I have a standard web application and have set up Amazon Cognito as the primary identity provider. Additionally, in Cognito, I have enabled Okta as an upstream Identity Provider. This allows users to log in with either a username and password managed by Cognito, or their account with my company's enterprise Okta organization.
Cognito includes a logout endpoint for terminating SSO sessions at the Cognito level; this works fine for users who originally logged in with a Cognito username and password.
However, for users who logged in with an Okta ID, my application never receives the ID token or access token issued by Okta; after successful authentication, Cognito issues its own ID token and access token, which are passed back to the application.
I am aware that Okta does have a logout API endpoint; however, this API endpoint requires the Okta-issued ID token in order to terminate the user's Okta session.
Therefore, it is impossible for my application to properly log out a user because, upon successful logout from Cognito, Cognito is able to immediately authenticate the user again using the still-active Okta session.
How can I get the user’s Okta session terminated without knowing the ID token that Okta issued to Cognito?
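One way to approach the situation described in this question, as an added example that is not part of the original post: instead of the OIDC logout endpoint (which needs the Okta-issued ID token the application never sees), clear the user's Okta sessions server-side through the Okta Users API, `DELETE /api/v1/users/{id}/sessions`, which accepts the user's Okta login rather than an ID token. The login can be read from the `identities` claim that Cognito places in its own ID token for federated users (a JSON-encoded array whose entries carry the upstream provider's `userId`). The Okta org URL, the API token, the sample token contents and the `send` hook are assumptions for this example; the token must already have been signature-verified by the application before its claims are trusted, and the Okta API token must be held only on the backend.

```python
"""Added example (not from the original question): terminate a federated
user's Okta session from the application backend, using the Okta login that
Cognito records in the ID token's `identities` claim, instead of the
Okta-issued ID token the application never receives.

Assumptions (not stated on the page): the Okta org URL, an Okta API token
permitted to clear user sessions, and that the Cognito ID token has already
been signature-verified by the app before its claims are trusted.
"""
import base64
import json
import urllib.request
from urllib.parse import quote


def _b64url_decode(segment: str) -> bytes:
    # base64url segments in a JWT are unpadded; restore padding before decoding
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def decode_jwt_claims(id_token: str) -> dict:
    """Return the payload of a compact JWT WITHOUT verifying it.
    Only call this on a token the app has already verified against the
    Cognito user pool's JWKS; this helper is not a substitute for that."""
    parts = id_token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWS")
    return json.loads(_b64url_decode(parts[1]))


def okta_login_from_cognito_claims(claims: dict, provider_name: str = "Okta") -> str:
    """Cognito puts federated identities in an `identities` claim, serialised
    as a JSON string; each entry carries the upstream provider's userId."""
    identities = claims.get("identities", "[]")
    if isinstance(identities, str):
        identities = json.loads(identities)
    for ident in identities:
        if ident.get("providerName") == provider_name:
            return ident["userId"]
    raise LookupError(f"no {provider_name} identity in ID token")


def build_okta_session_revocation(okta_org_url: str, api_token: str, login: str,
                                  revoke_oauth_tokens: bool = True):
    """Okta Users API: DELETE /api/v1/users/{id}/sessions clears every
    session for the user; oauthTokens=true also revokes their OAuth tokens.
    Returns (method, url, headers) so the request can be inspected or sent."""
    url = f"{okta_org_url.rstrip('/')}/api/v1/users/{quote(login, safe='')}/sessions"
    if revoke_oauth_tokens:
        url += "?oauthTokens=true"
    headers = {"Authorization": f"SSWS {api_token}", "Accept": "application/json"}
    return "DELETE", url, headers


def _urllib_send(method: str, url: str, headers: dict) -> int:
    # Real transport; only used when no `send` hook is injected.
    req = urllib.request.Request(url, method=method, headers=headers)
    with urllib.request.urlopen(req) as resp:
        return resp.status


def revoke_okta_sessions_for_cognito_user(id_token: str, okta_org_url: str,
                                          api_token: str, send=_urllib_send) -> str:
    """Full logout step for a federated user: derive the Okta login from the
    (verified) Cognito ID token, then clear the Okta sessions server-side.
    `send` is injectable so the flow can be exercised without network access.
    Okta answers 204 No Content on success; anything else is treated as failure
    so the app does not report a logout that left the Okta session alive."""
    login = okta_login_from_cognito_claims(decode_jwt_claims(id_token))
    method, url, headers = build_okta_session_revocation(okta_org_url, api_token, login)
    status = send(method, url, headers)
    if status != 204:
        raise RuntimeError(f"Okta session revocation failed: HTTP {status}")
    return login


def make_sample_cognito_id_token(login: str = "jane.doe@example.com") -> str:
    """Constructed, unsigned sample token mimicking Cognito's claim layout for
    a federated user; for demonstration only (the values are made up)."""
    header = {"alg": "none", "typ": "JWT"}
    identity = {"userId": login, "providerName": "Okta", "providerType": "OIDC",
                "issuer": None, "primary": "true"}
    payload = {
        "sub": "0c4b1c9e-0000-4000-8000-000000000000",
        "iss": "https://cognito-idp.us-east-1.amazonaws.com/us-east-1_example",
        "cognito:username": f"okta_{login}",
        "identities": json.dumps([identity]),
    }

    def enc(obj):
        return base64.urlsafe_b64encode(json.dumps(obj).encode()).rstrip(b"=").decode()

    return f"{enc(header)}.{enc(payload)}."


if __name__ == "__main__":
    # Offline demonstration with a fake transport that records the request.
    calls = []

    def fake_send(method, url, headers):
        calls.append((method, url))
        return 204

    who = revoke_okta_sessions_for_cognito_user(make_sample_cognito_id_token(),
                                                "https://dev-123456.okta.com",
                                                "00abc", send=fake_send)
    print(f"cleared Okta sessions for {who} via {calls[0][0]} {calls[0][1]}")
```

In a real logout handler this call runs before redirecting the browser to the Cognito logout endpoint, so that when the browser comes back to Cognito there is no live Okta session to re-authenticate against. Because the request carries an Okta API token, it belongs on the server, never in browser code.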