We use the @okta/okta-auth-js 4.7 and @okta/okta-react 4.6 Okta SDKs in our application for authentication. On login, ‘okta-token-storage’ and ‘okta-cache-storage’ get added to localStorage by the SDKs, and deleting them would log out of the application and redirect to the login page.
Since these versions are deprecated, we have upgraded these two packages to the latest versions, i.e., @okta/okta-auth-js 7.2.0 and @okta/okta-react 6.7.0, in which clearing ‘okta-token-storage’ explicitly from local storage does not directly take the user back to the login page. Earlier, with the older versions, this was the case. Did something change in the Okta SDK w.r.t. this functionality?
We have a separate logout button in our UI that calls the SDK’s sign-out method, which works fine.
The clearing of ‘okta-token-storage’ from local storage was added as part of our post-deployment tests, in which we are facing the above-mentioned issue.
You may want to rethink the deployment tests. You never should have been checking for that behavior.
The point of clearing local storage of tokens is to force the application to request new tokens when it needs them, not to land at the login page. It never has been, even in v4, although you could get that behavior. If the application requests a new token and the browser still has a valid Okta session, you should not land at the login page; a new token should be granted without the user noticing.
To abandon the session, the “sid” cookie in Okta Classic or the “idx” cookie in Okta Identity Engine needs to be cleared. But that isn’t a cookie on your app, it’s a cookie on the org URL. And that is what the sign-out does: it redirects the browser through Okta, clears the cookie, and lands on the logout URL you have configured for the application. Which may redirect you right back to authentication, but it doesn’t have to; lots of applications have a non-logged-in landing page.
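The distinction drawn in the reply above, as an added example that is not part of the original thread: a post-deployment check that asserts on the Okta session rather than on the presence of ‘okta-token-storage’. It assumes an `OktaAuth` client exposing `tokenManager.getTokens()` and `session.exists()`; `classifyAuthState`, `makeFakeClient` and `runScenario` are hypothetical names, and the fake client is a constructed stand-in so the check runs offline.

```javascript
// Added example. `authClient` is an OktaAuth instance (@okta/okta-auth-js);
// the only SDK calls used are tokenManager.getTokens() and session.exists().
// session.exists() only works if the browser sends the org-URL session cookie.
async function classifyAuthState(authClient) {
  const tokens = await authClient.tokenManager.getTokens();
  const hasTokens = Boolean(tokens && (tokens.accessToken || tokens.idToken));
  if (hasTokens) return 'tokens-present';
  // No tokens in okta-token-storage: the Okta session decides what happens next.
  const sessionAlive = await authClient.session.exists();
  return sessionAlive
    ? 'session-only' // new tokens can be granted silently; no login page expected
    : 'signed-out';  // login page (or a public landing page) is expected
}

// Constructed stand-in for OktaAuth so the scenario runs without an Okta org.
function makeFakeClient() {
  const state = {
    tokens: { accessToken: { accessToken: 'constructed-value' } },
    session: true,
  };
  return {
    tokenManager: {
      getTokens: async () => state.tokens,
      clear: () => { state.tokens = {}; },
    },
    session: { exists: async () => state.session },
    // Models sign-out: session cookie cleared at the org, local tokens removed.
    signOut: async () => { state.session = false; state.tokens = {}; },
  };
}

// Walks the three states a deployment test should tell apart.
async function runScenario() {
  const client = makeFakeClient();
  const seen = [await classifyAuthState(client)];
  client.tokenManager.clear(); // same effect as deleting okta-token-storage
  seen.push(await classifyAuthState(client));
  await client.signOut();
  seen.push(await classifyAuthState(client));
  return seen;
}
```

A test built this way expects the login page only in the `signed-out` state, which is reached through sign-out and not through clearing local storage.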