Instructions for

Sign users out

Note: This document is written for Okta Classic Engine. If you’re using Okta Identity Engine, see User sign out (local app) for relevant guidance. See Identify your Okta solution (opens new window) to determine your Okta version.

This guide explains an important part of security: minimizing the chances that a malicious actor uses an existing session to perform unauthorized actions. It explains the most common strategies to prevent unauthorized use of a session, which include setting short token lifetimes and allowing users to sign out when they’re done. This guide explains how to sign users out of Okta and your app.

Learning outcomes

How to define a sign-out callback.
Sign users out of Okta and your app.

What you need

Okta Integrator Free Plan org (opens new window)
An app that can sign in to Okta. To create your own, see the following guides:

Sample code

About signing users out of an app

Signing users out of an app that is secured using Okta requires that you close the user's session in Okta. In cases where your app also has a session, you also need to close the user's app session.

Okta Session: Okta maintains a session for the user and stores their information inside an Okta-specific cookie. The next time that a user is redirected to the Okta sign-in page, the user's information is remembered. Sign users out of Okta by clearing the Okta browser session.
Application Session: Most apps have their own user sessions that you need to close in addition to an Okta user session.

Define the sign-out callback

Signing out of Okta requires the app to open a browser and go to the end session endpoint (opens new window). Okta ends the user's session and immediately redirects the user back to your app. To do this, define a callback route for the sign-out process that matches the post sign-out URL in your Okta app integration settings. If you don't specify a post_logout_redirect_uri, then the browser is redirected to the Okta sign-in page.

Open the Admin Console for your org.
Go to Applications > Applications to view the current app integrations.
Select your app integration.
On the General tab, click Edit in the General Settings section.

Set a Sign-out redirect URIs section and add a handler for that URI.

Follow your base URI with /account/postsignout (for example, http://localhost:3000/account/postsignout).

Then, you have to modify the Okta configuration in your application to also include the Sign-out redirect URIs. Open the Startup.cs file and update the Configuration method to include PostLogoutRedirectUri in the Okta configuration:

public class Startup
{
    public void Configuration(IAppBuilder app)
    {
        //...
        app.UseOktaMvc(new OktaMvcOptions()
        {
            //...
            PostLogoutRedirectUri = "http://localhost:3000/Account/PostSignOut",
        });
    }
}

Finally, add the desired logic for the post sign-out callback. Open the controller where you handle the sign-out process and add a PostSignOut method:

public class AccountController : Controller
{
    public ActionResult PostSignOut()
    {
        // Return to the home page after sign out
        return RedirectToAction("Index", "Home");
    }
}

Click Save to confirm your changes.

Sign users out of Okta

Sign users out of Okta by ending their session on the Okta authorization server.

Open the controller where you handle the sign-out process and update the SignOut action. This time you need to also sign the user out of the Okta OIDC middleware with OktaDefaults.MvcAuthenticationType:

public class AccountController : Controller
{
    [HttpPost]
    public ActionResult SignOut()
    {
        if (HttpContext.User.Identity.IsAuthenticated)
        {
            HttpContext.GetOwinContext().Authentication.SignOut(
                CookieAuthenticationDefaults.AuthenticationType,
                OktaDefaults.MvcAuthenticationType);
        }

        return RedirectToAction("Index", "Home");
    }
}

Update your using statements to import the following namespaces:

using Microsoft.Owin.Security.Cookies;
using Okta.AspNet;

After users sign out of Okta, they’re redirected to the location defined in Define the sign-out callback section.

Sign users out of your app

Sign users out of your app by ending their local session. This signs the user out of your app, but doesn't sign the user out of Okta.

The steps required to end the app session vary depending on the type of app that you’re using.

Add a SignOut action that accepts an HTTP POST and signs the user out with CookieAuthenticationDefaults.AuthenticationType:

public class AccountController : Controller
{
    [HttpPost]
    public ActionResult SignOut()
    {
        if (HttpContext.User.Identity.IsAuthenticated)
        {
            HttpContext.GetOwinContext()
                       .Authentication
                       .SignOut(CookieAuthenticationDefaults.AuthenticationType);
        }

        return RedirectToAction("Index", "Home");
    }
}

Update your using statements to import the Microsoft.Owin.Security.Cookies namespace:

using Microsoft.Owin.Security.Cookies;

Finally, open _Layout.cshtml and add a link or button for the user to sign out:

<div>
    @*...*@
    @if (Context.User.Identity.IsAuthenticated)
    {
        <ul>
            <li>
                <p>Hello, <b>@Context.User.Identity.Name</b></p>
            </li>
            <li>
                <a onclick="document.getElementById('logout_form').submit();" style="cursor: pointer;">
                    Sign out
                </a>
            </li>
        </ul>
        <form action="/Account/SignOut" method="post" id="logout_form"></form>
    }
    else
    {
        <ul>
            <li>@Html.ActionLink("Sign in", "SignIn", "Account")</li>
        </ul>
    }
</div>

On this page