Validating user session on backend using OAuth workflow

The official guides (PHP backend, for example) use standard OAuth to get an access token, which logs the user in. Now that user is permanently logged in with no way to revoke or control their access and no connection to the frontend browser session. How can I manage their session lifetime or check to see if they are still logged into Okta? I’m really confused because all of the guides and reference pages assume that the Okta client widget is being used, which is not helpful for me.

Hi @nathanjosiah

You can check if a user is still active inside Okta by doing an AJAX request to /api/v1/sessions/me and parsing the response. If there is no active session, you should receive an answer like the following:

{"errorCode":"E0000007","errorSummary":"Not found: Resource not found: me (Session)","errorLink":"E0000007","errorId":"oaerk-sohsvT8utb5GU-Lwvyw","errorCauses":[]}
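An added example (not code from the thread or from Okta) showing how a frontend can make that call and classify the response. It assumes the browser holds an Okta session cookie, that the Okta org allows the app's origin for CORS, and that an active session comes back as an object with `status: "ACTIVE"`; the active-session body below is constructed, the error body is the one quoted above.

```javascript
// Added example: query Okta's GET /api/v1/sessions/me and decide whether the
// browser still has an active Okta session. The session cookie must be sent,
// so the request is made with credentials included.

const NO_SESSION_ERROR_CODE = 'E0000007'; // "Not found" code quoted in the thread

// Pure function: turn an HTTP status + body text into a session verdict.
function parseSessionResponse(status, bodyText) {
  let body;
  try {
    body = JSON.parse(bodyText);
  } catch (e) {
    return { active: false, reason: 'unparseable response body' };
  }
  // Okta error envelope: { errorCode, errorSummary, ... }
  if (body && typeof body.errorCode === 'string') {
    const reason = body.errorCode === NO_SESSION_ERROR_CODE
      ? 'no active Okta session'
      : `Okta error ${body.errorCode}: ${body.errorSummary || ''}`.trim();
    return { active: false, reason };
  }
  // Assumption: an active session is a 200 with status "ACTIVE" and an expiresAt.
  if (status === 200 && body && body.status === 'ACTIVE') {
    return {
      active: true,
      sessionId: body.id,
      userId: body.userId,
      expiresAt: body.expiresAt ? new Date(body.expiresAt) : null,
    };
  }
  return { active: false, reason: `unexpected response (HTTP ${status})` };
}

// Browser side: only runs when called, e.g. on a timer or before a sensitive action.
async function checkOktaSession(oktaOrigin) {
  const res = await fetch(`${oktaOrigin}/api/v1/sessions/me`, {
    method: 'GET',
    credentials: 'include',                  // send the Okta session cookie
    headers: { Accept: 'application/json' },
  });
  return parseSessionResponse(res.status, await res.text());
}

// Sample responses: the error body from the thread, and a constructed active session.
const SAMPLE_NO_SESSION = '{"errorCode":"E0000007","errorSummary":"Not found: Resource not found: me (Session)","errorLink":"E0000007","errorId":"oaerk-sohsvT8utb5GU-Lwvyw","errorCauses":[]}';
const SAMPLE_ACTIVE = JSON.stringify({
  id: 'session-id-placeholder', userId: 'user-id-placeholder',
  status: 'ACTIVE', expiresAt: '2030-01-01T00:00:00.000Z',
});
```

Note that this checks the browser's Okta session cookie, which is independent of the OAuth access token the backend holds; a positive result tells the frontend only that the Okta session is still alive.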

Hey @dragos, thanks for the reply. I can see that I can get this session information from the client, but am I able to verify on the back end somehow? The back end has an OAuth access token and nothing else at the moment. I’m not clear on the expected workflow here.