nokia / kong-oidc

OIDC plugin for Kong
Apache License 2.0

Kong session/tokens after logout from IdP #209

Open jahanzaib91 opened 1 year ago

jahanzaib91 commented 1 year ago

Hi,

We are using this plugin with our Kong setup. Okta is acting as the OP/IdP for the OIDC setup. The configuration works fine for login activity: redirection to Okta takes place, authentication happens, and a session is established at the Kong OIDC plugin.

However, regarding logout, we are seeing that even after logging out from Okta, Kong still maintains the session and redirects to Okta only after one hour, which is the current access token lifetime in Okta.

According to Okta, the access tokens should be revoked as soon as we logout from Okta.

Does this mean that this plugin validates the access token with Okta only after the token expiry time? And before that, it doesn't know that the token has been revoked and continues the session?

Regards, Jahanzaib
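The behaviour this issue describes (a gateway session that outlives a token revoked at the IdP) contrasted with a session check that periodically re-asks the OP via token introspection (RFC 7662), as an added example that is not kong-oidc's or the reporter's code. `FakeOP`, `GatewaySession`, the token name and the timestamps are constructed stand-ins for Okta and the plugin; a real gateway would call the OP's introspection endpoint over HTTPS with client credentials.

```python
class FakeOP:
    """Stand-in for the OP (e.g. Okta); real code would call its /introspect endpoint."""
    def __init__(self):
        self._tokens = {}            # access_token -> exp (unix seconds)
    def issue(self, token, exp):
        self._tokens[token] = exp
    def revoke(self, token):         # what an IdP-side logout does to the token
        self._tokens.pop(token, None)
    def introspect(self, token, now):
        exp = self._tokens.get(token)
        return {"active": exp is not None and exp > now}

class GatewaySession:
    def __init__(self, op, token, exp, recheck_every):
        self.op, self.token, self.exp = op, token, exp
        self.recheck_every = recheck_every   # seconds between introspection calls
        self.last_checked = None
        self.active = True

    def valid_by_expiry_only(self, now):
        # Behaviour described in the issue: the session lives until the cached
        # access token expires, whatever happened at the IdP in the meantime.
        return now < self.exp

    def valid_with_introspection(self, now):
        # Same local expiry check, plus a cached introspection call so a revoked
        # token is rejected within at most `recheck_every` seconds of logout.
        if now >= self.exp:
            return False
        if self.last_checked is None or now - self.last_checked >= self.recheck_every:
            self.active = self.op.introspect(self.token, now)["active"]
            self.last_checked = now
        return self.active

def demo():
    op = FakeOP()
    t0 = 1_700_000_000                       # constructed login time
    op.issue("tok-1", exp=t0 + 3600)         # one-hour lifetime, as in the report
    s = GatewaySession(op, "tok-1", t0 + 3600, recheck_every=60)
    s.valid_with_introspection(t0)           # first request primes the cache
    op.revoke("tok-1")                       # user logs out at the IdP shortly after
    return {
        "cached_at_t0+30": s.valid_with_introspection(t0 + 30),       # True (cache window)
        "expiry_only_at_t0+120": s.valid_by_expiry_only(t0 + 120),    # True (the bug)
        "introspect_at_t0+120": s.valid_with_introspection(t0 + 120), # False
        "expiry_only_at_t0+3600": s.valid_by_expiry_only(t0 + 3600),  # False
    }
```

The `recheck_every` window is the trade-off: a shorter interval means more calls to the OP but a smaller gap during which a logged-out user's session is still honoured.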