Uncaught (in promise) AuthApiError - Not properly logging user out

Hi all,
I’m getting an error with okta-auth-js in my app when using the Firefox browser on Windows. It appears to be working on Chrome, Safari, and Edge.

What’s happening is I log out, get redirected properly to my login screen, but when I go to log in again it takes me right through, skipping the authentication step. My guess is the sessions are not properly getting cleared on logout.

I’m using version 5.6.0 from the CDN here.
https://global.oktacdn.com/okta-auth-js/5.6.0/okta-auth-js.min.js

I’m using MFA, prompting for factor every session.

I simplified my code to make it easier to troubleshoot:

        var config = {
          issuer: `https://${OKTA_ORG_URL}/oauth2/default`,
          clientId: OKTA_CLIENT_ID,
          redirectUri: REDIRECT_URI,
          postLogoutRedirectUri: POST_LOGOUT_URI,
          responseMode: 'fragment',
          pkce: true,
          // Configure TokenManager to use sessionStorage instead of localStorage
          //  I also tried removing this option with no change
          tokenManager: {
            storage: 'sessionStorage'
          },
          restoreOriginalUri: async (oktaAuth, originalUri) => {
            window.location.href = HOME_URI;
          }
        };

        var authClient = new OktaAuth(config);
        if (authClient.isLoginRedirect()) {
          try {
            await authClient.handleLoginRedirect();
          } catch (e) {
            // Log the error instead of silently swallowing it
            console.error(e);
          }
        } else if (!await authClient.isAuthenticated()) {
          // is not authenticated
        } else {
          // User is authenticated
        }

        authClient.signInWithRedirect();

Thank you for any help!

Hey there! It does sound like the session is not getting cleared for whatever reason and therefore a browser-specific issue… can you confirm whether or not the sid is cleared from storage on logout?

Thanks for looking into this!
I’m not certain where exactly that sid is located in storage. Where is the sid found?

I did try logging the session info using authClient.session.get() which works as expected on Chrome, but Firefox returns:
{ status: "INACTIVE" } whether I’m logged in or not.

Thanks!

While I’m not entirely sure how the code is structured internally, I do find it interesting that on Chrome the revokeToken function is running and I can put a breakpoint to debug it, but on Firefox I believe the error is thrown somewhere before this.

Very weird! I am testing on a Mac, but when logged in I am showing ACTIVE when calling AuthClient.session.get() on Firefox. When you log out, are tokens cleared in Firefox? You should be able to see those in Storage → Local Storage in the Firefox Dev Tools.

With Firefox on Mac I’m getting a valid session using the AuthClient.session.get() as well. Do you find that in the local storage - okta-cache? I see entries there even after logging out.

On Mac/Firefox, after calling the signOut method and being redirected to my original url the AuthClient.session.get() is still returning a valid session. :frowning:

On Chrome and Edge, upon logging out I do not return a valid session from the same console log.

Any ideas?
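
The storage check discussed in this thread (are token or cache entries still present after logout?), written as an added example that is not part of the original posts or of okta-auth-js. It assumes the okta-auth-js default storage keys `okta-token-storage` and `okta-cache-storage` and that each stored entry carries an `expiresAt` in epoch seconds; `findResidualAuthState` and `fakeStorage` are hypothetical names.

```javascript
// Assumed key names: okta-auth-js defaults. Adjust if the app overrides them.
const AUTH_KEYS = ['okta-token-storage', 'okta-cache-storage'];

// Returns one finding per auth-related entry still present after logout.
// `storages` maps a label to a Storage-like object exposing getItem().
function findResidualAuthState(storages, nowSec = Math.floor(Date.now() / 1000)) {
  const findings = [];
  for (const [label, storage] of Object.entries(storages)) {
    for (const key of AUTH_KEYS) {
      const raw = storage.getItem(key);
      if (raw === null || raw === undefined) continue; // key absent: clean
      let parsed = null;
      try {
        parsed = JSON.parse(raw);
      } catch {
        parsed = null;
      }
      if (parsed === null || typeof parsed !== 'object') {
        findings.push({ storage: label, key, entry: null, note: 'unparseable value' });
        continue;
      }
      // An emptied container ("{}") produces no findings.
      for (const [name, value] of Object.entries(parsed)) {
        const exp = value && typeof value.expiresAt === 'number' ? value.expiresAt : null;
        findings.push({
          storage: label,
          key,
          entry: name, // report the entry name only, never the token value
          live: exp === null ? null : exp > nowSec, // assumed epoch seconds
        });
      }
    }
  }
  return findings;
}

// Constructed stand-in for window.localStorage / sessionStorage so the
// check also runs outside a browser.
function fakeStorage(items) {
  return { getItem: (k) => (k in items ? items[k] : null) };
}
```

In the browser console, run `findResidualAuthState({ localStorage, sessionStorage })` right after the post-logout redirect; any finding with `live: true` means an unexpired entry survived logout in that browser.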