When redirecting a user through OpenID Connect & OAuth 2.0 API | Okta Developer, if their Okta session has already be killed they’ll be shown a JSON error page that looks like:
{
"errorCode": "E0000005",
"errorSummary": "Invalid session",
"errorLink": "E0000005",
"errorId": "oae4uSVaLVbRTOoRB_EsrXMWw",
"errorCauses": []
}
As obliquely mentioned in the error cases in the documentation. What I expected before testing was that if there wasn’t a session or a user who didn’t match the id_token was logged in, the browser would just be redirected back to the post logout redirect uri (assuming it was valid) without having killed the session.
What is this error for and as result of this happening, who is OIDC logout supposed to be used? This page is clearly unacceptable to ever show to an end user. We can’t avoid that by running this via a CORS request or in a hidden iframe since this page supports neither CORS calls or embedding unless we set our whole Okta org to be embeddable in an iframe. We don’t want this app to have full CORS access to Okta (or we’d just use Sessions | Okta Developer) so we can’t use Sessions | Okta Developer to check if the session still exists. Okta doesn’t support (Final: OpenID Connect Session Management 1.0) so we can’t easily use OIDC to continuously track if the user is still logged in. I suppose that on logout we could redirect the user through authorize again with prompt=none to check if there’s still a session to kill before sending the user through logout but that seems like a big hassle.
Am I missing something?