After Logging out (Angular Okta SDK) able to log back in without password

Hi Okta,

I am using Angular Okta SDK for my application. When I trigger logout in my application using:

this.oktaAuth.signOut()

So what happens is when a user initially logs in they’ll need to enter their username and password. Then press logout button. I’ll call signOut() and then the user lands on the Okta login page but this time all they need to enter back in the application is their username.

Thanks,
Baljinder

Are you sure that method is being called? If they are being redirected back to the sign in page and not being asked to enter their password, then that means that the session is still active.

Did you follow this documentation? Sign users out of Okta | Okta Developer

@erin.p pretty sure.

As you can see in my snippet, it hits the method and then leads me off to the login page.

Are you seeing any errors after this.oktaAuth.signOut is called?


None, but bear in mind I won’t know if there is one in the SDK, as the page is redirected to the login page.

Are they users logging in through an External IdP? Is that why they are only prompted for their username when they log in a second time?

@andrea Hmmm 🙂 that may be the case. I am not certain, waiting on a reply.

Due to us using single sign-on for all our company applications, we most likely are?

If users are getting federated through an external provider (like Google, Facebook, Azure AD, etc.), then while the application is able to log them out of their session with Okta (the signOut method does this by invoking the /logout endpoint), it is not going to end the user’s session at the user’s source IdP.

That means that the next time Okta goes to redirect the user to their external provider, the provider will still have a session for that user and they will be sent back to Okta immediately (or after a prompt, depending on the IdP) with a new Okta session created for them.

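To make the two-session problem concrete, here is an added example (not code from the thread or from the Okta SDK) of how an app can chain a second, RP-initiated logout at the external IdP after Okta's own /logout has finished. It assumes the IdP exposes an OIDC end_session_endpoint; the endpoint and redirect URIs are placeholders, and the IdP's ID token is usually not held by the app, so id_token_hint is optional.

```typescript
// Added example, not part of the original thread or the Okta SDK.
// Flow: oktaAuth.signOut({ postLogoutRedirectUri }) ends the Okta session
// and lands the browser on postLogoutRedirectUri; that page then sends the
// browser to the IdP's end_session_endpoint so the IdP session ends too.

interface IdpLogoutConfig {
  endSessionEndpoint: string;    // from the IdP's OIDC discovery document (placeholder)
  postLogoutRedirectUri: string; // must be registered at the IdP (placeholder)
}

/** Build the OIDC RP-initiated logout URL for the external IdP. */
export function buildIdpLogoutUrl(cfg: IdpLogoutConfig, idTokenHint?: string): string {
  const url = new URL(cfg.endSessionEndpoint);
  // Only ever send the browser to an https endpoint we configured, never to a
  // value taken from the request; this keeps the logout hop from becoming an open redirect.
  if (url.protocol !== "https:") {
    throw new Error("end_session_endpoint must be https");
  }
  url.searchParams.set("post_logout_redirect_uri", cfg.postLogoutRedirectUri);
  // The app normally holds Okta's ID token, not the IdP's, so the hint is optional;
  // many IdPs accept the logout request without it.
  if (idTokenHint) {
    url.searchParams.set("id_token_hint", idTokenHint);
  }
  return url.toString();
}

/**
 * Where to send the browser once Okta's /logout has completed.
 * signedInViaExternalIdp is decided by the caller (assumption: the app
 * records at login whether the Okta session came from a federated IdP).
 */
export function nextLogoutStep(
  signedInViaExternalIdp: boolean,
  cfg: IdpLogoutConfig,
  idTokenHint?: string,
): string {
  // Local Okta users: the Okta logout alone is sufficient.
  if (!signedInViaExternalIdp) {
    return cfg.postLogoutRedirectUri;
  }
  // Federated users: continue to the IdP so it cannot silently re-issue a session.
  return buildIdpLogoutUrl(cfg, idTokenHint);
}
```

Without the second hop, the IdP still holds its session, and the next redirect from Okta re-creates an Okta session with no password prompt, which is exactly the behaviour described above.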

Hi, I’m also facing the same issue. How do I sign out then in the case of external provider if not through this.oktaAuth.signOut?

At this time, there is no way to configure Okta to do so. Since each IdP is unique, you would need to design a solution to end the session at the IdP for each IdP you have in your org.

For us it is happening only in incognito mode, do you know why?

Hmm… not that I can think of. Could be something specific to your browser settings, but I would expect Incognito mode to be less likely to persist cookies and keep a user logged in than “regular” browsing mode.

After you call signOut, what happens if the user accesses your Okta domain in another tab? Are they also able to get back in without being prompted to authenticate?

After I log out from our web application, the Okta domain also logs out. I get redirected to the Okta signup page when I hit the Okta domain URL. This happens in both incognito as well as in normal mode. But in incognito mode our application doesn’t fully log out: when I enter my username, or even someone else’s username, it logs into the application with my id without going through the authentication screen.