OpenID Connect RP-initiated logout not working as expected

Hi,

I tried to configure OpenID Connect RP-initiated logout with Spring Boot using the steps described on the Okta Blog: https://developer.okta.com/blog/2020/03/27/spring-oidc-logout-options

However, if I sign in with a user, then log out that user (using the Okta /logout endpoint) and then try to sign in with the same user again, the user is automatically signed in without being asked for a password. The expected behavior would be that after the user is logged out, they would be prompted to log in when they try to access the app again.

It seems that the session of the user is still active after logout.

Inspect browser after first login:

Inspect browser after logout and second login:

What do you think might be the problem?

Thanks

Can you show your logout trace instead? Are you sure that your Okta session is terminated on logout?

It seems that the Okta session is not terminated.

Should I be doing something more than what is presented in the Okta blog post that I linked in my question?

Well, it looks OK to me, except that I see two different Okta domains in your trace. Do you use an external IdP to sign your user in?

Yes, the user is signed in through an OpenID Connect external IdP. Might this be the problem?

I think it can easily be the missing piece. I can see from the logs that Okta redirects you to your IdP for re-authentication, and as the session is not destroyed on your IdP, you get signed back in automatically by your Okta tenant intralinks. You can easily validate that by manually closing the session with your IdP before trying to run the logout scenario with your application.
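The exchange above comes down to two questions a practitioner wants to answer with more than a browser trace: is the RP-initiated logout request itself well formed, and did the second sign-in actually involve a fresh authentication or was a surviving session reused? The following is an added example, not code from the thread, the Okta blog post or Spring Security. It builds the end-session request (id_token_hint, post_logout_redirect_uri, state) against a hypothetical tenant, builds a follow-up authorization request with max_age=0 (which, per OpenID Connect Core, asks the OP to re-authenticate and obliges it to include auth_time in the ID token), and then checks the auth_time of the next ID token against the logout timestamp. Every issuer URL, client id and token here is a constructed placeholder, and the claims are read from an unsigned, JWT-shaped token purely so the example runs offline; in a real client the signature must be verified first.

```python
"""Added example (not from the forum thread, the Okta blog or Spring Security):
build an OIDC RP-initiated logout request and check, on the next sign-in,
whether the user was actively re-authenticated or silently signed back in
from a session that survived the logout."""
import base64
import json
from urllib.parse import parse_qs, urlencode, urlsplit

# Constructed placeholders; not a real Okta tenant, client, URI or token.
ISSUER = "https://example.okta.com/oauth2/default"
END_SESSION_ENDPOINT = ISSUER + "/v1/logout"
AUTHORIZATION_ENDPOINT = ISSUER + "/v1/authorize"
CLIENT_ID = "0oaexampleclientid"
REDIRECT_URI = "https://app.example.com/login/oauth2/code/okta"
REGISTERED_POST_LOGOUT_URIS = {"https://app.example.com/"}


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def make_unsigned_id_token(claims: dict) -> str:
    """JWT-shaped token with an empty signature, only so this example runs
    offline. A real ID token is signed by the OP and must be verified."""
    header = {"alg": "none", "typ": "JWT"}
    return f"{_b64url(json.dumps(header).encode())}.{_b64url(json.dumps(claims).encode())}."


def id_token_claims(id_token: str) -> dict:
    """Decode the claims of an ID token whose signature has ALREADY been
    verified by the OIDC client library (Spring Security does that before the
    token reaches application code)."""
    parts = id_token.split(".")
    if len(parts) != 3:
        raise ValueError("not a JWT")
    return json.loads(_b64url_decode(parts[1]))


def build_logout_url(id_token: str, post_logout_redirect_uri: str, state: str) -> str:
    """RP-initiated logout request (OpenID Connect RP-Initiated Logout 1.0).
    id_token_hint identifies the OP session to end; the redirect URI must be
    one registered for this client or the OP will refuse to redirect."""
    if post_logout_redirect_uri not in REGISTERED_POST_LOGOUT_URIS:
        raise ValueError("post_logout_redirect_uri is not registered for this client")
    query = urlencode({
        "id_token_hint": id_token,
        "post_logout_redirect_uri": post_logout_redirect_uri,
        "state": state,
    })
    return f"{END_SESSION_ENDPOINT}?{query}"


def build_reauth_authorization_url(state: str, nonce: str) -> str:
    """Authorization request that does not accept an existing OP session:
    max_age=0 asks the OP to actively re-authenticate the user and requires
    it to put auth_time in the ID token (OIDC Core 3.1.2.1). Whether a
    chained external IdP also re-prompts is up to that IdP."""
    query = urlencode({
        "response_type": "code",
        "client_id": CLIENT_ID,
        "redirect_uri": REDIRECT_URI,
        "scope": "openid profile",
        "state": state,
        "nonce": nonce,
        "max_age": "0",
    })
    return f"{AUTHORIZATION_ENDPOINT}?{query}"


def was_reauthenticated(claims: dict, logout_time: int, leeway: int = 5) -> bool:
    """True if the OP reports an active authentication after the logout.
    An auth_time earlier than the logout proves the OP reused its own session.
    A recent auth_time does not by itself prove a password prompt when the OP
    brokers to an upstream IdP whose session survived; that case needs the
    IdP-side check the reply above describes."""
    auth_time = claims.get("auth_time")
    if auth_time is None:
        raise ValueError("ID token has no auth_time; send max_age in the authorization request")
    return int(auth_time) >= logout_time - leeway


def logout_url_params(url: str) -> dict:
    """Query parameters of a built URL, for inspection in a trace or test."""
    return {k: v[0] for k, v in parse_qs(urlsplit(url).query).items()}


if __name__ == "__main__":
    logout_at = 1_700_000_000
    first = make_unsigned_id_token({"iss": ISSUER, "sub": "user1", "auth_time": logout_at - 600})
    print(build_logout_url(first, "https://app.example.com/", "s1"))
    print(build_reauth_authorization_url("s2", "n2"))
    # Second sign-in, OP reports the pre-logout authentication: session reused.
    reused = make_unsigned_id_token({"iss": ISSUER, "sub": "user1", "auth_time": logout_at - 600})
    fresh = make_unsigned_id_token({"iss": ISSUER, "sub": "user1", "auth_time": logout_at + 30})
    print(was_reauthenticated(id_token_claims(reused), logout_at))
    print(was_reauthenticated(id_token_claims(fresh), logout_at))
```

In practice the logout timestamp is recorded by the application when it hands the browser to the end-session endpoint, and the auth_time comparison runs in the post-login handler of the next sign-in; a failure there is the programmatic equivalent of "signed in again without a password" and is worth logging as a session-termination anomaly.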

What should I do about that, then, so that my user cannot log in without a password after logout? Is there a way of terminating the session for my Okta tenant when the logout is initiated?
