When we are performing Forget Password, there is an option which is showing “Sign me out of all other devices”. What is this option for?
We have tried logging in from the first browser, and I performed an introspect on the access/ID token. Both tokens are showing as active.
After we successfully performed forget password with the option checked on another device, I performed another introspect on the access/ID token from the first browser. Both tokens still show as active. Why is that so?
Yes. I understand the ID token cannot be revoked using the API, but I noticed that the ID token is revoked when I close my session using the API.
Just wondering how come reset password does not invalidate all the related ID tokens on the Okta side when they allow the user to close all existing sessions based on the option provided.