Authenticating With Wrong Client Application

I want to make sure I don’t have a fundamental mis-understanding, but our scenario is this:

  1. We created a developer account and added an application
  2. Set up the application and effectively got it to work in a laravel environment with socialite
  3. (User2A) created a second developer account to make sure that someone with an okta session but no access to our app was handled appropriately
  4. (User2B) tried to then add that new user as a user in the application to give them access, it sent an invite and i had to create a new password (2 different accounts, same email)
  5. attempt to log in as that user and it authenticates but gives me an error that the user canceled the social login request

The Problem:
This ended up creating two user instances in the okta ecosystem that have the same email address, i know because i modified the passwords and can login to the separately based on password.

When I attempt to login to our app as User2B (the one with access) authentication fails.

When I attempt to login to our app as User2A (the one without access) authentication passes, but says the user canceled the login attempt.

This is pretty concerning that I am passing the App Client Id that I wish to login for, yet it is authenticating my user against a separate development account. Is this just a flaw in the development set up because they are both using the default idp?

It appears to only authenticate against the 1st instance of that user email even though it is the wrong client and therefore prevents them from ever reaching the app.

Please open a support ticket through an email to support@okta.com with this issue. One of our Support Engineers will be happy to troubleshoot this deeper with you.