Need authorization failure to return to the Login Page

Short problem description: With a successful login and then an authorization failure, the login page is bypassed and only the authorization failure page displays on subsequent login attempts.

Problem: With a successful login, I perform some authorization checks on the user’s claims/attributes to verify that the user is allowed into the system. If the authorization fails, I want to ensure the user is redirected to the login page from the authorization error page. Or, if they enter the login url, they see the login page. But since the user successfully logged in, the user is authenticated in okta and a SID cookie is created to represent the authenticated user.

So when the authorization fails and I redirect the user back to the login page from the error page, or the user enters the URL to log in, the Okta login page does not display due to the SID cookie, and the code to perform the authorization is executed again, which fails again.

Is there a way to ensure that the login page displays for the user even when the SID cookie is present? I’ve tried to ‘revoke’ the Okta session and ‘logout’ the user with the OIDC endpoints. But neither works due to the SID cookie being present. I tried the ‘authorize’ prompt=login but I get a different ‘verify’ password dialog than the Okta login dialog. I did manually delete the SID cookie and this forces the login page to display again, which is the behavior that I’m looking for.

Since the user still has an active session, you may want to look into closing it in their browser with this call: DELETE /api/v1/sessions/me

However, this can still lead to a situation where the user is unaware as to why they cannot access the application in question (the one throwing Authorization errors) and continues to try to log in again and again. Is there a reason simply checking application assignment (which, if they are NOT assigned to the application, will result in a rather explicit Authorization Error) is insufficient?
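The following is an added browser-side example of the approach the answer above points at; it is not code from the thread or from Okta. The sid cookie is set on the Okta org domain, so the application's own server cannot clear it; the call has to be made from the user's browser with credentials so that the cookie accompanies the request. Assumptions not stated in the thread: OKTA_ORG_URL is a placeholder for your org base URL, the app's origin is registered as a Trusted Origin in Okta with CORS enabled (otherwise the browser blocks the cross-origin DELETE), and LOGIN_URL is the route in your app that starts the OIDC login. The fetch and navigation objects are injectable so the decision logic can be exercised outside a browser.

```javascript
// Added example (not from the original thread): after an authorization failure,
// end the user's Okta session from the browser so the next visit to the login
// URL shows the Okta sign-in page instead of silently reusing the sid cookie.
//
// Assumptions (not stated in the thread):
//   - OKTA_ORG_URL is a placeholder for your org base URL
//   - the app's origin is a Trusted Origin in Okta with CORS enabled
//   - LOGIN_URL is the route in your app that starts the OIDC login
const OKTA_ORG_URL = 'https://YOUR-ORG.okta.com'; // placeholder
const LOGIN_URL = '/login';                         // hypothetical app route

// Build the request the answer refers to: DELETE /api/v1/sessions/me.
// credentials: 'include' is what sends the sid cookie to the Okta domain.
function buildEndSessionRequest(oktaOrgUrl) {
  const base = oktaOrgUrl.replace(/\/+$/, ''); // tolerate a trailing slash
  return {
    url: `${base}/api/v1/sessions/me`,
    init: {
      method: 'DELETE',
      credentials: 'include',
      headers: { Accept: 'application/json' },
    },
  };
}

// Decide what to do with the HTTP status of that DELETE.
// 204: session closed. 404: there was no session to close (already gone),
// which is also a fine state to send the user to the login page from.
// Anything else (including 0 for a network/CORS failure): stay on the error
// page rather than bouncing the user into the authorize/fail loop again.
function nextStepForStatus(status) {
  if (status === 204 || status === 404) return 'redirect-to-login';
  return 'stay-on-error-page';
}

// Orchestrator called from the authorization-error page.
// fetchImpl and nav default to the browser globals but can be injected.
async function endOktaSessionThenRelogin(
  oktaOrgUrl,
  loginUrl,
  fetchImpl = globalThis.fetch,
  nav = globalThis.location
) {
  const { url, init } = buildEndSessionRequest(oktaOrgUrl);
  let status = 0;
  try {
    const res = await fetchImpl(url, init);
    status = res.status;
  } catch (err) {
    // Network or CORS failure: leave status at 0 so we do not redirect.
    status = 0;
  }
  const step = nextStepForStatus(status);
  if (step === 'redirect-to-login') nav.assign(loginUrl);
  return step;
}

// Typical browser usage from the error page's "Sign in again" button:
// endOktaSessionThenRelogin(OKTA_ORG_URL, LOGIN_URL);
```

Treating 404 the same as 204 matters for the loop the answer warns about: if the session is already gone, sending the user to the login URL is correct, whereas on any other failure the user should stay on the error page with an explanation rather than be bounced through authorize again.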