Approaches to achieving a working logout on iOS
sattaman opened this issue · 10 comments
Logout on iOS is problematic for us, due to additionalParameters: { prompt: 'login' } being ignored. I'm looking at the approaches I could take to get a working logout.
Previously, I had edited AppAuth-iOS to force the use of SFAuthenticationSession and then used react-native-safari-view to clear the authentication cookie (openid/AppAuth-iOS#182), but these customizations were lost during our last update and look more difficult now since the pod is now being pulled automatically.
Some possible solutions I was looking at:
- Disable Pod install of AppAuth-iOS, include source manually and update as before.
- Fork this and update the code to allow implementation as per the gist here which changes AppAuth to always use the SFSafariViewController https://gist.github.com/WilliamDenniss/18f3779b4a310361bb955cf4e534f29c (openid/AppAuth-iOS#209).
- Fork this and add an iOS only method which will call out to the signout endpoint on iOS only. The issue with this is it looks like it opens with a prompt stating sign-in which doesn't look good. openid/AppAuth-iOS#461
I am currently thinking approach 2 looks to be the best. If I'm missing anything or anyone has any better suggestions, please let me know!
Related to #68
I've got this working in a fork: sattaman@c5bd351. Would there be any way of allowing this customisation without forking? I have very little knowledge of Objective-C, and I guess you wouldn't want a flag being passed in to toggle this, but if you have any suggestions let me know :)
+1 I'd really like to see this resolved... When I revoke tokens I want the ability to actually log the user out / clear their session. When I add additionalParameters to my config... it doesn't even work.
> Logout on iOS is problematic for us, due to additionalParameters: { prompt: 'login' } being ignored.
I just got my iOS app configured for social auth using this library and AAD B2C only to discover that there is no way to log out. I've tried calling the logout endpoint. Is there documentation somewhere that explains that "prompt=login" is ignored on iOS?
@michaelburch I ended up implementing my own auth flow. You could also fix the issue described in bullet 2.
https://authguidance.com/2020/02/23/ios-code-sample-coding-key-points/ - They document option 3 I mentioned above here. It's not great, as the logout popup asks the user if they want to login, but it does work, and allows the user to share cookies with the normal browser. Alternatively, using the code from the fork above, and hitting the logout endpoint with this https://github.com/naoufal/react-native-safari-view works too (option 2)
Thanks for staying on top of this @sattaman! It'd be great if we could add support for this, but I'm not sure what the best solution would be. Essentially, we need to hit the logout endpoint in the same browser that was used to sign in, so we either:
- use the logout functionality added to AppAuth-iOS (but it tells the user they're "signing in" even though they're signing out)
- use a custom browser for login and hit the logout endpoint outside of AppAuth-iOS
Neither option sounds ideal, really, but option 2 seems less bad? What do you think?
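The logout-endpoint call discussed above, as an added example that is not part of the thread and is not code from react-native-app-auth or AppAuth-iOS. It assumes a provider that accepts the OpenID Connect RP-Initiated Logout 1.0 parameters; the function names, endpoint, redirect URI and token values are constructed for illustration.

```javascript
// Added example. Assumption: the identity provider implements the
// OpenID Connect RP-Initiated Logout 1.0 query parameters used here.

// Build the URL to open in the same browser that was used to sign in.
function buildEndSessionUrl({ endSessionEndpoint, idToken, postLogoutRedirectUri, state }) {
  const url = new URL(endSessionEndpoint);
  if (url.protocol !== 'https:') {
    throw new Error('end-session endpoint must use https');
  }
  // This example requires both values so the provider can identify the
  // session and the app can match the redirect to its own request.
  if (!idToken || !state) {
    throw new Error('idToken and state are required');
  }
  url.searchParams.set('id_token_hint', idToken);
  url.searchParams.set('post_logout_redirect_uri', postLogoutRedirectUri);
  url.searchParams.set('state', state);
  return url.toString();
}

// Accept the post-logout redirect only if it targets the registered URI
// and echoes the state value that was sent with the logout request.
function isExpectedLogoutRedirect(receivedUrl, postLogoutRedirectUri, expectedState) {
  let received, registered;
  try {
    received = new URL(receivedUrl);
    registered = new URL(postLogoutRedirectUri);
  } catch (e) {
    return false; // unparseable input is never a valid redirect
  }
  const sameTarget =
    received.protocol === registered.protocol &&
    received.host === registered.host &&
    received.pathname === registered.pathname;
  return sameTarget && received.searchParams.get('state') === expectedState;
}

// Constructed sample values (placeholders, not from any real deployment).
const SAMPLE = {
  endSessionEndpoint: 'https://idp.example.com/connect/endsession',
  idToken: 'header.payload.signature',
  postLogoutRedirectUri: 'com.example.app:/logout',
  state: 'k3Jq0x7Zp1',
};
const logoutUrl = buildEndSessionUrl(SAMPLE);
console.log(logoutUrl);
```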
I'm guessing option 1 is probably the more accepted way of doing things (based on this comment I had upstream openid/AppAuth-iOS#209 (comment) and the example implementation I have seen on authguidance.com). We had some specific reasons which meant using SFSafariViewController was quite useful for us, although these have now disappeared and we may need to move to support single sign-on with Safari in the near future.
How are we getting on with this? I'm stuck with not being able to log out on iOS... even with a revocationEndpoint clearing all cookies for my session etc.
If you have Cognito you can try this: #68 (comment)