User not assigned is not reprompted to reauthenticate on log out

I am trying to implement OIDC in a Phoenix (Elixir) backend app. Everything works well, until I have a user who is not assigned to the app. When this happens and I go to the authorization path, the user is not reprompted to login. The user just receives the same error again (“User is not assigned to the client application.”)

My app is structured in a way where if no user is logged in, they get redirected to the authentication page, so in this case I have an infinite loop where I constantly get the “User not assigned” error.

I would like to have something like the OIDC /logout endpoint but I need an id_token for this and I don’t have it because the user has the access denied.

You should have a “callback” page, which analyzes the response from Okta, and only lets them in if a token is received.

I do have a callback page. If I don’t receive a token it redirects to the authorization page again. But I don’t get reprompted with the credentials on the Okta side, as the session is not forgotten. I need a way to delete the Okta session. This is why it keeps looping.

You can delete the current Okta session using the /sessions/me endpoint

I have tried that but I keep receiving a 404.

{
    "errorCode": "E0000007",
    "errorSummary": "Not found: Resource not found: me (Session)",
    "errorLink": "E0000007",
    "errorId": <error_id>,
    "errorCauses": []
}

Are you able to make the request from the browser side/frontend? Also, might need to set withCredentials to true.


I am only able to make the requests backend side.

Then I agree with phi1ipp that you probably want to add some validation on the /callback page to check if there are any errors in the response url.

You can also try redirecting to https://yourOrg.okta.com/login/signout to see if that will log the user out of Okta.

I do have validation in the /callback page. If an error is returned (in this case access_denied), then I redirect the user to the login page. But because there is an active session, the user is not prompted to input their credentials again, instead the error access_denied is returned again, thus creating an infinite redirection loop between the callback page and the Okta authentication page.

Hi Warren, If a user is not assigned to the application I don’t understand why you would want to redirect them to the login page. Even if they log in again, that will only result in the same “User is not assigned to the client application” result. You’ll end up at the same place with the additional step of logging in again.

It seems to me that if the user is not assigned to the app in Okta you need to handle that differently than an unauthenticated user and direct the user to some place where they can request access to the app, or simply display a message that they are not allowed to use the app, with options to open a support ticket or leave if they are not supposed to be there.

If all users should have access to the app then I think you need to figure out why the user is not assigned to the app and fix that.

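The callback handling the last reply describes, written out as an added Elixir example that is not the poster's code or any Okta library code: an OIDC callback that treats `error=access_denied` (an unassigned user) as a terminal state and renders a page, instead of redirecting back to the authorization endpoint and looping while the Okta session stays alive. It assumes a Phoenix 1.7-style controller with a `MyAppWeb.AuthCallbackHTML` view providing `not_assigned` and `auth_error` templates, a hypothetical `MyApp.Auth.exchange_code/1` that trades the authorization code for tokens, and an `oidc_state` value stored in the session before the user was sent to `/authorize`; all of those names are assumptions, not from the thread.

```elixir
defmodule MyAppWeb.AuthCallbackController do
  use MyAppWeb, :controller
  require Logger

  # Added example, not the poster's code. Assumed names: MyApp.Auth.exchange_code/1
  # (hypothetical token exchange), the :oidc_state session key, and the
  # not_assigned / auth_error templates in MyAppWeb.AuthCallbackHTML.

  # Okta reports an unassigned user as error=access_denied. The Okta session is
  # still alive, so sending the user back to /authorize only reproduces the
  # error. Stop here: render a page the user can act on, never redirect to login.
  def callback(conn, %{"error" => "access_denied"} = params) do
    Logger.warning("OIDC access_denied at callback: #{params["error_description"]}")

    conn
    |> put_status(:forbidden)
    |> render(:not_assigned, description: params["error_description"])
  end

  # Any other OIDC error (invalid_request, server_error, ...) is also a dead end
  # for the login flow; surface it rather than redirecting into a loop.
  def callback(conn, %{"error" => error} = params) do
    Logger.warning("OIDC error at callback: #{error} #{params["error_description"]}")

    conn
    |> put_status(:bad_request)
    |> render(:auth_error, error: error, description: params["error_description"])
  end

  # Success path: exchange the code only if the state value round-tripped,
  # which ties this response to the /authorize request this session started.
  def callback(conn, %{"code" => code, "state" => state}) do
    expected = get_session(conn, :oidc_state) || ""

    with true <- Plug.Crypto.secure_compare(state, expected),
         {:ok, tokens} <- MyApp.Auth.exchange_code(code) do
      conn
      |> delete_session(:oidc_state)
      |> put_session(:id_token, tokens.id_token)
      |> redirect(to: "/")
    else
      false ->
        conn
        |> put_status(:bad_request)
        |> render(:auth_error, error: "invalid_state", description: nil)

      {:error, reason} ->
        conn
        |> put_status(:bad_gateway)
        |> render(:auth_error, error: "token_exchange_failed", description: inspect(reason))
    end
  end

  # Neither a code nor an error: not an OIDC response, so reject it outright.
  def callback(conn, _params) do
    send_resp(conn, 400, "Missing OIDC response parameters")
  end
end
```

The `not_assigned` template is where the "request access" or "open a support ticket" options from the last reply belong; the `access_denied` clause deliberately has no `redirect/2`, which is what breaks the callback-to-authorize cycle described earlier in the thread. Because the redirect to login only happens when the callback carries no response parameters at all, an unassigned user sees the page once and the application's unauthenticated-user redirect never fires for them.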