OpenID Connect RP-initiated logout not working as expected

Maria · April 9, 2020, 11:04am

Hi,

I tried to configure OpenID Connect RP-initiated logout with Spring Boot using the steps described on the Okta Blog: https://developer.okta.com/blog/2020/03/27/spring-oidc-logout-options

However, if I sign in with a user then logout that user (using Okta /logout endpoint) and then try to sign in with the same user again, it will be automatically signed in without any request for the password. The expected behavior would be that after the user is logged out, if it tries to access the app again it would be prompted to log in.

It seems that the session of the user is still active after logout.

Inspect browser after first log in:

Inspect browser after log out and second log in:

What do you think might be the problem?

Thanks

phi1ipp · April 11, 2020, 2:40am

can you show your logout trace instead? are you sure that your Okta session is terminated on logout?

Maria · April 13, 2020, 10:52am

It seems that the Okta session is not terminated.

Should I be doing something more than it is presented on the Okta blog post that I linked in my question?

phi1ipp · April 13, 2020, 12:53pm

Well, looks OK to me, except I see 2 different okta domains in your trace. Do you use external IdP to sign your user in?

Maria · April 13, 2020, 12:57pm

Yes, the user is signed in through an OpenID Connect external IdP. This might be a problem?

phi1ipp · April 13, 2020, 2:49pm

I think it can easily be the missing piece. I can see from the logs that Okta redirects you to your IdP for re-authentication and as session is not destroyed on your IdP, you got signed back in automatically by your Okta tenant intralinks. You can easily validate that by manually closing the session with your IdP before trying to run log out scenario with your application.

Maria · April 13, 2020, 3:22pm

What should I do about that then so that my user can not log in without password after logout? There is a way of terminating the session for my Okta tenant when the logout is initiated?

system · January 24, 2024, 7:09pm

This topic was automatically closed 24 hours after the last reply. New replies are no longer allowed.

Post		Replies	Views
OpenID Connect Logout Options with Spring Boot Developer Blog Comments	36	7709	October 6, 2023
OIDC Web Application - Okta Logout Issue OAuth/OIDC	5	6998	October 29, 2018
Okta back channel initiated logout Questions	2	3063	October 3, 2022
After Logging out (Angular Okta SDK) able to log back in without password Questions	13	6024	February 13, 2024
Browser is not automatically closed after logout OAuth/OIDC	2	1791	February 15, 2024

OpenID Connect RP-initiated logout not working as expected

Related topics