Welcome to ShenZhenJia Knowledge Sharing Community for programmer and developer-Open, Learning and Share
I want to incorporate an OIDC sign-in flow into my single-page web app through an Okta app.

However, I want the session of the user that signed in through Okta in my system to be tied to their Okta session (i.e. if they log out of Okta, or they lose access to my app in Okta, they will be logged out of my webapp).

It seems that backchannel logout is the way to achieve this with OIDC. Does Okta support backchannel logout?


As a side note, it appears that some Okta apps have figured out a way to do this already. For example, if I lose access to the Slack app in Okta, my Slack account is immediately frozen...so there is some kind of communication from Okta ---> Slack in that case. Maybe they are using SAML for that?


1 Answer

Back channel logout doesn't seem to be supported right now.

To achieve this behavior, you might have to make your app session rely on the Okta session. Your app session would be valid as long as the Okta session is valid. If the user wants to log out of the webapp, you might have to call delete /api/v1/session.


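One way to implement the answer's suggestion of making the app session depend on the Okta session, as an added example that is not part of the original answer and not Okta's own code. It assumes the endpoint meant is Okta's `GET /api/v1/sessions/me` (200 with a session object, 404 when there is no session), that the SPA's origin is allowed for CORS in the Okta org, and that the browser sends the Okta session cookie; the function names, the `appSession` shape and the sample values are hypothetical.

```javascript
// Added example. evaluateOktaSession, checkOktaSession and appSession are hypothetical names.
// Assumed endpoint: GET {oktaOrigin}/api/v1/sessions/me
//   200 + JSON session (status, userId, expiresAt) when the cookie is valid, 404 otherwise.

// Pure decision: keep the app session, end it, or retry the check later.
function evaluateOktaSession(httpStatus, body, appSession, nowMs) {
  if (httpStatus === 404) return { action: "logout", reason: "no-okta-session" };
  // 429/5xx/network errors say nothing about the session: do not log out on one blip.
  if (httpStatus !== 200 || !body) return { action: "retry", reason: "check-failed" };
  if (body.status !== "ACTIVE") return { action: "logout", reason: "session-not-active" };
  // A different Okta user may have signed in on this browser since our login.
  if (body.userId !== appSession.oktaUserId) return { action: "logout", reason: "different-user" };
  // A missing or unparsable expiresAt gives NaN, which fails this test and logs out.
  if (!(Date.parse(body.expiresAt) > nowMs)) return { action: "logout", reason: "expired" };
  return { action: "keep", reason: "ok" };
}

// Performs one check. `state` = { failures, maxFailures } bounds how long the app
// session may outlive an unverifiable Okta session (fail closed after N failures).
async function checkOktaSession(oktaOrigin, appSession, state, fetchImpl = fetch, nowMs = Date.now()) {
  let status = 0, body = null;
  try {
    const res = await fetchImpl(`${oktaOrigin}/api/v1/sessions/me`, {
      credentials: "include", // send the Okta session cookie cross-origin
      headers: { Accept: "application/json" },
    });
    status = res.status;
    if (status === 200) body = await res.json();
  } catch (_) { /* network or parse error: handled as a failed check */ }
  const verdict = evaluateOktaSession(status, body, appSession, nowMs);
  if (verdict.action !== "retry") { state.failures = 0; return verdict; }
  state.failures += 1;
  return state.failures >= state.maxFailures
    ? { action: "logout", reason: "too-many-failed-checks" }
    : verdict;
}

// Constructed sample response body, for illustration only.
const SAMPLE_SESSION = {
  id: "101CONSTRUCTED", userId: "00uCONSTRUCTED",
  status: "ACTIVE", expiresAt: "2024-01-01T02:00:00.000Z",
};
```

On a `logout` verdict the app clears its own session. The check only shows that the Okta session ended or changed user; it does not show whether the user is still assigned to the app in Okta.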