okta / okta-oidc-js

https://github.com/okta/okta-oidc-js

Terminate remote session signOut #793

Open Marvedog opened 4 years ago

Marvedog commented 4 years ago

I'm submitting this issue for the package(s):

I'm submitting a:

Current behavior

signOut does not terminate remote session.

Expected behavior

signOut terminates the remote session, as recommended by OWASP, for example.

Extra information about the use case/user story you are trying to implement

Just adhering to standard security practice without resorting to complicated tricks. This seems pretty standard imo.

Environment

aarongranick-okta commented 4 years ago

@Marvedog Thanks for the report. To help us track this down:

Marvedog commented 4 years ago

@aarongranick-okta Sorry, I may have been a bit unclear in my formulation. It is a general feature request that is not supported as of now as far as I can understand from the source code and the actual behavior of the library.

By remote session I mean that the tokens access_token, id_token and refresh_token are still valid. So if I, in my logout flow, call signOut(), then all tokens are still valid and any remote endpoints can still be accessed by whoever has the tokens even though the client cannot.

So, as mentioned in my initial description, shouldn't a signOut() actually sign out the user by terminating the remote session and not just remove the client's access to any remote endpoints?
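The behaviour asked for above, as an added example that is not okta-oidc-js code: a logout routine that revokes the refresh and access tokens at the authorization server (RFC 7009) before clearing local storage, so a copied token stops working at sign-out. It assumes an issuer exposing `${issuer}/v1/revoke`, a fetch-compatible `fetchImpl`, and a Map-like token `store`; the issuer and client id values are constructed placeholders.

```javascript
// Added example (not okta-oidc-js code): revoke refresh and access tokens at the
// authorization server (RFC 7009) before clearing local storage, so a token that was
// copied out of the client stops working at sign-out.
// Assumed: `issuer` exposes `${issuer}/v1/revoke`, `fetchImpl` is fetch-compatible,
// and `store` is a Map-like token store keyed by token type.

async function revokeToken(fetchImpl, issuer, clientId, token, hint) {
  const body = new URLSearchParams({ token, token_type_hint: hint, client_id: clientId });
  const res = await fetchImpl(`${issuer}/v1/revoke`, {
    method: 'POST',
    headers: { 'Content-Type': 'application/x-www-form-urlencoded' },
    body: body.toString(),
  });
  // RFC 7009: a 200 response means the token is revoked or was already invalid.
  return res.status === 200;
}

async function signOutRemote(fetchImpl, issuer, clientId, store) {
  const results = {};
  // Revoke the refresh token first: it is the one that can mint new access tokens.
  for (const hint of ['refresh_token', 'access_token']) {
    const token = store.get(hint);
    if (token) results[hint] = await revokeToken(fetchImpl, issuer, clientId, token, hint);
  }
  // ID tokens cannot be revoked (RFC 7009 covers access and refresh tokens only);
  // they expire on their own, so the local copy is simply discarded.
  store.clear();
  return results;
}

// Constructed in-memory fetch that records revocation calls so the example runs offline.
function makeFakeFetch(calls) {
  return async (url, init) => {
    calls.push({ url, body: Object.fromEntries(new URLSearchParams(init.body)) });
    return { status: 200 };
  };
}

async function demo() {
  const calls = [];
  // Constructed sample token store and placeholder issuer / client id.
  const store = new Map([['access_token', 'at-123'], ['refresh_token', 'rt-456'], ['id_token', 'idt-789']]);
  const issuer = 'https://example.okta.com/oauth2/default';
  const results = await signOutRemote(makeFakeFetch(calls), issuer, 'client-placeholder', store);
  return { calls, results, remaining: store.size };
}
```

Revoking tokens invalidates the tokens themselves; ending the authorization server's own browser session is a separate step (OIDC RP-initiated logout with an id_token_hint).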

swiftone commented 4 years ago

@Marvedog - We believe your desired behavior SHOULD be the actual behavior. Could you provide a few more details on how we can reproduce your scenario? (which platform, what sequence of steps)