I could observe that closing the session has no effect on this behaviour. However, deleting all browser data did have an effect, i.e. when opening the 2nd url I then actually see the login page instead of just being redirected back instantly.
If you are already logged into Okta on your browser, the second idp provided will be ignored and tokens will returned for the idp/user that was already logged in.
If you are just testing this yourself, you can delete the ‘sid’ cookie that is set on your Okta domain, which is what the authorize call uses to check if a user is already logged in on that browser.
Can I disable that behaviour in Okta? Since we are calling the Okta authorize URL from a native app via a web-view I don’t think we can delete cookies…
Not that I know of, no. You could look to try deleting the cookie (ending the Okta session) via a CORS request before making the second authorize call (or any authorize call, if that’s the desired set up):
Yup, OIDC has a logout endpoint, but you need to redirect to it and pass the id token issued to the user with the session in that browser. It will achieve the same thing, removing that Okta ‘sid’ cookie.