Trouble logging out of Authorization Server and IDP

Hi all,

We are currently implementing Single Sign-On for our web application.
Using the Authorization Code flow alongside the hub and spoke design (both being hosted by Okta).

The login flow works perfectly:

  1. User navigates to web application in browser
  2. redirected to Okta hub (where they must enter their email address as the username)
  3. redirected to Okta IdP (where they must enter the password corresponding to the email address from step 2)
  4. Authorization Code is retrieved
  5. Access Token is retrieved using Code
  6. User is then authenticated internally within our web application

The problem seems to be with logging out.

I have a logout function that logs a user out internally from the web application then also redirects to the Okta logout endpoint ‘/v1/logout’.

The issue that I’m seeing is when I attempt to log in with User B after logging out User A.
When I visit the web application, the authentication flow initiates as intended.

  1. User navigates to the web application in browser
  2. redirected to Okta hub (where User B enters their email address as the username)
  3. redirected to Okta spoke (where the IdP automatically authenticates User B as User A?!? and the identity information for User A is returned)

Ultimately User B is logged into the web application as User A??

It seems that the idP session for User A is persisted and retrieved for any User.
How can I fix this? Is this a configuration issue?


Did you call the logout endpoint on the spoke?
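An added example (not the original poster's code and not Okta's) of the chained logout the reply points at: clear the local session, send the browser to the hub's `/v1/logout`, and use `post_logout_redirect_uri` to come back to the app, which then ends the spoke session. Org URLs, the callback path and the session store are constructed placeholders; ending the spoke session via its `/login/signout` page is an assumption, made because the app only ever holds the hub-issued ID token, not one from the spoke.

```python
import secrets
from urllib.parse import urlencode

# Constructed placeholders; substitute your own hub/spoke org URLs and app URLs.
HUB_ISSUER = "https://hub.example.okta.com/oauth2/default"
SPOKE_ORG = "https://spoke.example.okta.com"
APP_LOGOUT_CALLBACK = "https://app.example.com/logout/callback"
APP_HOME = "https://app.example.com/"

# Assumption: a dict stands in for a server-side store of pending logout states.
_pending_logouts: dict[str, str] = {}


def begin_logout(session: dict) -> str:
    """Step 1: end the app login first, then redirect to the hub's OIDC logout.

    The hub is asked to send the browser back to our callback afterwards;
    the callback performs the second hop to the spoke. Returns the redirect URL.
    """
    hub_id_token = session.get("hub_id_token", "")  # only the hub's ID token is held here
    session.clear()  # local session is gone before any redirect leaves the app
    state = secrets.token_urlsafe(16)
    _pending_logouts[state] = "spoke"  # remember that a spoke hop is still owed
    params = {
        "id_token_hint": hub_id_token,
        "post_logout_redirect_uri": APP_LOGOUT_CALLBACK,
        "state": state,
    }
    return f"{HUB_ISSUER}/v1/logout?{urlencode(params)}"


def logout_callback(query: dict) -> str:
    """Step 2: the hub redirected back; now end the spoke session.

    The state is checked and consumed so that a stray or replayed request
    cannot start the spoke hop (or bounce the browser) without a logout
    having been started here. Returns the next redirect URL.
    """
    next_hop = _pending_logouts.pop(query.get("state", ""), None)
    if next_hop != "spoke":
        return APP_HOME  # unknown or already-used state: just land on the home page
    # Assumption: the spoke is a plain Okta org whose browser session can be
    # ended via /login/signout, which needs no spoke-issued ID token.
    return f"{SPOKE_ORG}/login/signout?{urlencode({'fromURI': APP_HOME})}"
```

Without the second hop, the spoke's browser session survives and the hub's IdP redirect silently reuses it, which is exactly the User A / User B mix-up described above.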