Greetings, I’ve listed the steps below to recreate this issue – I don’t know if a solution is in place to ensure that redirects remain committed for the target application…If you have a pathway to correcting this issue, I would love to implement it.
I had been logged in to CompanyApp, which timed out and went to the log in screen.
I clicked Sign In, and the Sign In page re-loaded.
I started the recording.
I clicked in the Personal Email field just to ensure you could see my clicks, but I did not change anything.
I clicked Sign In again.
The app navigates to NewApp and gives me a 403 Forbidden error.
We also have video of this behavior if we can send that privately to someone on the team.
The reason you might be getting this behavior is that when logging out of an application it will generally redirect to the first URL from the Allowed Logout URLs List (see Allowed Logout URLs List Not Returning the Correct Value).
Redirects can be set accordingly after a user signs in or signs out of an application.
After a user signs in, you will have to make sure that the redirect_uri parameter is used properly as a callback URL. For this you can check out the Redirect Users after login documentation.
You can also implement a returnTo URL query string parameter. Our documentation on the matter - Redirect Users with Alternative Logout mentions that you can redirect users to a specific URL.
You can check out these community articles about this:
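As an added example (not code from this thread, and not Auth0's own SDK), the snippet below shows the logout side of what the reply describes: a logout URL is built with an explicit `returnTo` query parameter so the browser lands on the application the user actually came from, and the target is checked against an allowlist that plays the role of the tenant's Allowed Logout URLs. When no `returnTo` is supplied, the example falls back to the first allowlist entry, which is the default behavior the reply attributes to the logout flow. The `/v2/logout` path and the `client_id`/`returnTo` parameters follow the reply's description; the tenant domain, client id and the two application URLs are constructed placeholders, and the allowlist matching rules (HTTPS only, exact host and path) are this example's own policy. The same allowlist pattern applies to validating `redirect_uri` on the login side.

```javascript
// Added example: building a logout URL with returnTo and validating the
// target against an allowlist (stand-in for the tenant's Allowed Logout URLs).
// Not part of the original thread; domain, client id and URLs are constructed.

// Constructed allowlist: first entry is the default when no returnTo is given.
const ALLOWED_LOGOUT_URLS = [
  "https://companyapp.example.com/login",
  "https://newapp.example.com/login",
];

// Returns true only if `candidate` exactly matches an allowlist entry on
// scheme (HTTPS required), host (including port) and path. Query strings and
// embedded credentials are rejected so a near-match cannot slip through.
function isAllowedLogoutTarget(candidate, allowlist) {
  let target;
  try {
    target = new URL(candidate);
  } catch {
    return false; // not a parseable absolute URL
  }
  if (target.protocol !== "https:") return false;
  if (target.username || target.password) return false;
  if (target.search || target.hash) return false;
  return allowlist.some((entry) => {
    const allowed = new URL(entry);
    return (
      allowed.protocol === target.protocol &&
      allowed.host === target.host &&
      allowed.pathname === target.pathname
    );
  });
}

// Builds https://<domain>/v2/logout?client_id=...&returnTo=... .
// Throws if returnTo is present but not allowlisted; with no returnTo,
// falls back to the first allowlisted URL (the default the reply describes).
function buildLogoutUrl({ domain, clientId, returnTo, allowlist }) {
  const target = returnTo === undefined ? allowlist[0] : returnTo;
  if (!isAllowedLogoutTarget(target, allowlist)) {
    throw new Error(`returnTo is not an allowed logout URL: ${target}`);
  }
  const url = new URL(`https://${domain}/v2/logout`);
  url.searchParams.set("client_id", clientId);
  url.searchParams.set("returnTo", target);
  return url.toString();
}

// Example usage with constructed values.
const exampleLogout = buildLogoutUrl({
  domain: "tenant.example.auth0.com", // constructed placeholder
  clientId: "abc123",                  // constructed placeholder
  returnTo: "https://companyapp.example.com/login",
  allowlist: ALLOWED_LOGOUT_URLS,
});
console.log(exampleLogout);
```

In the scenario from the question, a session in CompanyApp that expires and is logged out without a `returnTo` would take the first allowlist entry; if NewApp's URL happens to sit first in the tenant's list, that is where the browser goes. Passing the originating application's URL as `returnTo` (and keeping it in the allowlist) pins the post-logout redirect to the right target.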