@cdaniel7 It sounds like this application is not logging the user out of Okta (ending their Okta session in browser) when they sign out of the application.
Based on Flask-OIDC’s documentation, the logout() method it implements only clears the cookie set by the application, but not the one created by Okta when the user authenticated with Okta (also discussed here).
If you’d like to prevent users from logging back into your application without being prompted to re-authenticate with their Identity provider, you will need to change how sign out is being handled so it does both. I don’t see this built into Flask-OIDC (SLO is not directly supported in OIDC), but you can add this logic yourself.
Here’s what that sample is doing right now:
There are two ways you can end a user’s session in Okta from an OIDC application.
- Redirecting to the /logout endpoint.
- Calling DELETE on /sessions/me.
For OIDC applications, we typically recommend the first option. In the case of this application, this means that instead of redirecting the user to the home route of the application, you will instead redirect them to the logout endpoint. In this request, you will include two query parameters: id_token_hint (the user’s raw JWT ID token) and a post_logout_redirect_uri (where the user should be redirected once they are logged out of Okta, like the application home page). If you have access to the user’s raw ID token (which may or may not be possible, but see this SO post for a possible solution), you can use this endpoint. Note that if you do include the optional post_logout_redirect_uri, it MUST be whitelisted in the application within Okta (same as the Login redirect URI).
The second option is a simple CORS request to delete the user’s Okta session. This will not redirect the user once complete, so using the existing redirection in the sample app is likely still desirable. This technique can be used if you for some reason cannot access the user’s ID token.
With either option implemented, you should see that if a user tries to log back into your application, they will be sent back to their IdP (Okta) to authenticate again.
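The first option in code, as an added example that is not from the original post or from Flask-OIDC: a helper that builds the Okta logout redirect URL and checks post_logout_redirect_uri against a local copy of the whitelist Okta enforces, plus a function showing how a Flask-OIDC logout route would call it. The issuer URL, the allowlist, and the session key holding the raw ID token are assumed placeholders.

```python
from urllib.parse import urlencode, urlsplit, urlunsplit

# Constructed placeholder values; replace with your tenant's authorization
# server issuer and the Logout redirect URIs whitelisted on the Okta app.
OKTA_ISSUER = "https://dev-000000.okta.com/oauth2/default"
ALLOWED_POST_LOGOUT_URIS = {"https://app.example.com/"}


def build_okta_logout_url(id_token, post_logout_redirect_uri=None, issuer=OKTA_ISSUER):
    """Return the Okta /v1/logout URL to redirect the browser to.

    id_token is the raw compact-serialized ID token issued at login; Okta uses
    it (id_token_hint) to find the session to end. The redirect URI is only
    added if it is on the local allowlist, mirroring Okta's own whitelist, so
    a tampered value cannot turn the logout flow into an open redirect.
    """
    if not id_token or id_token.count(".") != 2:
        raise ValueError("id_token_hint must be a raw compact JWT")
    params = {"id_token_hint": id_token}
    if post_logout_redirect_uri is not None:
        if post_logout_redirect_uri not in ALLOWED_POST_LOGOUT_URIS:
            raise ValueError("post_logout_redirect_uri is not whitelisted")
        params["post_logout_redirect_uri"] = post_logout_redirect_uri
    scheme, netloc, path, _, _ = urlsplit(issuer)
    return urlunsplit(
        (scheme, netloc, path.rstrip("/") + "/v1/logout", urlencode(params), "")
    )


def flask_logout_view(session, oidc, redirect, home="https://app.example.com/"):
    """Body of a Flask-OIDC /logout route (hypothetical wiring).

    Call it as `return flask_logout_view(flask.session, oidc, flask.redirect)`.
    Assumes the raw ID token was stored under session["oidc_id_token"] at
    login; ending the app session alone (oidc.logout()) leaves the Okta
    session alive, which is the behaviour described above.
    """
    id_token = session.get("oidc_id_token")
    oidc.logout()  # clears the application's own Flask-OIDC cookie
    if not id_token:
        return redirect(home)  # no hint available: fall back to app-only logout
    return redirect(build_okta_logout_url(id_token, home))  # ends Okta session too
```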