Session mismatch with express-openid-connect

I’m using express-openid-connect to manage authentication and maintain sessions in our Node.js application.

Currently, when both our app session and the Okta session are valid, everything works fine. However, when the session on our side expires, we use the isAuthenticated function from the package to check for a valid session. If it returns false, we redirect the user to the login page.

On the login page, when the user enters their email, we call the login flow using /login and get redirected to the Okta login. Since there’s already an active session on the Okta side, it automatically grants a new token and redirects back to our app, even if the user enters a different email than the one associated with the Okta session. This causes a mismatch where a different user ends up being logged in.

What I want to do is: when our app loads and detects no valid session on our side, check if there is still a valid Okta session, and if so, redirect to Okta to silently refresh the session or prompt a proper login.

How can I achieve this with express-openid-connect?
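One way to close the gap described above, as an added example that is not part of this thread or of the express-openid-connect project: ask Okta for a fresh authentication instead of silently reusing its session (`prompt=login` and `login_hint` are standard OIDC authorization parameters), and verify in the library's `afterCallback` hook that the account Okta returns is the one the user typed. The cookie name `expected_login`, the `makeFakeIdToken` helper and the `buildApp` wiring are assumptions made for this example; the hook relies on express-openid-connect having already validated the ID token before it calls `afterCallback`.

```javascript
// Added example (not from the thread or the library): refuse a callback that
// logs in a different account than the one requested on our own login page.
// Assumes express-openid-connect v2 (`auth`, `res.oidc.login`, `afterCallback`),
// cookie-parser for req.cookies, and a cookie named `expected_login` that our
// own /login handler sets (our name, not part of the library).

const EXPECTED_LOGIN_COOKIE = 'expected_login';

// Options for res.oidc.login(): login_hint pre-fills the email at Okta and
// prompt=login (standard OIDC) asks Okta to re-authenticate the user instead
// of reusing its existing session.
function loginOptionsFor(email, returnTo = '/') {
  return {
    returnTo,
    authorizationParams: { login_hint: email, prompt: 'login' },
  };
}

// Decode a JWT payload WITHOUT verifying it. Acceptable here only because
// express-openid-connect has validated the ID token signature and claims
// before it invokes afterCallback; never use this on untrusted tokens.
function decodeJwtPayload(jwt) {
  const parts = jwt.split('.');
  if (parts.length !== 3) throw new Error('malformed JWT');
  return JSON.parse(Buffer.from(parts[1], 'base64url').toString('utf8'));
}

// True when the email (or preferred_username) claim matches what the user typed.
function identityMatches(expectedEmail, claims) {
  const got = String(claims.email || claims.preferred_username || '').toLowerCase();
  return got !== '' && got === expectedEmail.trim().toLowerCase();
}

// afterCallback hook for auth({ ... }). Returning the session completes the
// login; throwing aborts it and hands the error to Express error handling.
function afterCallback(req, res, session) {
  const expected = req.cookies && req.cookies[EXPECTED_LOGIN_COOKIE];
  res.clearCookie(EXPECTED_LOGIN_COOKIE);
  if (!expected) return session; // login started without an email entered
  const claims = decodeJwtPayload(session.id_token);
  if (!identityMatches(expected, claims)) {
    throw new Error(`Okta returned ${claims.email} but ${expected} was requested`);
  }
  return session;
}

// Constructed test helper: builds an unsigned token with the given claims so the
// hook can be exercised offline. Not a real Okta token.
function makeFakeIdToken(claims) {
  const b64 = (obj) => Buffer.from(JSON.stringify(obj)).toString('base64url');
  return `${b64({ alg: 'none' })}.${b64(claims)}.sig`;
}

// Wiring, kept inside a function so this module loads without express,
// cookie-parser or express-openid-connect installed. The library reads
// ISSUER_BASE_URL, BASE_URL, CLIENT_ID and SECRET from the environment.
function buildApp() {
  const express = require('express');
  const cookieParser = require('cookie-parser');
  const { auth } = require('express-openid-connect');
  const app = express();
  app.use(cookieParser());
  app.use(auth({ authRequired: false, afterCallback }));
  app.post('/login', express.urlencoded({ extended: false }), (req, res) => {
    // sameSite=None because the default callback is a cross-site form_post;
    // a Lax cookie would not be sent with it.
    res.cookie(EXPECTED_LOGIN_COOKIE, req.body.email, {
      httpOnly: true, secure: true, sameSite: 'none', maxAge: 5 * 60 * 1000,
    });
    res.oidc.login(loginOptionsFor(req.body.email));
  });
  return app;
}

module.exports = { loginOptionsFor, identityMatches, afterCallback, makeFakeIdToken, buildApp };
```

For the "check whether an Okta session still exists" half of the question, the same `authorizationParams` slot accepts `prompt: 'none'`: Okta then either returns tokens without any UI or answers with the standard `login_required` error, which the app can treat as "no Okta session, show the login page".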

Hello,

You can use the sessions methods to check whether there is an existing Okta session to handle this use case.

Alternatively, the other workaround would be to call the logout endpoint once the session on your side expires. This will revoke all tokens from Okta and expire all the sessions on the Okta side, so the user will have to log in again.

I tried calling the method https://{customdomain}/api/v1/sessions/me, but previously it was returning a 404.

According to the docs, the request expects a Cookie header like:

Cookie: sid=abcde-123 or idx=abcde-123

Where can I get this sid from? Is it available as oidc.user.sid? I’m assuming this value comes from the session established after the JWT token is issued.

Also, what happens if the user manually deletes this cookie or token? Will the /sessions/me endpoint then return a 404 or something else?