Uncaught (in promise) AuthApiError - Not properly logging user out

Hi all,
I’m getting an error with okta-auth-js in my app when using the Firefox browser on windows. It appears to be working on chrome, safari, and edge.

What’s happening is I logout, get redirected properly to my login screen, but when I go to log in again it takes me right through, skipping the authentication step. My guess is the sessions are not properly getting cleared on logout.

I’m using version 5.6.0 from the cdn here.

I’m using MFA, prompting for factor every session.

I simplified my code to make it easier to troubleshoot:

        var config = {
          issuer: `https://${OKTA_ORG_URL}/oauth2/default`,
          clientId: OKTA_CLIENT_ID,
          redirectUri: REDIRECT_URI,
          postLogoutRedirectUri: POST_LOGOUT_URI,
          responseMode: 'fragment',
          pkce: true,
          // Configure TokenManager to use sessionStorage instead of localStorage
          //  I also tried removing this option with no change
          tokenManager: {
            storage: 'sessionStorage'
          restoreOriginalUri: async (oktaAuth, originalUri) => {
            window.location.href = HOME_URI;

        var authClient = new OktaAuth(config);
          if (authClient.isLoginRedirect()) {
            try {
              await authClient.handleLoginRedirect();
            } catch (e) {
          } else if (!await authClient.isAuthenticated()) {
           // is not authenticated
          } else {
            // User is authenticated


Thank you for any help!

Hey there! It does sound like the session is not getting cleared for whatever reason and therefore a browser specific issue… can you confirm whether or not the sid is cleared from storage on logout?

Thanks for looking into this!
I’m not certain where exactly that sid is located in storage. Where is the sid found?

I did try logging the session info using authClient.session.get() which works as expected on chrome, but firefox returns:
{ status: “INACTIVE” } whether I’m logged in or not.


While I’m not entirely sure how the code is structed internally, I do find it interesting that on chrome the revokeToken function is running and I can put a breakpoint to debug it, but on Firefox I believe the error is throw somewhere before this.

Very weird! I am testing on a Mac, but when logged in I am showing ACTIVE when calling AuthClient.session.get() on FireFox. When you log out, are tokens cleared in Firefox? You should be able to see those in Storage → Local Storage in the FireFox Dev Tools.

With Firefox on Mac I’m getting a valid session using the AuthClient.session.get() as well. Do you find that in the local storage - okta-cache ? I see entries there even after logging out.

On Mac/Firefox, after calling the signOut method and being redirected to my original url the AuthClient.session.get() is still returning a valid session. :frowning:

On chrome and edge, upon logging out I do not return a valid session from the same console log.

Any ideas?