Token not revoked when used via the Widget following built in Reset Password feature

[Fusekki]

Okta version: 5.0.1

The revoke is not working when using the okta widget when a user uses the built-in reset password feature from the Okta widget provided by Okta. Once the password is reset, it takes the user to a dashboard where they can launch the application (again dashboard provided by Okta) and the user authenticates in with this token. I see the token is stored in the cookie storage and when I do an introspect on this cookie, it shows as active. Yet when I log out of the app which, in turn, revokes the token, an introspect call shows the token as active still. Is this a known limitation of the library or is this supposed to work?

Code for revoke token:

  async signOut() {
      await this.authClient.revokeAccessToken();
      await this.authClient.closeSession()
      .then(() => {
      })
      .catch(e => {
        if (e.xhr && e.xhr.status === 429) {
          console.error('Too many requests.');
        }
      });
  }

[laura-rodriguez]

Hi @staffordp,

This seems to be related to #747. Can you use an older version for now until our JS devs submit a fix?

[Fusekki]

@laura-rodriguez Which version do you suggest? We had been using 4.6.1 and that didn't work either.

[Fusekki]

Tried 4.9.0. Does not work either. The only difference I see in the introspect of these users is the scope field.

For these users, introspect comes back with:

"scope": "email openid",

whereas other users that do not use this flow (where the revoke works) have a scope of the following when an introspect is done on their active token:

"scope": "profile openid email",

Is there a specific version that works? I'd rather not test with every version prior to 5.0.0

Just tried version 4.8.0, 5.0.2 and neither work either.

[shuowu]

@staffordp Can you share any detail about how the tokens is stored? Issue may happen if multiple OktaAuth instances has been created, but one use custom storage (cookie) for storage, but the other one use the default storage ('sessionStorage') for revoke.

If you are using the widget, you probably can keep using the authClient from it.

[Fusekki]

We use the .sessionStorage option when setting the okta config.

[shuowu]

Then why the tokens end up in the cookies? Can you share your storage related widget config and the oktaAuth config (if you create another authClient instance)?

[shuowu]

@staffordp also, what browser are you using? token storage may fallback to cookies if neither sessionstroage nor localStorage is available. Just want to check if it's the case.

[Fusekki]

@shuowu Using Chrome
Version 90.0.4430.212 (Official Build) (64-bit)

[Fusekki]

Is there any update or workaround for this issue?

[Fusekki]

Discovered why the revoke was failing. During the getWithoutPrompt which is used for the tile Login, the tokens received were not being grabbed by the tokenManager. Adding this bit of code fixed the issue:

          this.authSvc.authClient.tokenManager.setTokens(
            {accessToken: tokenOrTokens.tokens.idToken,
              idToken: tokenOrTokens.tokens.accessToken}
          );

In the end, I was able to use the latest version (5.0.2)