single method call. For example, if you are using our AuthJS library (or the related Angular, React, or Vue SDKs), the signOut method is designed to complete all three portions for you.
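As an added illustration (not code from this thread or from Okta's SDKs), here are the three steps above performed separately: an RFC 7009 revocation request for the refresh token, clearing the application's own session, and building the /logout URL. The issuer, client_id, tokens and redirect URI are constructed placeholders, the `http` function is injected so the example runs offline, and the handling of a failed revoke (clear the local session anyway and report the failure) is this example's own choice, not a statement of SDK behaviour.

```javascript
// Added example, not from the thread or Okta's SDKs. `issuer` is the
// authorization server base URL; `http(url, options)` is an injected async
// function returning { ok, status } so the code runs without a network.
const enc = (params) => new URLSearchParams(params).toString();

// Step 1: RFC 7009 revocation. Revoking the refresh token also revokes the
// access token issued alongside it, per the answer above.
function buildRevokeRequest(issuer, clientId, refreshToken) {
  return {
    url: `${issuer}/v1/revoke`,
    options: {
      method: 'POST',
      headers: { 'Content-Type': 'application/x-www-form-urlencoded' },
      body: enc({ token: refreshToken, token_type_hint: 'refresh_token', client_id: clientId }),
    },
  };
}

// Step 3 (optional): end the Okta session through the /logout endpoint.
function buildLogoutUrl(issuer, idToken, postLogoutRedirectUri) {
  return `${issuer}/v1/logout?${enc({ id_token_hint: idToken, post_logout_redirect_uri: postLogoutRedirectUri })}`;
}

// Runs the steps individually. `session` is the app's own token store (step 2).
// A failed revoke does not abort the local sign-out; it is reported so the
// caller knows the tokens may remain usable until they expire.
async function signOut({ issuer, clientId, session, http, endIdpSession = false, postLogoutRedirectUri }) {
  const result = { revoked: false, sessionCleared: false, logoutUrl: null };
  const { url, options } = buildRevokeRequest(issuer, clientId, session.refreshToken);
  try {
    const res = await http(url, options);
    result.revoked = res.ok;          // RFC 7009 servers return 200 even for unknown tokens
  } catch (e) {
    result.revoked = false;           // network or server failure: tokens not confirmed revoked
  }
  const idToken = session.idToken;    // needed for id_token_hint after the store is cleared
  Object.keys(session).forEach((k) => delete session[k]);  // step 2: clear the app session
  result.sessionCleared = true;
  if (endIdpSession) result.logoutUrl = buildLogoutUrl(issuer, idToken, postLogoutRedirectUri);
  return result;
}
```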

Thank you very much @andrea. I read the article in the first link and it makes it clear what we need to look into before we decide which approach to take. So the fact is that we only need to sign out of our app and not Okta; that being the case, revoking the refresh token, which also revokes the access token, will accomplish that, right?

Correct, revoking a refresh token will revoke the associated access token.
