Groups not implementing correctly


I have created 2 different applications and assigned 2 different groups to each.
I then created 2 login forms for each application, in the code of each giving respective redirect URI and clientId.

Unfortunately i am able to login to both the applications using the email IDs that do not belong to the group assigned to each of them.

So if snigdha is assigned to app1, sagar is assigned to app2.

I am still able to login to app1 using sagar’s email ID.

The code i am using in the frontend application is

When you log into the Okta Developer Console, and view your applications, do you see your user sagar listed in each one?

Nope, user sagar is listed only in app2.

Can you tell me what is going on in your success handler?

My guess is you are going into the else statement because you don’t get tokens for that application. Okta is still creating a session because you successfully logged into the org, but you won’t get application tokens.

Can you confirm?