Instructions for

User sign out flow (local app)

Identity Engine

Sample code

Configuration updates

There are no additional configuration changes needed to implement this use case.

Summary of steps

Integration steps

Create a sign-out UI element

The first step is to create a link, button, or other similar UI element that allows the user to sign out of the app.

Close the Okta SSO session and revoke the access token

When the sign-out request is initiated, create the following flow:

Obtain the access token from the active session state. For example, obtain the access token by calling getAuthClient from getAuthClient.js in the SDK sample app.
Call getSignOutRedirectURL to close the Okta SSO session before you revoke the token (revokeAccessToken) and invalidate the local session, as shown in the SDK sample app's logout.js file:

router.post('/logout', async (req, res) => {
  try {
    const authClient = getAuthClient(req);
    // Get okta signout redirect url
    // Call this method before revoke tokens as revocation clears tokens in storage
    const signoutRedirectUrl = authClient.getSignOutRedirectUrl();
    // Revoke tokens
    await authClient.revokeRefreshToken();
    await authClient.revokeAccessToken();
    // Clear local session
    req.session.destroy();
    // Clear okta session with logout redirect
    res.redirect(signoutRedirectUrl);
  } catch (err) {
    console.log('/logout error: ', err);
  }
});

Note: Revoking the refresh token is optional, as it requires that you request the offline_access scope.

Send the user to the signed-out page

After the access token is revoked and the local app session is no longer valid, redirect the user to the sign-out page.

// Clear okta session with logout redirect
    res.redirect(signoutRedirectUrl);