Fix #26622: Suppress auto-redirect after explicit logout for SSO providers #26757

Open. aji-aju wants to merge 3 commits into main from fix/26622-suppress-auto-redirect-after-logout

@aji-aju aji-aju commented Mar 25, 2026

Summary

  • When enableAutoRedirect: true is configured with an SSO provider (e.g., Azure AD), clicking Logout navigates to /signin where auto-redirect immediately fires, re-authenticating the user via the still-active IdP session — making it impossible to stay logged out.
  • Sets a sessionStorage flag (om_explicit_logout) before logout begins and checks it on /signin mount to suppress auto-redirect for that single visit.
  • The flag is tab-scoped (new tabs still auto-redirect normally) and consumed on first read (subsequent visits to /signin in the same tab also auto-redirect normally).

Changes

| File | Change |
| --- | --- |
| AuthProvider.tsx | Set om_explicit_logout flag in sessionStorage at the start of onLogoutHandler |
| SignInPage.tsx | Add isPostLogout memo that reads + consumes the flag; add && !isPostLogout to shouldAutoRedirect |
| SignInPage.test.tsx | New test: verifies auto-redirect is suppressed when the logout flag is present |

Expected behavior after fix

| Scenario | Result |
| --- | --- |
| Fresh visit (new tab) | Auto-redirect to SSO → seamless login |
| User clicks Logout → lands on /signin | Stays on /signin, shows SSO login button |
| User clicks "Sign in with Azure" after logout | Redirects to Azure AD (manual, user-initiated) |
| New tab after logout | Auto-redirect works (flag is tab-scoped) |

Closes #26622

Test plan

  • Unit test: should NOT auto-redirect after explicit logout — sets flag, renders with enableAutoRedirect: true + Azure, asserts onLoginHandler was NOT called and flag was consumed
  • Existing test: SSO providers should auto-redirect when enableAutoRedirect is true — passes (no regression)
  • Manual QA: Configure Azure AD SSO with enableAutoRedirect: true, log in, click Logout, verify staying on /signin
  • Manual QA: Open new tab to OM, verify auto-redirect still works

🤖 Generated with Claude Code

…iders

When enableAutoRedirect is true, clicking Logout navigates to /signin
where the auto-redirect logic immediately fires, sending the user back
to the IdP and re-authenticating them. This makes it impossible to stay
logged out while the IdP session is active.

Set a sessionStorage flag (om_explicit_logout) before logout begins and
check it on /signin mount to suppress auto-redirect for that one visit.
The flag is tab-scoped and consumed on first read, so new tabs and
subsequent visits still auto-redirect normally.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
@aji-aju aji-aju requested a review from a team as a code owner March 25, 2026 06:58
Copilot AI review requested due to automatic review settings March 25, 2026 06:58
@github-actions

Hi there 👋 Thanks for your contribution!

The OpenMetadata team will review the PR shortly! Once it has been labeled as safe to test, the CI workflows
will start executing and we'll be able to make sure everything is working as expected.

Let us know if you need any help!

@aji-aju aji-aju self-assigned this Mar 25, 2026
@aji-aju aji-aju added the UI UI specific issues label Mar 25, 2026

Copilot AI left a comment

Pull request overview

Fixes the SSO logout loop when enableAutoRedirect: true by marking an explicit logout in tab-scoped sessionStorage and suppressing the one-time auto-redirect on the subsequent /signin mount.

Changes:

  • Set a sessionStorage flag at the start of logout to indicate an explicit user logout.
  • Read + consume that flag on /signin to suppress enableAutoRedirect for a single visit.
  • Add a unit test to ensure auto-redirect is suppressed and the flag is consumed.

Reviewed changes

Copilot reviewed 3 out of 3 changed files in this pull request and generated 3 comments.

| File | Description |
| --- | --- |
| openmetadata-ui/src/main/resources/ui/src/components/Auth/AuthProviders/AuthProvider.tsx | Sets the explicit-logout session flag during logout flow. |
| openmetadata-ui/src/main/resources/ui/src/pages/LoginPage/SignInPage.tsx | Reads/consumes the flag and gates shouldAutoRedirect to avoid immediate re-login. |
| openmetadata-ui/src/main/resources/ui/src/pages/LoginPage/SignInPage.test.tsx | Adds regression coverage for post-logout suppression behavior. |

Comment on lines +71 to +80
const isPostLogout = useMemo(() => {
const flag = sessionStorage.getItem('om_explicit_logout');
if (flag) {
sessionStorage.removeItem('om_explicit_logout');

return true;
}

return false;
}, []);
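Review bot: The read on the first line of the callback, sessionStorage.getItem('om_explicit_logout'), is unguarded, so in a browser context where storage access throws, SignInPage fails during render instead of falling back to the normal sign-in flow. Wrap the getItem and removeItem calls in try/catch and return false on error. The check if (flag) also accepts any non-empty string; comparing against the value the logout handler writes (flag === 'true') keeps the read and write paths in step.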

Copilot AI Mar 25, 2026

isPostLogout is computed via useMemo with a side effect (removing the sessionStorage flag) during render. In React 18 StrictMode / concurrent rendering, render work can be invoked more than once or discarded, which can consume the flag before the committed render reads it—defeating the suppression and reintroducing the auto-redirect loop. Make the render phase pure: read the flag without mutating storage (e.g., via useState initializer or a pure useMemo), and consume/remove the flag in a useLayoutEffect (declared before the auto-redirect effect) or in an effect that runs after commit while keeping isPostLogout stable for the first commit.

Copilot uses AI. Check for mistakes.
Comment on lines +71 to +75
const isPostLogout = useMemo(() => {
const flag = sessionStorage.getItem('om_explicit_logout');
if (flag) {
sessionStorage.removeItem('om_explicit_logout');


Copilot AI Mar 25, 2026

The sessionStorage key 'om_explicit_logout' is duplicated across AuthProvider, SignInPage, and the test. To prevent drift/typos and make the behavior easier to discover, consider extracting it into a shared constant (e.g., constants/auth.constants.ts) and importing it in all three places.

Comment on lines 177 to 183
const onLogoutHandler = useCallback(async () => {
clearTimeout(timeoutId);

sessionStorage.setItem('om_explicit_logout', 'true');

// Let SSO complete the logout process
await authenticatorRef.current?.invokeLogout();
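Review bot: The flag is written before await authenticatorRef.current?.invokeLogout() and nothing in these lines clears it if that call rejects, so a failed logout leaves om_explicit_logout set and the next /signin visit in this tab skips auto-redirect even though no logout completed. Consider wrapping invokeLogout() in try/catch and removing the flag in the catch branch before rethrowing or reporting the error.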

Copilot AI Mar 25, 2026

sessionStorage.setItem(...) can throw (e.g., storage disabled, browser privacy modes, embedded/3rd-party contexts). Since this runs on every explicit logout, an exception here would prevent logout from completing. Wrap the storage write in a small try/catch (and proceed with logout even if it fails), ideally behind a helper shared with the /signin read path.

useMemo does not guarantee the cached value is retained — React may
discard it and re-run the callback (e.g. for offscreen trees). Since
the callback consumes the sessionStorage flag, a re-run would return
false and re-enable auto-redirect. useState's lazy initializer runs
exactly once per mount, making the read-and-consume side effect safe.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

Copilot AI review requested due to automatic review settings March 26, 2026 05:22

gitar-bot bot commented Mar 26, 2026

Code Review ✅ Approved 1 resolved / 1 findings

Suppresses auto-redirect after explicit logout for SSO providers by replacing useMemo with useState lazy initializer to prevent the isPostLogout flag from being lost on re-render. No issues found.

✅ 1 resolved
Bug: Side effect in useMemo may cause flag to be lost on re-render

📄 openmetadata-ui/src/main/resources/ui/src/pages/LoginPage/SignInPage.tsx:71-80
The isPostLogout value is computed via useMemo, which reads and removes the om_explicit_logout flag from sessionStorage. React does not guarantee memoized values are retained — the docs explicitly state "React may throw away the cached value and recalculate it later" (e.g., for offscreen trees in concurrent features). If React discards the cached value and re-runs the memo callback, the flag will already have been consumed, so isPostLogout flips to false and shouldAutoRedirect becomes true — re-triggering the exact auto-redirect this PR aims to prevent.

Using useState with a lazy initializer is the idiomatic and safe pattern here: the initializer is guaranteed to execute exactly once per mount, making the read-and-consume side effect reliable.

Copilot AI left a comment

Pull request overview

Copilot reviewed 3 out of 3 changed files in this pull request and generated 3 comments.

Comment on lines +180 to +181
sessionStorage.setItem('om_explicit_logout', 'true');


Copilot AI Mar 26, 2026

The storage key 'om_explicit_logout' is duplicated here and in SignInPage. To prevent future drift/typos (which would silently break the suppression logic), consider extracting it into a shared constant (e.g., in a constants/auth module) and reusing it in both places.

Comment on lines +142 to +144
it('should NOT auto-redirect after explicit logout', async () => {
sessionStorage.setItem('om_explicit_logout', 'true');


Copilot AI Mar 26, 2026

This test writes to sessionStorage, which is shared state across the whole test file. Add explicit cleanup (e.g., remove the key in a finally block or clear storage in afterEach) so the suite stays isolated even if an assertion fails mid-test.

const onLogoutHandler = useCallback(async () => {
clearTimeout(timeoutId);

sessionStorage.setItem('om_explicit_logout', 'true');

Copilot AI Mar 26, 2026

sessionStorage.setItem(...) can throw (e.g., storage disabled, quota exceeded), which would abort the logout flow before invokeLogout() runs and could leave the app in a partially logged-out state. Wrap this flag write in a try/catch (and optionally guard for typeof window !== 'undefined') so logout remains reliable even if storage is unavailable.

Suggested change
sessionStorage.setItem('om_explicit_logout', 'true');
if (typeof window !== 'undefined' && window.sessionStorage) {
try {
window.sessionStorage.setItem('om_explicit_logout', 'true');
} catch {
// Ignore storage errors to ensure logout flow continues
}
}

Copilot uses AI. Check for mistakes.
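
The guarded write path and one-shot read path discussed in the review comments above, as an added example that is not part of this pull request or the OpenMetadata code base. The helper names, the simplified shouldAutoRedirect gate and the two stand-in storage objects are assumptions made for illustration; only the key name om_explicit_logout comes from the PR.

```javascript
// Added example, not OpenMetadata code; helper names are hypothetical.
const EXPLICIT_LOGOUT_KEY = 'om_explicit_logout'; // key name taken from the PR

// Touching window.sessionStorage can itself throw when storage is blocked.
function getSessionStorage() {
  try { return typeof window !== 'undefined' ? window.sessionStorage : null; }
  catch { return null; }
}

// Write path (logout handler): a storage error must never abort logout.
function markExplicitLogout(storage = getSessionStorage()) {
  try {
    storage.setItem(EXPLICIT_LOGOUT_KEY, 'true');
    return true;
  } catch {
    return false;
  }
}

// Read path (/signin mount): read once and consume, so the flag is one-shot.
function consumeExplicitLogout(storage = getSessionStorage()) {
  try {
    const flagged = storage.getItem(EXPLICIT_LOGOUT_KEY) === 'true';
    storage.removeItem(EXPLICIT_LOGOUT_KEY);
    return flagged;
  } catch {
    return false; // storage unavailable: treated as "no explicit logout"
  }
}

// Simplified gate (assumption): the real shouldAutoRedirect has more terms.
const shouldAutoRedirect = (enabled, storage) => enabled && !consumeExplicitLogout(storage);

// Constructed stand-ins for window.sessionStorage so this runs under Node.
function makeMemoryStorage() {
  const data = new Map();
  return {
    getItem: (k) => (data.has(k) ? data.get(k) : null),
    setItem: (k, v) => void data.set(k, String(v)),
    removeItem: (k) => void data.delete(k),
  };
}
const fail = () => { throw new Error('storage blocked (constructed)'); };
const blockedStorage = { getItem: fail, setItem: fail, removeItem: fail };

// Logout, land on /signin, then revisit /signin in the same tab.
function simulateTab(storage) {
  const wrote = markExplicitLogout(storage);
  return { wrote, first: shouldAutoRedirect(true, storage), second: shouldAutoRedirect(true, storage) };
}
```

With storage blocked, simulateTab reports wrote: false and the first /signin visit auto-redirects again, so suppression is lost but the logout path is never interrupted.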

Development

Successfully merging this pull request may close these issues.

Azure AD SSO : User immediately re logged in after logout when enable Auto redirect is true

2 participants