0D51Y00005pHC8WSAW | Okta Classic Engine | Single Sign-On | Answered | 2021-08-23T14:56:27.000Z | 2018-12-18T14:51:21.000Z | 2018-12-20T18:00:06.000Z
Login Hint and Already Authenticated Users

Hi,

I am working on implementing Okta as an external IdP using OIDC with Identity Server 3. The login works great, but the logout is where I am having issues.

My requirements are:

  • Allow users to log out of our apps, but not log them out of Okta and any other applications that Okta may be managing.
  • If another user attempts to log in to our application in the same browser session, log them out of Okta at that time and allow the new user to authenticate.

I have a working solution for not logging them out and leaving them logged into Okta, but I am having trouble with the second part. When the user enters their username into our application for login, we redirect to Okta and let them complete the authentication there. We are passing the username as the login_hint, but Okta is finding the authentication cookie from the first attempt and logging them in as that person instead.

Is there a way in Okta to have it invalidate an authentication cookie if the login_hint does not match the existing authenticated user, or perhaps a way for our application to determine if the usernames match before redirecting to Okta and forcing a logout at that time?

Thanks!


This question is closed.
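The mismatch described in the question can be caught on the relying-party side at the OIDC protocol level. The sketch below is an added example, not code from the original post, Okta, or Identity Server 3: it compares the validated ID token's `preferred_username` (or `email`) claim with the `login_hint` that was sent, and on a mismatch builds a second authorization request with the standard `prompt=login` parameter. The endpoint, client ID, redirect URI, and function names are assumed placeholders.

```python
import secrets
from urllib.parse import urlencode

# Assumed placeholder values (not from the original post).
AUTHORIZE_ENDPOINT = "https://idp.example.com/authorize"
CLIENT_ID = "example-client-id"
REDIRECT_URI = "https://app.example.com/callback"


def build_authorize_url(username, state, nonce, force_reauth=False):
    """Build the OIDC authorization request that carries login_hint."""
    params = {
        "client_id": CLIENT_ID,
        "response_type": "code",
        "scope": "openid profile",
        "redirect_uri": REDIRECT_URI,
        "state": state,
        "nonce": nonce,
        "login_hint": username,
    }
    if force_reauth:
        # OIDC Core: prompt=login asks the IdP to re-authenticate the
        # end user even if an IdP session cookie is already present.
        params["prompt"] = "login"
    return AUTHORIZE_ENDPOINT + "?" + urlencode(params)


def hint_matches_claims(login_hint, claims):
    """Compare the requested username with the identity the IdP returned.

    `claims` must come from an ID token whose signature, issuer,
    audience, and nonce have already been validated.
    """
    returned = claims.get("preferred_username") or claims.get("email")
    if not returned:
        return False  # fail closed when no identity claim is present
    return returned.strip().casefold() == login_hint.strip().casefold()


def next_step(login_hint, claims):
    """Accept the sign-in, or restart it with forced re-authentication."""
    if hint_matches_claims(login_hint, claims):
        return {"action": "accept"}
    # Fresh state and nonce for the retry; never reuse the first request's.
    state, nonce = secrets.token_urlsafe(16), secrets.token_urlsafe(16)
    url = build_authorize_url(login_hint, state, nonce, force_reauth=True)
    return {"action": "reauthenticate", "url": url, "state": state, "nonce": nonce}
```

The application must discard the mismatched tokens rather than create a local session from them, and must run the same comparison again on the second callback.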