Open EarthCitizen opened 5 years ago
Thanks for the feedback -
To track this down we need some clarity:
Use access token to call app endpoints with curl
Does "app" refer to your local app, or to an Okta endpoint?
Any other details you can provide will help us pin this down, thanks!
@swiftone Sorry for the ambiguity. In this case, what I wanted to express is that the front end (via JavaScript) calls the backing REST endpoints of the overall application with the access token issued by Okta. The backing REST endpoints then use Okta endpoints to validate the token.
Ideally, what would happen here is that the refresh token gets invalidated on sign-out, which I believe would invalidate the access tokens as well.
@EarthCitizen We believe this issue has been corrected. Specifically, an option revokeAccessToken was added to the signOut method in this PR: https://github.com/okta/okta-auth-js/pull/288
This change should be reflected in the current version of the Signin Widget. Can you confirm with the latest version of the Signin Widget (currently 3.8.1)? The code would be something like:
signIn.authClient.signOut({ revokeAccessToken: true })
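The fix above revokes the access token at sign-out, but that only helps if the backing REST endpoints (the ones the earlier comment describes as validating the token against Okta) actually ask Okta about the token's current state rather than just checking a signature. The following is an added example, not code from okta-auth-js or the Signin Widget: a backend bearer-token check built on Okta's OAuth 2.0 token introspection endpoint (RFC 7662), which reports `active: false` for a token that has been revoked. The issuer URL, client credentials, the `api://default` audience and the sample introspection responses are placeholders or constructed values, and the `introspect` parameter is made injectable so the decision logic can be exercised offline.

```javascript
// Added example (not from okta-signin-widget or okta-auth-js): backend check
// that consults Okta token introspection so a token revoked at sign-out is
// rejected. Issuer, client credentials and audience below are placeholders.
const OKTA_ISSUER = 'https://example.okta.com/oauth2/default'; // placeholder
const CLIENT_ID = 'placeholder-client-id';                      // placeholder
const CLIENT_SECRET = 'placeholder-client-secret';              // placeholder

// Pull the raw token out of an "Authorization: Bearer <token>" header
// (RFC 6750 b64token syntax); null when the header is absent or not Bearer.
function extractBearer(authHeader) {
  if (typeof authHeader !== 'string') return null;
  const m = /^Bearer\s+([A-Za-z0-9\-._~+/]+=*)$/.exec(authHeader.trim());
  return m ? m[1] : null;
}

// Decide from an introspection response whether the request may proceed.
// Okta answers { active: false } for revoked, expired or unknown tokens; the
// exp and aud checks guard against a stale or mis-targeted token on top of that.
function evaluateIntrospection(body, expectedAudience, nowSeconds) {
  if (!body || body.active !== true) return { allowed: false, reason: 'inactive_or_revoked' };
  if (typeof body.exp === 'number' && body.exp <= nowSeconds) return { allowed: false, reason: 'expired' };
  const aud = Array.isArray(body.aud) ? body.aud : [body.aud];
  if (!aud.includes(expectedAudience)) return { allowed: false, reason: 'wrong_audience' };
  const scopes = (body.scope || '').split(' ').filter(Boolean);
  return { allowed: true, subject: body.sub, scopes };
}

// Live call to the introspection endpoint of the configured authorization
// server (Node 18+ global fetch). Client authenticates with HTTP Basic.
async function introspectWithOkta(token) {
  const basic = Buffer.from(`${CLIENT_ID}:${CLIENT_SECRET}`).toString('base64');
  const res = await fetch(`${OKTA_ISSUER}/v1/introspect`, {
    method: 'POST',
    headers: {
      Authorization: `Basic ${basic}`,
      'Content-Type': 'application/x-www-form-urlencoded',
    },
    body: new URLSearchParams({ token, token_type_hint: 'access_token' }).toString(),
  });
  if (!res.ok) throw new Error(`introspection failed: HTTP ${res.status}`);
  return res.json();
}

// Request guard for a REST endpoint. `introspect` is injectable so the
// decision path can be tested without network access.
async function authorizeRequest(headers, expectedAudience, introspect = introspectWithOkta) {
  const token = extractBearer(headers.authorization);
  if (!token) return { allowed: false, reason: 'missing_bearer' };
  const body = await introspect(token);
  return evaluateIntrospection(body, expectedAudience, Math.floor(Date.now() / 1000));
}

// Constructed sample introspection responses: one still-valid token and one
// that was revoked by signOut({ revokeAccessToken: true }).
const SAMPLE_RESPONSES = {
  'tok-live': { active: true, sub: 'user@example.com', aud: 'api://default', exp: 4102444800, scope: 'openid profile' },
  'tok-revoked': { active: false },
};

// Offline stand-in for introspectWithOkta, keyed on the sample table above.
function offlineIntrospect(token) {
  return SAMPLE_RESPONSES[token] || { active: false };
}

// Offline walk-through of the decision logic against the samples.
function demo() {
  const now = 1700000000; // fixed "current time" for a deterministic result
  return {
    live: evaluateIntrospection(offlineIntrospect('tok-live'), 'api://default', now),
    revoked: evaluateIntrospection(offlineIntrospect('tok-revoked'), 'api://default', now),
    unknown: evaluateIntrospection(offlineIntrospect('tok-unknown'), 'api://default', now),
    badHeader: extractBearer('Basic abc'),
  };
}

module.exports = { extractBearer, evaluateIntrospection, introspectWithOkta, authorizeRequest, demo };
```

The point of going through introspection is that revocation is server-side state: a backend that only verifies the JWT signature and `exp` locally will keep accepting a revoked access token until it expires, which is exactly the window the issue complains about. Introspection costs a round trip per request, so many deployments cache the answer briefly; the cache TTL then bounds how long a revoked token stays usable.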
I'm submitting a
Background info
When closing the session, the refresh and access tokens are still valid.
Expected behavior
When closing the session, OktaSignIn should also invalidate the refresh and access tokens.
What went wrong?
As a result of the refresh and access tokens not being invalidated, the access token can still be used to call endpoints of the application, even though the OIDC Okta endpoints are being used to validate the token.
Steps to reproduce
Your environment