Front-channel logout iframe not triggering session clear in React SPA

Summary

We are implementing front-channel Single Logout (SLO) across multiple applications sharing an Okta SSO session. We currently have a polling-based workaround to detect session termination, but it is expensive and not a viable long-term solution. We are looking for guidance on how to implement a proper front-channel SLO flow.


Current Behavior

We have two applications — App A and App B — both authenticated via Okta using the Authorization Code flow with PKCE (using @okta/okta-react).

When a user logs out of App A, we call oktaAuth.signOut(), which clears the Okta session on the server. However, App B remains in an authenticated state — it is unaware that the session has been terminated until the user takes an action that triggers a token validation.

To work around this, we currently poll every 5 seconds in a React hook (useSloLogout) using oktaAuth.tokenManager.renew('accessToken'). If the renewal fails (i.e., the Okta session no longer exists), we treat it as a logout signal and call signOut() in App B as well.

const pollInterval = setInterval(async () => {
    try {
        await oktaAuth.tokenManager.renew('accessToken');
    } catch {
        oktaAuth.signOut({ clearTokensBeforeRedirect: true });
    }
}, 5_000);

This approach works but is unacceptable in production due to:

  • High frequency of unnecessary token renewal requests to Okta
  • Increased load on Okta’s /token endpoint
  • Poor scalability across many concurrent users
  • Latency in detecting logout (up to 5 seconds)

Desired Behavior

We want to implement front-channel Single Logout (SLO) so that when a user logs out of App A, App B is notified and can perform a logout without polling.

Specifically, we are looking for guidance on:

  1. Does Okta support front-channel logout as defined in the OpenID Connect Front-Channel Logout 1.0 spec?
  2. If yes, how do we configure the front-channel logout URI in the Okta application settings, and what does the receiving endpoint in App B need to implement?
  3. If not natively supported, is there an Okta-recommended front-channel mechanism (e.g., using session cookies, iframes, or post-message events) to propagate logout across applications without resorting to back-channel logout or polling?

We explicitly want to avoid back-channel (server-to-server) logout as our architecture favors browser-initiated flows. We are open to iframe-based approaches or browser-side session signaling if that is the recommended path.


Environment

Detail | Value
SDK | @okta/okta-react, @okta/okta-auth-js
Flow | Authorization Code + PKCE
Application Type | Single Page Application (SPA)

Question

What is the recommended front-channel SLO approach for multiple Okta-integrated SPAs, and is there native platform support for the OIDC Front-Channel Logout spec that we can configure per application?

Hi,

Okta supports Front channel SLO - Configure Single Logout | Okta Developer

In short, Okta will send a request to your app's SLO endpoint (configured in the app configuration on the Okta end), and your app should be able to receive the request and remove the tokens/session.
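
One way App B's logout route could receive that request and remove its tokens, as an added example that is not code from this thread or from Okta. It assumes Okta is configured to append the `iss` and `sid` query parameters defined by OIDC Front-Channel Logout 1.0; the function names, the `expected` object, and the injected `tokenStore` and `notify` are all hypothetical.

```javascript
// Added example: every name below (validateLogoutRequest,
// handleFrontChannelLogout, expected, tokenStore, notify) is hypothetical
// and not part of Okta's SDK or of this thread.

// Decide whether a front-channel logout request should be honoured.
// `expected.issuer` is App B's configured Okta issuer; `expected.sid` is the
// `sid` claim from the ID token App B currently holds (null if none).
function validateLogoutRequest(href, expected) {
  const params = new URL(href).searchParams;
  const iss = params.get('iss');
  const sid = params.get('sid');
  if (iss === null && sid === null) {
    // No session details sent, so the request cannot be tied to a session.
    // This example's policy: accept it only when explicitly allowed.
    return expected.allowUnbound
      ? { ok: true, reason: 'unbound' }
      : { ok: false, reason: 'missing iss/sid' };
  }
  if (iss !== expected.issuer) return { ok: false, reason: 'issuer mismatch' };
  if (sid === null || sid !== expected.sid) return { ok: false, reason: 'sid mismatch' };
  return { ok: true, reason: 'session matched' };
}

// Clear local tokens and tell App B's other tabs, only for a valid request.
// `tokenStore.clear` and `notify` are injected; in the browser they could be
// oktaAuth.tokenManager.clear() and a BroadcastChannel postMessage.
function handleFrontChannelLogout(href, expected, tokenStore, notify) {
  const verdict = validateLogoutRequest(href, expected);
  if (!verdict.ok) return verdict; // ignore requests that do not match
  tokenStore.clear();
  notify({ type: 'slo-logout', sid: expected.sid });
  return verdict;
}
```

Because the logout URL is loaded inside an iframe on the Okta page, browsers that partition third-party storage give that frame a different localStorage and BroadcastChannel than App B's own tabs, so check in the target browsers that the clear reaches the tokens App B actually uses.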

Thanks, I’m aware Okta can trigger the app’s configured front‑channel SLO endpoint.
My issue is: when I sign out of App A, Okta does load/call App B’s SLO/logout URL (I can see it in the browser), but App B stays “logged in” because its local tokens/state (okta-auth-js tokenManager) are not being cleared automatically.

Is there a recommended front-channel-only way for a React SPA to react to that logout request and clear tokens/end session immediately (e.g., specific endpoint behavior, redirect vs iframe constraints, postMessage/BroadcastChannel pattern, etc.)—without polling and without any back-channel logout?

> but App B stays “logged in” because its local tokens/state (okta-auth-js tokenManager) are not being cleared automatically

That is something the app would have to do on its own, either by polling or by back channel logout as you mentioned.

Are there any recommended polling methods?