Validate access token is linked to Okta session

We have an SPA which passes an authenticated user’s access token with any back-end service requests the UI makes.
If that token was stolen it could be used to call those services whilst the token is still valid (or at least not expired) in a ‘replay attack’. We can shorten the expiry time and could add compromised tokens to a deny list to mitigate some of that, but we would also like be able to determine if the Okta user session was still valid for an access token that’s been passed to a particular back-end service (so not all services) - i.e. the service is able to ask Okta if the passed access token is linked to an active user session. If the user has logged out of the UI and terminated the Okta session, the answer would be no.

We had assumed that the /introspect endpoint could be used for this purpose but this does not seem to be the case.

Is there a way to check if an access token is linked to an active Okta session from a back-end service (where there is no browser sessionId)?


If you have the ability to use Custom Authorization Servers (requires an additional license/specific SKU), there is a way to store the user’s session ID in the user’s token(s). With Custom Authorization Servers comes the ability to use Token Inline Hooks to synchronously add/change data in a user’s tokens before they are sent back to the SPA.

Here’s how this would generally look:

  1. Create endpoint for your Token Inline Hook and configure the endpoint to accept requests from Okta and respond with a JSON object containing a list of commands (in this case, adding a claim to a token). For your use case, you would want to grab the session ID that Okta sends in the hook request (stored in and set it to the value of the claim you are adding.
  2. Register your Hook in Okta and enable the hook on an Access Rule for the Custom Authorization Server you will be using for this application. Ensure the Policy/Rule WILL get triggered when users log into your SPA
  3. Double check that your application is using the Custom Authorization Server you added the hook to!
  4. After the user logs in and the access token is sent to your backend, you can take the session ID from the claim and send it to the Sessions endpoint to check its status. This will indicate whether or not that session is still considered Active.

After setting up the hook as described above, my token payload looks like the following:

I can then take that sessionId and send it to /api/v1/sessions:

1 Like

This topic was automatically closed 24 hours after the last reply. New replies are no longer allowed.