I have an application registered in Okta with federated authentication to my corporate AD. When logging in as user1 to my application, it redirects to the Okta login and my AD. Once authenticated, I can see the cookie set by Okta and the access, ID and refresh tokens, allowing the app to work as expected.
The issue I have is with logout. In logout (Angular) I am calling the Okta revoke endpoint, revoking my access and ID token, and then calling the Okta logout API to terminate the session. Everything seems fine, including the cookies (idx etc. from the Okta domain) being deleted.
But in the same session, if I now try to log in as user2, it takes me to the Okta login and, once I give the user2 ID, without the need to enter a password/credential it takes me to the application as user1 itself (the only thing I see is that in the Okta cookie "ln" shows my new user2; all the other information is still user1's).
The Okta APIs called on logout are /revoke and /logout; I also clear localStorage.
What am I missing? My expectation is similar for timeouts: after a timeout, when the Okta login screen is served, by default the logged-in user is available and it directly logs me in without the need for credentials.
Not sure if this detail is relevant, but when user1 is an AD user and user2 is a virtual user created in Okta for testing the application, I do not see this issue, i.e. after logout from user1, when the login screen is presented again and I enter test user user2, it asks for the credential and, when provided with the credential, it correctly logs me in as user2.
Any help/pointer would be much appreciated.
Thanks
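Added example (not the poster's code): a browser-side logout sequence for an Okta OIDC SPA. The point it illustrates is the separation between the two things a logout has to do. Revoking tokens at Okta's `/oauth2/v1/revoke` endpoint invalidates the access and refresh tokens (the endpoint takes `token_type_hint` of `access_token` or `refresh_token`; an ID token is not revoked there), but it does nothing to Okta's own browser session. That session is ended by sending the browser to `/oauth2/v1/logout` with the ID token as `id_token_hint` (RP-initiated logout), which clears Okta's session cookie and then redirects to a registered `post_logout_redirect_uri`. Without that redirect the Okta session survives and the next visit to the login page can resume the previous user. The org URL, client ID and redirect URI below are hypothetical placeholders; the `fetchFn`, `storage` and `navigate` parameters are injected so the demo at the bottom runs offline with a fake `fetch` instead of a real Okta tenant.

```javascript
// Added example, not from the original post. Okta OIDC logout for a public SPA client.
// Assumed (hypothetical) tenant, client and redirect target:
const OKTA_ORG = "https://example.okta.com";                          // assumption
const CLIENT_ID = "0oa-example-client-id";                            // assumption: public client
const POST_LOGOUT_REDIRECT_URI = "https://app.example.com/logged-out"; // assumption: must be registered on the app

// Build the form-encoded revocation request (RFC 7009 shape used by Okta's /oauth2/v1/revoke).
// Public clients identify themselves with client_id in the body; confidential clients
// would use HTTP Basic auth instead.
function buildRevokeRequest(token, tokenTypeHint) {
  const body = new URLSearchParams({
    token,
    token_type_hint: tokenTypeHint, // "access_token" or "refresh_token"
    client_id: CLIENT_ID,
  });
  return {
    url: `${OKTA_ORG}/oauth2/v1/revoke`,
    init: {
      method: "POST",
      headers: { "Content-Type": "application/x-www-form-urlencoded" },
      body: body.toString(),
    },
  };
}

// Build the RP-initiated logout URL. id_token_hint tells Okta which session to end;
// post_logout_redirect_uri must exactly match one registered on the Okta app.
function buildLogoutUrl(idToken, state) {
  const u = new URL(`${OKTA_ORG}/oauth2/v1/logout`);
  u.searchParams.set("id_token_hint", idToken);
  u.searchParams.set("post_logout_redirect_uri", POST_LOGOUT_REDIRECT_URI);
  if (state) u.searchParams.set("state", state);
  return u.toString();
}

// Full sequence: revoke refresh token first (so nothing can mint new access tokens),
// then the access token, clear local app state, then hand the browser to Okta's
// logout endpoint so the Okta session cookie itself is cleared.
async function logout(tokens, { fetchFn, storage, navigate, state }) {
  const revoked = [];
  const order = [
    ["refresh_token", tokens.refreshToken],
    ["access_token", tokens.accessToken],
  ];
  for (const [hint, token] of order) {
    if (!token) continue;
    const { url, init } = buildRevokeRequest(token, hint);
    const res = await fetchFn(url, init);
    revoked.push({ hint, ok: res.ok }); // revoke returns 200 even for already-invalid tokens
  }
  storage.clear(); // drop cached tokens/user profile in the SPA
  const target = buildLogoutUrl(tokens.idToken, state);
  navigate(target); // in a browser: window.location.assign(target)
  return { revoked, redirectedTo: target };
}

// Offline demo with a fake fetch and storage (constructed, no network access).
const demoCalls = [];
const fakeFetch = async (url, init) => {
  demoCalls.push({ url, body: init.body });
  return { ok: true, status: 200 };
};
logout(
  { accessToken: "demo-access", refreshToken: "demo-refresh", idToken: "demo-id" },
  { fetchFn: fakeFetch, storage: { clear() {} }, navigate: () => {}, state: "demo-state" }
).then((out) => {
  console.log("revocation calls:", demoCalls.map((c) => c.body));
  console.log("browser sent to:", out.redirectedTo);
});
```

If the application cannot redirect the whole browser, the alternative is `DELETE https://{yourOktaDomain}/api/v1/sessions/me` sent with credentials (cookies) from a trusted origin, which closes the Okta session without leaving the page; token revocation alone is not a substitute for either.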