Sign Out a User

Signing a user out of an application is necessary to ensure that an existing session can’t be utilized by an attacker to perform unauthorized actions. In order to sign a user out of our application, we must close the user session in Okta. We’ll also need to close the user application session in case our application also has an active session. Another important step in this regard involves specifying the sign-out redirect URI(s).

Define the sign-out callback or redirect URI

We can use the end session endpoint to sign out a user. As the Okta user session ends, the user is redirected to the URI. We’ve already specified the sign-out redirect URI in our Okta app integration settings. The user is redirected to the specified URI once our application contacts Okta to close the active user session.

Note: The browser will automatically redirect the user to the Okta sign-in page if we don’t specify a sign-out redirect URI.

Now, let’s look at the difference between the user session in Okta and the user session in the application.

• Okta session: To prevent repeated logins, Okta maintains a session using cookies. It stores the sign-in information using a specific cookie, which is then recalled whenever the user signs in again. To sign out, we can just clear the Okta browser session.

• Application session: Client applications usually maintain their own user sessions. In such cases, we will need to close the application user session along with the Okta user session to sign a user out of our app.

Sign out of Okta

We can sign users out of Okta by terminating their session on the Okta authorization server. The user will be redirected to the sign-out redirect URI we specified in our Okta app integration settings.