obot-platform · g-linville · Nov 25, 2025 · Nov 24, 2025 · Nov 24, 2025 · g-linville
diff --git a/pkg/api/server/server.go b/pkg/api/server/server.go
@@ -84,15 +84,6 @@ func (s *Server) Wrap(f api.HandlerFunc) http.HandlerFunc {
 
 		user, err := s.authenticator.Authenticate(req)
 		if err != nil {
-			// Check if this is a FetchUserGroupsError which indicates an auth provider configuration issue
-			var fetchGroupsErr *gclient.FetchUserGroupsError
-			if errors.As(err, &fetchGroupsErr) {
-				http.Error(rw, fmt.Sprintf("Authentication provider configuration error: %s. Please contact an administrator to fix the auth provider configuration.", err.Error()), http.StatusInternalServerError)
-				return
-			}
-
-			http.Error(rw, err.Error(), http.StatusUnauthorized)
-
 			if errors.Is(err, proxy.ErrInvalidSession) {
 				// The session is invalid, so tell the browser to delete the cookie so that it won't try it again.
 				http.SetCookie(rw, &http.Cookie{
@@ -101,7 +92,19 @@ func (s *Server) Wrap(f api.HandlerFunc) http.HandlerFunc {
 					Path:   "/",
 					MaxAge: -1,
 				})
+				// Refresh the page so that the cookie deletes.
+				http.Redirect(rw, req, req.URL.String(), http.StatusFound)
+				return
 			}
+
+			http.Error(rw, err.Error(), http.StatusUnauthorized)
+
+			// Check if this is a FetchUserGroupsError which indicates an auth provider configuration issue
+			var fetchGroupsErr *gclient.FetchUserGroupsError
+			if errors.As(err, &fetchGroupsErr) {
+				http.Error(rw, fmt.Sprintf("Authentication provider configuration error: %s. Please contact an administrator to fix the auth provider configuration.", err.Error()), http.StatusInternalServerError)
+			}
+
 			return
 		}