okta / okta-auth-js

The official js wrapper around Okta's auth API

Auth JS signout does not sign out user when using the third party IDP? #1080

Open sandyboon opened 2 years ago

sandyboon commented 2 years ago

Using @okta/okta-auth-js version 5.10.0. Auth flow - Auth Code with PKCE for SPA.

  1. Add a third party Identity provider (Facebook) on your Okta Server following the below-linked instructions: https://developer.okta.com/docs/guides/add-an-external-idp/facebook/main/#about-the-connection-to-the-idp-for-your-application
  2. In your client App use the following code to log your user in:

         authClient = new OktaAuth(this.OAuthConfig);
         authClient.start();
         if (authClient.isLoginRedirect()) {
           // Exchange the auth code from the URL for tokens (parseFromUrl resolves to { tokens, state })
           authClient.token.parseFromUrl()
             .then(data => {
               // Store parsed tokens in Token Manager
               const { idToken, accessToken } = data.tokens;
               authClient.tokenManager.add("idToken", idToken);
               authClient.tokenManager.add("accessToken", accessToken);
             });
         } else {
           authClient.tokenManager.get('idToken')
             .then(idToken => {
               console.log(idToken);
               if (idToken) {
                 console.log(`Hi ${idToken.claims.email}!`);
               } else {
                 // You're not logged in, you need a sessionToken
                 authClient.token.getWithRedirect({ responseType: 'id_token' });
               }
             });
         }
  3. Upon clicking the login button the user gets taken to the Facebook login page, where they put their credentials in, and then Facebook redirects to the Okta callback URL - https://dev-58264319.okta.com/oauth2/v1/authorize/callback?code=&state= Okta then redirects them to the redirect URI - http://localhost:1234/?code=&state=#=
  4. authClient.token.parseFromUrl() can now parse the auth code from the URL and ask for the accessToken and idToken by making a POST request to the '/v1/token' token endpoint to the Okta server.
  5. Sign out the user on the logout button click with the following code:

         authClient.stop();
         await this.authClient.signOut();
  6. You can see that the token manager has removed the access token and the id token from the local storage and you can also see the call to the revoke endpoint to revoke the access token.
  7. Revisit your sign-in page again and try to log in. The login code doesn't redirect to the Facebook login page; it redirects to the redirectUri with state and code in the query string, and the login code can now get the access token without the resource owner having to put in their credentials again.
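A defensive check for the symptom in step 7, added here as an example (it is not code from the issue or from okta-auth-js): after a sign-out, compare the `auth_time` claim of the ID token returned by the next login against the moment you signed out. If `auth_time` predates the sign-out, no credentials were entered again and an upstream IdP session was reused. Assumptions: the ID token carries an `auth_time` claim (OIDC core; Okta ID tokens include it when the client asks for it), the code runs under Node so `Buffer` is available, and the sample tokens are constructed and unsigned.

```javascript
// Decode the payload of a JWT without verifying it. Signature verification is
// done elsewhere (okta-auth-js validates tokens it parses); this only reads claims.
function decodeJwtPayload(jwt) {
  const parts = jwt.split('.');
  if (parts.length !== 3) throw new Error('not a JWS compact serialization');
  const b64 = parts[1].replace(/-/g, '+').replace(/_/g, '/');
  const padded = b64 + '='.repeat((4 - (b64.length % 4)) % 4);
  return JSON.parse(Buffer.from(padded, 'base64').toString('utf8'));
}

// Decide whether a login that completed after a sign-out at `signOutAtSeconds`
// (unix time) involved a real re-authentication at the IdP.
//   reauthenticated: true  -> auth_time is at or after the sign-out
//   reauthenticated: false -> auth_time predates the sign-out (session reused)
//   reauthenticated: null  -> the token has no auth_time claim; cannot tell
function checkReauthentication(idToken, signOutAtSeconds) {
  const claims = decodeJwtPayload(idToken);
  if (typeof claims.auth_time !== 'number') {
    return { reauthenticated: null, reason: 'auth_time claim absent' };
  }
  if (claims.auth_time >= signOutAtSeconds) {
    return { reauthenticated: true, reason: 'auth_time after sign-out' };
  }
  return { reauthenticated: false, reason: 'IdP session reused' };
}

// Constructed sample token builder (assumption: unsigned, alg "none" header,
// placeholder signature) so the check can be exercised offline.
function makeSampleToken(claims) {
  const enc = (o) => Buffer.from(JSON.stringify(o)).toString('base64')
    .replace(/=/g, '').replace(/\+/g, '-').replace(/\//g, '_');
  return `${enc({ alg: 'none', typ: 'JWT' })}.${enc(claims)}.placeholder-sig`;
}

// Worked case mirroring the repro: sign-out at t=2000, next ID token says the
// user authenticated at t=1000, i.e. before the sign-out.
const signOutAt = 2000;
const reusedSession = makeSampleToken({ sub: 'user', auth_time: 1000 });
console.log(checkReauthentication(reusedSession, signOutAt)); // reauthenticated: false
```

When the check reports a reused session, the remediation on the relying-party side is to request a fresh authentication (OIDC `max_age=0`, exposed by okta-auth-js as the `maxAge` token parameter; assumption) rather than accepting the silently issued tokens.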
jaredperreault-okta commented 2 years ago

@sandyboon Do you experience the same behavior if you call .signOut() before .stop()?

Like so:

await authClient.signOut();
authClient.stop();
jaredperreault-okta commented 2 years ago

Also, do you mind providing your OktaAuth config? (Please scrub sensitive fields)

sandyboon commented 2 years ago

@jaredperreault-okta Thanks for responding. I just tested it. I do experience the same behavior even if I call signOut() before the stop(). The browser I am using is Chrome 97.0.4692.99.

Here is my OAuthConfig -

OAuthConfig = {
  OAuthType: "Okta",
  // Org URL
  issuer: "",
  // OpenID Connect APP Client ID
  clientId: "",
  // Trusted Origin Redirect URI
  redirectUri: "http://localhost:1234",
  signoutRedirectUri: "http://localhost:1234",
  devMode: true,
};

jaredperreault-okta commented 2 years ago

It's unclear from the repro steps provided whether the user was redirected to Facebook during the initial login. In Step 3, the user is logged out, but it's unclear how they had a session in the first place.

sandyboon commented 2 years ago

@jaredperreault-okta The user does get redirected to Facebook login page where they put in their credentials. I have updated the repro steps.

jaredperreault-okta commented 2 years ago

I notice your authClient.token.getWithRedirect call doesn't pass the idp option (docs). Mind retrying with that option set?

sandyboon commented 2 years ago

@jaredperreault-okta I am seeing the same behaviour even when I pass the idp option like so:

authClient.token.getWithRedirect({ idp: "idp-identifier" });