What is "Sign me out of all other devices" doing at the backend?

When we are performing Forgot Password, there is an option which shows "Sign me out of all other devices". What is this option for?

We tried logging in from the first browser and I performed introspection on the access/ID token. Both tokens show as active.

After we successfully performed Forgot Password with the option checked on another device, I performed another introspection on the access/ID token from the first browser. Both tokens still show as active. Why is it so?



I will need to verify, but features.showSessionRevocation,

If set to true, it will show a checkbox that allows the user to revoke all of their active sessions during a Self Service Password Reset.

will invalidate other Okta sessions (cookies) if you have sessions open in other browsers/devices; it will not revoke tokens.

Will verify.

Thank You,

Is this the intended behaviour or a bug?

When I close the current session using the API, the idToken is revoked and turns inactive.

But the idToken is not revoked after revoking all active sessions during a Self Service Password Reset.

ID tokens cannot be revoked, only Refresh and ID Tokens can.

You mean access token. :smile:

Yes. I understand the ID token cannot be revoked using the API, but I noticed that the ID token is revoked when I close my session using the API.

Just wondering how come a password reset does not invalidate all the related ID tokens on the Okta side when they allow the user to close all existing sessions based on the option provided.

Ooph, yeah. You’re right.

At least by design, a user’s tokens are not automatically invalidated unless the user has been deactivated/deleted within Okta. Otherwise you need to manually revoke their tokens.
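The check the original question performs, and the API calls the last reply says you have to make yourself, as an added example (this is not code from the thread or from Okta): introspect the access token before and after the password reset, compare the two answers, and build the revoke and clear-sessions requests. The org URL, authorization server id, client credentials, API token and user id are placeholders read from the environment; the paths are the standard Okta endpoints (OAuth 2.0 `/v1/introspect` and `/v1/revoke` on an authorization server, and `DELETE /api/v1/users/{id}/sessions` on the Users API, whose `oauthTokens=true` parameter is what revokes the user's access and refresh tokens in addition to clearing sessions).

```python
"""Added example (not from the thread): introspect an Okta access token before
and after a session-revoking password reset, and the API calls that do revoke
tokens. All org, client, token and user values are hypothetical placeholders."""
import base64
import json
import os
import sys
import urllib.parse
import urllib.request


def basic_auth_header(client_id: str, client_secret: str) -> str:
    """client_secret_basic credentials for the OAuth 2.0 endpoints."""
    raw = f"{client_id}:{client_secret}".encode()
    return "Basic " + base64.b64encode(raw).decode()


def _oauth_request(org, auth_server, endpoint, client_id, client_secret, token, hint):
    # Custom authorization server: /oauth2/{id}/v1/...; org authorization server: /oauth2/v1/...
    base = f"{org}/oauth2/{auth_server}/v1" if auth_server else f"{org}/oauth2/v1"
    body = urllib.parse.urlencode({"token": token, "token_type_hint": hint}).encode()
    headers = {
        "Authorization": basic_auth_header(client_id, client_secret),
        "Content-Type": "application/x-www-form-urlencoded",
        "Accept": "application/json",
    }
    return urllib.request.Request(f"{base}/{endpoint}", data=body, headers=headers, method="POST")


def build_introspect_request(org, auth_server, client_id, client_secret, token, hint="access_token"):
    """RFC 7662 introspection; Okta accepts access_token, refresh_token or id_token as the hint."""
    return _oauth_request(org, auth_server, "introspect", client_id, client_secret, token, hint)


def build_revoke_request(org, auth_server, client_id, client_secret, token, hint="access_token"):
    """RFC 7009 revocation; only access and refresh tokens can be revoked, never ID tokens."""
    return _oauth_request(org, auth_server, "revoke", client_id, client_secret, token, hint)


def build_clear_sessions_request(org, api_token, user_id, revoke_oauth_tokens=True):
    """Users API: DELETE /api/v1/users/{id}/sessions clears the user's Okta sessions;
    with oauthTokens=true Okta also revokes that user's access and refresh tokens."""
    query = "?oauthTokens=true" if revoke_oauth_tokens else ""
    headers = {"Authorization": f"SSWS {api_token}", "Accept": "application/json"}
    return urllib.request.Request(f"{org}/api/v1/users/{user_id}/sessions{query}",
                                  headers=headers, method="DELETE")


def parse_introspection(body: bytes) -> dict:
    """A revoked, expired or unknown token comes back as {"active": false} with no other
    claims, so the remaining fields are only meaningful when active is true."""
    data = json.loads(body)
    active = bool(data.get("active", False))
    return {"active": active,
            "sub": data.get("sub") if active else None,
            "exp": data.get("exp") if active else None,
            "client_id": data.get("client_id") if active else None}


def revocation_took_effect(before: bytes, after: bytes) -> bool:
    """The check from the question: active before the reset, inactive after it.
    False means the reset only cleared sessions (cookies) and the token still works."""
    return parse_introspection(before)["active"] and not parse_introspection(after)["active"]


def send(req: urllib.request.Request):
    with urllib.request.urlopen(req, timeout=10) as resp:
        return resp.status, resp.read()


if __name__ == "__main__":
    # Real values come from the environment; nothing in this file is a working credential.
    try:
        org, client_id, secret, token = (os.environ[k] for k in
            ("OKTA_ORG", "OKTA_CLIENT_ID", "OKTA_CLIENT_SECRET", "OKTA_ACCESS_TOKEN"))
    except KeyError as missing:
        sys.exit(f"set {missing} (and optionally OKTA_AUTH_SERVER, default 'default')")
    auth_server = os.environ.get("OKTA_AUTH_SERVER", "default")
    status, before = send(build_introspect_request(org, auth_server, client_id, secret, token))
    print("before:", status, parse_introspection(before))
    input("Run the password reset with 'Sign me out of all other devices' checked, then press Enter")
    status, after = send(build_introspect_request(org, auth_server, client_id, secret, token))
    print("after:", status, parse_introspection(after))
    print("revocation took effect:", revocation_took_effect(before, after))
```

If the second introspection still reports `active: true`, the token survived the reset, which is the behaviour the thread describes; to actually invalidate it, send `build_revoke_request(...)` for the access and refresh tokens, or `build_clear_sessions_request(...)` with `oauthTokens=true` to do both sessions and tokens in one call. ID tokens cannot be revoked through either endpoint, so a relying party that needs them to stop working should treat them as short-lived and rely on access-token introspection instead.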