Prior to upgrading my streamlit version on my server to the latest 1.53.1 I was at 1.46, and this st.logout would both sign me out and return me back to my url to reauthenticate, and now it only logs me out and displays this error:
400
Bad Request
Your request resulted in an error. The ‘post_logout_redirect_uri’ parameter must be a Logout redirect URI in the client app settings: {OKTA HOME PAGE URL REDACTED}
After inspecting the network request for this, it appears that parameter is passing the /oauth2callback subdomain of my URL. Wondering how to instead pass this back to the landing page of my Streamlit app.
On Okta my signin redirect uri is the https://****.com/oauth2callback and the signout redirect uri is https://****.com and the following is the template of my config toml and code:
.streamlit/secrets.toml:
[auth]
redirect_uri = "https://xxxxxx.com/oauth2callback"
cookie_secret = "xxx"
client_id = "xxx"
client_secret = "xxx"
server_metadata_url = "https://okta.com/oauth2/xxxxxxxxxxx/.well-known/oauth-authorization-server"
client_kwargs = { "scope" = " all my groups", "prompt" = "login"}
Python 3.11
import streamlit as st

if not st.user.is_logged_in:
    if st.button("Log in"):
        st.login()
else:
    if st.button("Log out"):
        st.logout()
    st.write(f"Hello, {st.user.name}!")
Any help would be appreciated!
Welcome to the community and thanks for your detailed question!
This is a known issue that appeared after Streamlit v1.48, where st.logout() started using the OIDC end_session_endpoint and, by default, sets post_logout_redirect_uri to the base of your redirect_uri (e.g., https://xxxxxx.com/oauth2callback), which may not match your Okta-allowed logout URLs (which expect https://xxxxxx.com). This mismatch causes the 400 error you’re seeing. The behavior and root cause are discussed in detail in Streamlit issue #12169 and Streamlit PR #11901.
Currently, Streamlit does not provide a built-in way to override the post_logout_redirect_uri parameter sent to your OIDC provider. The value is derived from your redirect_uri by stripping /oauth2callback, but this may not always match your Okta configuration. As a workaround, you can manually construct a logout URL for Okta and present it as a link or button in your app, or you can consider downgrading to 1.47.1 or earlier, where this issue does not occur. For more details and community discussion, see the Streamlit forum thread and the Streamlit documentation for st.logout.
In Streamlit issue 12693, it appears that this was fixed and isn't considered an error. Additionally, the changes were recognized first in the 1.53 release notes. This leads me to strongly believe that the code is correct and not an error, but rather a new configuration or intended behavior is being used that's not being documented correctly in the docs for people to abide by. Hoping to get a response from someone who knows the new behavior of this st.logout in relation to what I've read in the attached issues summary here. Acknowledging these changes, I'd like to know what my options are besides reverting the Streamlit version.
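The workaround mentioned in the reply above (building the provider logout URL by hand) can be sketched as follows. This is an added example, not code from any poster in this thread or from Streamlit. It builds an OIDC RP-initiated logout URL from the provider metadata and refuses any `post_logout_redirect_uri` that is not on the registered list, so the mismatch behind the 400 error shows up locally. Assumptions: the function names, the `example.com` hosts and the client id are constructed placeholders, and whether your provider accepts `client_id` without `id_token_hint` must be confirmed in its logout documentation.

```python
from urllib.parse import urlencode, urlsplit, urlunsplit

# Constructed sample values (assumptions); substitute your own tenant's data.
SAMPLE_METADATA = {  # subset of the JSON served at server_metadata_url
    "end_session_endpoint": "https://idp.example.com/oauth2/default/v1/logout",
}
REGISTERED_LOGOUT_URIS = ["https://app.example.com"]  # as entered in the IdP app


def app_root(redirect_uri):
    """Drop path, query and fragment from the [auth] redirect_uri."""
    parts = urlsplit(redirect_uri)
    return urlunsplit((parts.scheme, parts.netloc, "", "", ""))


def build_logout_url(metadata, client_id, post_logout_redirect_uri,
                     registered_uris, id_token_hint=None, state=None):
    """Return an RP-initiated logout URL, or raise ValueError before the
    browser is sent to a request the provider would reject."""
    endpoint = metadata.get("end_session_endpoint")
    if not endpoint:
        raise ValueError("provider metadata has no end_session_endpoint")
    if urlsplit(endpoint).scheme != "https":
        raise ValueError("end_session_endpoint must use https")
    # Exact string comparison: a trailing slash or a leftover /oauth2callback
    # path is treated as a different URI and is refused here.
    if post_logout_redirect_uri not in registered_uris:
        raise ValueError(
            f"{post_logout_redirect_uri!r} is not a registered logout "
            f"redirect URI; registered: {registered_uris}")
    params = {"client_id": client_id,
              "post_logout_redirect_uri": post_logout_redirect_uri}
    if id_token_hint:  # recommended by the spec when the app holds the ID token
        params["id_token_hint"] = id_token_hint
    if state:
        params["state"] = state
    sep = "&" if urlsplit(endpoint).query else "?"
    return endpoint + sep + urlencode(params)


if __name__ == "__main__":
    root = app_root("https://app.example.com/oauth2callback")
    print(build_logout_url(SAMPLE_METADATA, "constructed-client-id", root,
                           REGISTERED_LOGOUT_URIS))
```

In a Streamlit app the returned URL can be offered to the user with `st.link_button`.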