
t6ege (t6ege) asked a question.
I have created one application that uses the OIDC flow to authenticate with OKTA.
Although the authorization_endpoint and token_endpoint are working fine, when I tried to log out the user and invalidate the session on OKTA, it doesn't work properly.
Though when I hit the end session endpoint provided in the well-known configuration of OKTA, it gives 200 (OK) in response, but after this when I try logging in, it doesn't ask for userid and password and directly logs the user in to the application.
Issue - It seems like OKTA is not invalidating the user session.
Logout URL -
issuerUrl/v1/logout?id_token_hint={id_token}&post_logout_redirect_uri={logoutURI}&state={anystring}
Note - The post_logout_redirect_uri parameter value given in the above URL is the same one we configured as logout_uri on OKTA.
Expected behavior - After getting 200 (OK) as the response from OKTA, when the user initiates authentication it should ask for userid and password instead of directly logging the user in to the application.
Findings - While searching for a solution we found one OKTA documentation page regarding logout -

Hello,
I assume this is for an Okta Classic Org?
When you log out, you are doing a browser user-agent redirect and not making a JS XHR call, correct?
Do you receive a 200 in the reply?
If you check the dev console log and look at the response in the network tab do you see the Okta Session Cookie (sid) being removed? (This assumes it is an Okta Classic org)
For issues involving OAuth2/OIDC application or any of the Okta SDKs I recommend posting them at https://devforum.okta.com/
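As an added example that is not part of the question or the reply above: this builds the RP-initiated logout URL the browser should be redirected to (parameters joined with `&` and percent-encoded, the redirect URI checked against the app's registered logout_uri values) and verifies the `state` echoed back on the post-logout redirect. The discovery document and the `REGISTERED_LOGOUT_URIS` allow-list are constructed stand-ins, not values from the page.

```python
import json
from urllib.parse import urlencode, urlsplit, parse_qs

# Constructed stand-in for the issuer's /.well-known/openid-configuration
# document; a real relying party fetches this from the Okta issuer URL.
DISCOVERY_JSON = json.dumps({
    "issuer": "https://example.okta.com/oauth2/default",
    "end_session_endpoint": "https://example.okta.com/oauth2/default/v1/logout",
})

# Hypothetical allow-list mirroring the logout_uri values registered on the
# Okta application; Okta rejects a post_logout_redirect_uri it does not know.
REGISTERED_LOGOUT_URIS = {"https://app.example.com/logged-out"}


def end_session_endpoint(discovery_json: str) -> str:
    """Read the end_session_endpoint from the discovery document."""
    return json.loads(discovery_json)["end_session_endpoint"]


def build_logout_url(discovery_json: str, id_token: str,
                     post_logout_redirect_uri: str, state: str) -> str:
    """Build the logout URL for a browser redirect (HTTP 302 / Location).

    The app must send the user-agent here rather than call it via XHR, so
    the browser presents and drops the Okta session cookie itself.
    """
    if post_logout_redirect_uri not in REGISTERED_LOGOUT_URIS:
        raise ValueError("post_logout_redirect_uri is not a registered logout_uri")
    params = {
        "id_token_hint": id_token,
        "post_logout_redirect_uri": post_logout_redirect_uri,
        "state": state,
    }
    return f"{end_session_endpoint(discovery_json)}?{urlencode(params)}"


def verify_logout_callback(callback_url: str, expected_state: str) -> bool:
    """Confirm the state Okta echoes back on post_logout_redirect_uri matches
    the one stored in the app session before clearing the app's own session."""
    query = parse_qs(urlsplit(callback_url).query)
    return query.get("state") == [expected_state]
```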