Session Revocation — Okta
Challenge clears Okta browser sessions and can optionally revoke OAuth/OIDC tokens and forget remembered MFA devices.
Credentials
- In the Okta Admin Console, go to Security → API → Tokens → Create token.
- Name the token (for example, Challenge session revocation) and copy it immediately; Okta displays the token value only once, at creation.
- In Challenge, set Okta domain (for example, https://your-org.okta.com) and API token under Integrations → Session Revocation → Okta.
API calls Challenge makes
| Step | Method | Endpoint | Notes |
|---|---|---|---|
| Lookup | GET | /api/v1/users/{userId} | Called with the configured login; Okta accepts an id or a login here and returns the user's immutable id |
| Revoke | DELETE | /api/v1/users/{userId}/sessions | Called with the id from the lookup; returns 204 No Content on success |
Least-privilege guidance
Create a custom admin role (or use a narrowly scoped role) that allows user read and session management without unrelated admin rights. An Okta API token carries the permissions of the admin who created it, so create it from a dedicated service admin that holds only this role rather than from a personal account. Okta documents API token administration in Create an API token.
Typical Okta permissions to include:
- Read users (for lookup by login)
- Clear user sessions / manage user sessions
Avoid granting full Super Administrator if a custom role suffices.
Optional settings
These map to query parameters on Okta’s Clear all sessions for a user API:
| Challenge setting | Okta parameter | Effect |
|---|---|---|
| Revoke OAuth/OIDC tokens | oauthTokens=true | Also revokes the OAuth 2.0 and OpenID Connect refresh and access tokens Okta has issued to the user. |
| Forget remembered devices | forgetDevices=true | Forgets the devices the user has marked as remembered for MFA, so every device is challenged again at the next sign-in. |
Enable only what your incident-response policy requires. Revoking OAuth tokens is broader than ending Okta browser sessions alone; forgetting devices forces MFA on the next sign-in. Neither option signs the user out of applications that keep their own session after SSO; those sessions need the application's own revocation.
For full API semantics and parameter behavior, see Okta's official documentation for the Clear all sessions for a user API.
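The two calls above, with the optional flags mapped onto Okta's query parameters and the troubleshooting codes raised on failure, as an added example that is not Challenge's or Okta's own code. It assumes only the two documented endpoints and Okta's `SSWS <token>` Authorization scheme; `revoke_user_sessions`, `OktaRevocationError`, `build_revoke_url` and the fake transport are illustrative names, and the user id, tokens and permission grants inside the fake are constructed so the flow can be exercised offline.

```python
"""Okta session revocation flow: look the user up by login, then DELETE /sessions.

Added example, not Challenge's or Okta's own code. Only the two documented
endpoints and the SSWS token scheme are real; everything in the fake is constructed.
"""
import json
import urllib.error
import urllib.parse
import urllib.request


class OktaRevocationError(Exception):
    """Carries a short code that matches the troubleshooting table (illustrative)."""

    def __init__(self, code, detail=""):
        super().__init__(f"{code}: {detail}")
        self.code = code


def http_transport(method, url, headers):
    """Live transport, used only when no fake is injected: returns (status, body)."""
    req = urllib.request.Request(url, method=method, headers=headers)
    try:
        with urllib.request.urlopen(req, timeout=15) as resp:
            return resp.status, resp.read().decode()
    except urllib.error.HTTPError as err:
        return err.code, err.read().decode()


def build_revoke_url(domain, user_id, revoke_oauth=False, forget_devices=False):
    """Map the two optional Challenge settings onto Okta's query parameters."""
    params = {}
    if revoke_oauth:
        params["oauthTokens"] = "true"
    if forget_devices:
        params["forgetDevices"] = "true"
    url = f"{domain.rstrip('/')}/api/v1/users/{urllib.parse.quote(user_id, safe='')}/sessions"
    return url + ("?" + urllib.parse.urlencode(params) if params else "")


def revoke_user_sessions(domain, api_token, login, revoke_oauth=False,
                         forget_devices=False, transport=http_transport):
    """Return the Okta user id whose sessions were cleared, or raise OktaRevocationError."""
    headers = {"Authorization": f"SSWS {api_token}", "Accept": "application/json"}
    # Step 1: lookup. Resolve the login to the immutable id first so the DELETE
    # targets exactly one account even if the login is later reassigned.
    lookup_url = f"{domain.rstrip('/')}/api/v1/users/{urllib.parse.quote(login, safe='')}"
    status, body = transport("GET", lookup_url, headers)
    if status == 404:
        raise OktaRevocationError("user_not_found", login)
    if status == 403:
        raise OktaRevocationError("http_403", "token cannot read users")
    if status != 200:
        raise OktaRevocationError(f"http_{status}", body[:200])
    user_id = json.loads(body)["id"]
    # Step 2: revoke. Okta answers 204 No Content on success.
    revoke_url = build_revoke_url(domain, user_id, revoke_oauth, forget_devices)
    status, body = transport("DELETE", revoke_url, headers)
    if status == 403:
        raise OktaRevocationError("http_403", "token cannot manage sessions")
    if status != 204:
        raise OktaRevocationError(f"http_{status}", body[:200])
    return user_id


def make_fake_okta(calls):
    """Constructed stand-in for Okta so the flow runs offline; records every call."""
    users = {"alice@example.com": "00u1abcDEFghijKLM0x7"}                        # constructed
    grants = {"valid-token": {"read", "sessions"}, "read-only-token": {"read"}}  # constructed

    def transport(method, url, headers):
        calls.append((method, url))
        token = headers.get("Authorization", "").split(" ", 1)[-1]
        allowed = grants.get(token, set())
        parts = urllib.parse.urlparse(url).path.strip("/").split("/")  # api v1 users X [sessions]
        if method == "GET" and len(parts) == 4:
            if "read" not in allowed:
                return 403, '{"errorSummary": "forbidden"}'
            user_id = users.get(urllib.parse.unquote(parts[3]))
            return (200, json.dumps({"id": user_id})) if user_id else (404, '{"errorSummary": "not found"}')
        if method == "DELETE" and len(parts) == 5 and parts[4] == "sessions":
            if "sessions" not in allowed:
                return 403, '{"errorSummary": "forbidden"}'
            return (204, "") if parts[3] in users.values() else (404, "")
        return 400, ""

    return transport


def demo():
    """Run the happy path and the two troubleshooting cases against the fake; return outcomes."""
    outcomes, calls = {}, []
    fake = make_fake_okta(calls)
    domain = "https://your-org.okta.com"
    outcomes["ok"] = revoke_user_sessions(domain, "valid-token", "alice@example.com",
                                          revoke_oauth=True, forget_devices=True, transport=fake)
    outcomes["revoke_url"] = calls[-1][1]
    for token, login in (("valid-token", "nobody@example.com"), ("read-only-token", "alice@example.com")):
        try:
            revoke_user_sessions(domain, token, login, transport=fake)
        except OktaRevocationError as err:
            outcomes[f"{token}:{login}"] = err.code
    return outcomes


if __name__ == "__main__":
    print(demo())
```

Against a real tenant, drop the `transport` argument and pass the SSWS token from the Credentials step; the `read-only-token` case shows why the troubleshooting table lists both read and session-management permissions for http_403, since a token that passes the lookup can still be refused on the DELETE.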
Username format
Use the user's Okta login. This is usually the email address, but if your org's login differs from the email, the lookup needs the login value exactly as it appears on the Okta profile.
Troubleshooting
| Symptom | Check |
|---|---|
| user_not_found | The configured login does not match the login on any Okta profile; compare it against Directory → People |
| http_403 | The API token (or the admin it was created by) lacks user read or session management permissions |
| Optional flags too aggressive | Disable Revoke OAuth/OIDC tokens or Forget remembered devices if your policy does not require them |