Logout - third party cookies

Hey guys,
so I’m having this issue with logout in okta-react. It seems like Okta is unable to delete session if browser is blocking third-party cookies. Delete request to ‘{URL}/api/v1/sessions/me’ responds with 404 (Resource not found: me (Session)). I’m using logout method from withAuth HOC. What can I do to resolve this problem?

When I’ve seen a 404 in the past, it’s usually because I’m already logged out.

That’s definitely not this case. I’m 100% sure this has something to do with browser blocking third-party cookies. It seems like Okta needs to somehow interact with cookies to perform deletion of ‘{URL}/api/v1/sessions/me’. There are 2 cookies in my storage, “okta-oauth-nonce” and “okta-oauth-state”. Maybe Okta needs to read their values and TP cookies blocking makes this impossible? (not sure if TPCB prevents even reading or deletion of cookie)

I haven’t seen this behavior myself. I mostly use Chrome. Are you using a certain browser? If you configure that browser to accept 3rd party cookies, does it work?

I use Chrome as well. If I enable cookies it works. For example Safari blocks 3rd party cookies by default…

@machy92 yea same here. In my case, it was an issue with getting the session. After my SPA did a sign in with redirect (i.e. my session is now active), my app would get the token in the hash, but GET /api/v1/sessions/me from my app returned 404. Navigating directly to {mydomain}/api/v1/sessions/me in a new browser tab returned 200. Toggling “Block third-party cookies” to off fixed this for me.

Did anyone solve this?

I’m having same issue. The React app cannot log out fully (since the MYDOMAIN.okta.com domain cookies are still stored and can’t be cleared). I obviously do not have control over my users’ browsers to make sure they allow 3rd party cookies…

e.g. is there a page hosted in my okta domain that I can hit (say by a tab open or redirect) to clear those cookies while 3rd party cookies is disabled?

Any solutions around this? (other than enabling third party cookies or adding website as trustted one in browser)

I think it’s not a efficient solution. any code changes i can make?

You can try:
https://subdomain.okta.com/login/signout?fromURI=<post logout redirecturl>

thanks for reply @rajnadimpalli could you elaborate little bit more. if you have any reference links appreciable

Okta FAQ: https://support.okta.com/help/s/article/FAQ-How-Blocking-Third-Party-Cookies-Can-Potentially-Impact-Your-Okta-Environment?language=de&_ga=2.215676432.681955182.1599684587-654599225.1597865375