Logout (what to clear)
1. Clear your session — delete or invalidate your application session cookie and server-side session record.
2. IdP logout (recommended when available) — if Intastellar provides an end-session or logout URL, redirect the user there with parameters from your integration reference (id_token_hint, post_logout_redirect_uri, client_id, etc.) so SSO cookies on the identity domain are cleared.
3. Return URL — send the user to a public page on your site after logout completes.
Without step 2, the user may still be signed in to Intastellar and get a silent sign-in on the next authorize redirect.
Common authorize errors
| error (typical) | Meaning |
|---|---|
| invalid_request | Missing or invalid parameter (e.g. bad redirect_uri). |
| unauthorized_client | Client not allowed for this flow or scope. |
| access_denied | User cancelled or blocked consent. |
| invalid_scope | Requested scope not allowed for the client. |
Always show a safe message to the user and log error_description server-side for your team.
Common token errors
| error | Meaning |
|---|---|
| invalid_grant | Code expired, already used, or redirect_uri / PKCE mismatch. |
| invalid_client | Wrong client_id / client_secret. |
| invalid_request | Malformed body or missing field. |
Authorization codes are usually single-use and short-lived. If the user double-submits the callback or you retry with the same code, expect invalid_grant.
React SDK and plain JS (popup)
- Popup blocked — the SDK opens a new window; browsers may block it. Allow popups for your origin, or use a flow that does not rely on window.open if your product supports it.
- Still “signed in” after portal logout — third-party cookies or IdP session can make getUsers() return a user until IdP logout or cookie cleanup; see Sessions, cookies, and tokens.
Troubleshooting checklist
- Redirect URI matches the registered value exactly (scheme, host, path, no extra query).
- state matches the value you stored for this attempt.
- PKCE: same code_verifier that produced the sent code_challenge.
- Clock skew: server time correct for JWT exp validation.
- CORS: token endpoint calls from the browser often fail by design — use your backend.
Happy-path detail: Authorization code flow.
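The checklist above as a server-side pre-flight check run before the token exchange. This is an added example, not Intastellar's code: the function names and the `stored` / `cfg` shapes are hypothetical, and the sample values are constructed (the PKCE pair is the RFC 7636 Appendix B test vector).

```javascript
// Added example (Node.js). All function names and object shapes are hypothetical.
const crypto = require("node:crypto");

// RFC 7636 S256: code_challenge = BASE64URL(SHA256(code_verifier)), no padding.
function s256(verifier) {
  return crypto.createHash("sha256").update(verifier, "ascii").digest("base64url");
}

// Constant-time comparison so the state check does not leak matches by timing.
function safeEqual(a, b) {
  const x = Buffer.from(String(a)), y = Buffer.from(String(b));
  return x.length === y.length && crypto.timingSafeEqual(x, y);
}

// Returns the list of checklist failures; an empty list means the exchange can proceed.
function checkCallback(query, stored, cfg) {
  const problems = [];
  if (query.error) problems.push(`authorize_error:${query.error}`);
  if (!stored || !safeEqual(query.state ?? "", stored.state)) problems.push("state_mismatch");
  if (stored && stored.redirectUri !== cfg.registeredRedirectUri) problems.push("redirect_uri_mismatch");
  if (stored && s256(stored.codeVerifier) !== stored.codeChallenge) problems.push("pkce_mismatch");
  if (!query.code && !query.error) problems.push("missing_code");
  return problems;
}

// JWT exp check; the 60-second skew allowance is an assumption, tune it to your setup.
function isExpired(expSeconds, nowMs = Date.now(), skewSeconds = 60) {
  return nowMs / 1000 > expSeconds + skewSeconds;
}

// Constructed sample: what the app saved when it started this sign-in attempt.
const stored = {
  state: "af0ifjsldkj",
  redirectUri: "https://app.example/callback",
  codeVerifier: "dBjftJeZ4CVP-mB92K27uhbUJU1p1r_wW1gFWFOEjXk",
  codeChallenge: "E9Melhoa2OwvFrEMTJguCHaoeK1t8URWbuGJSstw-cM",
};
const cfg = { registeredRedirectUri: "https://app.example/callback" };
console.log(checkCallback({ code: "abc", state: "af0ifjsldkj" }, stored, cfg));
console.log(checkCallback({ code: "abc", state: "other" }, { ...stored, redirectUri: "https://app.example/callback?x=1" }, cfg));
```

Log the returned list server-side and show the user only a generic message, as recommended for authorize errors above.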
Frequently asked questions
User says the popup is blank
Check popup blockers, mixed content (an http page opening an https popup), and console errors. Ensure your page sends iframe-token-received back to the popup when required; see Plain HTML, CSS, and JavaScript.
“Invalid grant” every time
See token errors above — usually double use of the code or redirect_uri mismatch at exchange time.
We only want to sign out of our app, not Intastellar
You can clear only your session (step 1). Be aware the user may reappear signed in quickly on the next Intastellar redirect — that may be what you want, or not.