There are two users with access to the same app: user1 and user2.
User1 sends an authorize request to Okta:
Okta prefills the username field, the user enters the password, and an Okta session is created.
Then user2 sends an authorize request to Okta:
Even though a different login_hint is passed, Okta does not ask user2 for credentials; it returns user1's session instead.
Is there a way to force Okta to ask for credentials when a different login_hint is provided?
Currently, to handle the case where a different user wants to log in without logging out first, we need to call Okta's /api/v1/sessions/me to get the current session and, if it exists and the username of the current session does not match the one in login_hint, terminate the current session. The problem is that we need to do this extra check for each authorization request, which basically means that we're cutting our allowed Okta traffic in half.
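
The pre-authorize check described above, written out as an added example (not code from the original post): it reads the current session from `/api/v1/sessions/me`, compares its `login` with `login_hint`, and closes the session on a mismatch. The org URL `https://example.okta.com`, the function names, and the case-insensitive comparison are assumptions.

```javascript
// Added example, not the poster's code. OKTA_ORG is a placeholder org URL.
const OKTA_ORG = 'https://example.okta.com';

// Pure decision step: given the HTTP status and JSON body returned by
// GET /api/v1/sessions/me, decide what to do before the authorize request.
function decideSessionAction(status, session, loginHint) {
  // 404 means there is no Okta session, so Okta will prompt for credentials.
  if (status === 404) return 'authorize';
  // Anything unexpected fails closed rather than reusing an unknown session.
  if (status !== 200 || !session || typeof session.login !== 'string') {
    return 'error';
  }
  // Without a hint there is nothing to compare against.
  if (!loginHint) return 'authorize';
  // Assumption: logins are compared case-insensitively.
  const current = session.login.trim().toLowerCase();
  const wanted = loginHint.trim().toLowerCase();
  return current === wanted ? 'authorize' : 'terminate-then-authorize';
}

// Browser-side wrapper. Requires the app origin to be allowed for CORS in
// Okta so the session cookie is sent with credentials: 'include'.
async function ensureSessionMatchesHint(loginHint, fetchImpl = fetch) {
  const url = `${OKTA_ORG}/api/v1/sessions/me`;
  const res = await fetchImpl(url, {
    credentials: 'include',
    headers: { Accept: 'application/json' },
  });
  const body = res.status === 200 ? await res.json() : null;
  const action = decideSessionAction(res.status, body, loginHint);
  if (action !== 'terminate-then-authorize') return action;

  // Session belongs to another user: close it so the next authorize
  // request cannot silently return that user's session.
  const del = await fetchImpl(url, { method: 'DELETE', credentials: 'include' });
  // A 404 here means the session already ended, which is the desired state.
  return del.ok || del.status === 404 ? 'authorize' : 'error';
}
```

The caller sends the authorize request only when the result is `'authorize'`; on `'error'` it should stop rather than continue with a session whose owner it could not confirm.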