I'm planning to switch an app from the old OAuth flow with the SFSafariViewController to the new flow with iOS 11's SFAuthenticationSession. Logging in isn't an issue, the transfer to the new API took me a few minutes to implement. However logging out has me baffled.
How?
I can't find any mentioning of wanting to offer the option of logging out anywhere in the docs. Using the old SFSafariViewController to invalidate the cookies? Nope, they're not shared anymore with SFAuthenticationSession. As soon as I restart the authentication session the user get's logged in automatically and there's no way out. So how to enable logging out? Or am I simply overlooking something completely obvious?
Update:
I found a "way that works" in a technical sense, but it's bonkers for the user: Open a new SFAuthenticationSession on the logout page that clears the cookie. But that means when logging out the alert view asks the user again whether he'd like to log in via the service. If yes is selected ("logging in"), the cookie clearing logout page is opened, the user has to manually dismiss the view, which can be caught by the completion handler and we know we can open the login view again.. displaying the login prompt to log out? I really don't like this solution.
Any ideas? Am I still overlooking a completely obvious solution?
Update 2: As no one has any clue about this issue so far, this is probably not an easy one. I have filed a suggestion with Apple via their report tool to either clarify how to handle this or build it into the API if not available. Will post if I get an answer.
Update 3: After pondering the issue a bit more we found another possible (although also unattractive) solution if you can influence the login page of the OAuth provider: make cookies very short lived. Then the login page can be opened without automatic log in. However this kills the whole purpose of sharing login sessions between apps.. and you need to be able to influence the login page.
Update 4: Since iOS 12 SFAuthenticationSession is deprecated and got replaced by ASWebAuthenticationSession. However ASWebAuthenticationSession does not change anything in regard to logging out. It's still not possible. Same issue as before.
With ASWebAuthenticationSession, setting .prefersEphemeralWebBrowserSession to true prior to calling .start() will force the user to enter credentials in the browser session. While not the same as logging out, this will allow a new user to login with different credentials when launching the next session.
Update November 2020: We used #react-native-community/cookies to clear cookies as a workaround. See the snipped below as an example.
import CookieManager from '#react-native-community/cookies';
CookieManager.clearAll().catch(e => alert("Error deleting cookies during logout"))
Previous answer from April 2020. This may be helpful for anybody struggling with this. I've spent few hours testing different options, going through apps and looking how they do it and reading forums/discussions.
I haven't find a way to programatically clear cookies and there is no documentation on Apple on this.
Using FB as an example. Logging out from Safari and deleting FB app doesn't help. Any app which is downloaded will not ask for login to FB if you logged in once before through ASWebAuthenticationSession or SFAuthenticationSession.
If users ask how to force login (even though it's not your problem as a developer) you can point them to: Settings -> Safari -> Advanced -> Website Data -> Remove All Website Data (or just the ones for the provider).
If your use case needs switching of users (like in my case where we use Azure AD and users share 1 phone) you have 2 options. A) Open ASWebAuthenticationSession with the logout endpoint (as mentioned, this is very weird UX). B) Open Safari as a separate app (not inside yours) and do login/logout there. Unfortunately, there is no way to redirect the user to your app after logout if the OAuth provider doesn't support redirect on logout.
It sucks because this prevents developers from creating nice experiences on iOS for use cases where a business needs to share device between multiple users and OAuth is used as identity provider.
One of the “best” solutions I have come across is to open a logout page in system Safari (not an SFSafariViewController). Because ASWebAuthenticationSession shares cookies reliably with Safari, the expired/deleted cookie then also affects the app.
See this GitHub page for more details.
It depends on which cookie stores your login info;
If it is a session cookie, then it is not shared with Safari as per https://developer.apple.com/documentation/authenticationservices/aswebauthenticationsession
So, simply clear your local session, and the cookies will be cleared on the next app launch.
If not, and the cookie persists, then like Martin said above, you should open Safari (not SFSafariViewController) with your logout URL, then redirect back to your app.
Please let me know if you need more info. I have tested extensively with all 3 ways of authentication (ASWebAuthenticationSession, Safari, and SFSafariViewController).
For iOS 13.0 need to add SceneDelegate.swift for UISceneConfiguration
Also need to update appdelegate for UIScene implementation
Add UISceneSession Lifecycle
It is working fine this way SFAuthenticationSession issue resolved.
In one of our apps, we've already started using ASWebAuthenticationSession.
Our use case for this goes beyond just retrieving access and refresh tokens upon login. What I mean by this is, the same session cookie is used when opening the web app (whilst logged-in to the iOS app) in order to save the user from re-authenticating themselves again and again. Eventually, time comes when the user finally decides to log out of their account and may thereafter attempt to re-login again using a different account. Since the user's session cookie may still be alive by then, any re-login attempt only flashes the authentication screen momentarily, logging them in automatically back to their first account without giving them a chance to enter the credentials of the second account.
To really force the user to enter their credentials every time we present the authentication screen, we have to add to our Auth0 query params the prompt=login pair.
Here's what the URL would look like:
https://example.auth0.com/authorize?
client_id=abcd1234
&redirect_uri= https://example.com/callback
&scope=openid profile
&response_type=id_token
&prompt=login
You can find more info about this on this Auth0 doc: https://auth0.com/docs/authenticate/login/max-age-reauthentication
I am currently using a SFSafariViewController to log users in the uber api. SFSafariViewController does not give you access to delete the uber cookies manually after logging out.
I have read this issue : How to remove access token from uber API while logout?
My problem is the I can login and logout with a first user. I can login with a second user but it shows me the name of the previous user.
I revoke the tokens properly and than call the link https://riders.uber.com/logout.
I was wondering if there was a way for the call https://riders.uber.com/logout to clear the cookies set from the previous login attempt. If the page itself could clear the cookie while loading or if there was a query parameter I could give it to clear it.
This would allow me to use SFSafariViewController directly without doing custom WebView/Cookie management implementation.
Could it just be a bug in the logout uber page not clearing the auth/sessions cookies properly ?
You can redirect to https://login.uber.com/logout to force the logout across all uber properties.
I am currently getting an issue after an ASP.NET MVC 4 site is rebuilt that I was not getting previously.
We log in to a 3rd party site that redirects to our site with an authentication payload. A Session_Start is hit and the payload is successfully processed and a Session variable with the users details is created. We then do a RedirectToAction to send the user to another page.
On the first login after the site has been rebuilt Session_Start is hit again and a new Session is being created on the Redirect where previously it was not doing this. As our site checks for and treats an invalid session as being incorrect it sends the user back to the 3rd party site to log in again. When next they login they do not get this issue.
This looks to be happening when the site recycles as well. It only occurs for the very first user that logins to the site after its been rebuilt.
This only began happening in the last 2 weeks and I have reviewed any changes that went into the site in that time but could not find an obvious cause of the issue.
Any help would be appreciated.
I've searched around and there doesn't seem to be a non-hacky way to clear the user credentials from the browser using basic authentication.
I'm building a WebAPI with an HTML client that accepts username/password - if the user logs in, they should certainly be able to log out as well, or the system should automatically log out after a certain time period.
Is there any standard way to accomplish this with Basic Auth (over SSL), or should I start looking into other forms of authentication?
Edit: looking into the SimpleMembershipProvider, would there be anything "wrong" with extending the Membership table with an "IsLoggedIn" property that I can toggle and check with every request? If they click logout, then I redirect to the login page and return 401 Unauthorized unless they submit their credentials again. Does this sound ok?
No. Until the time the browser is closed, credentials are cached by the browser. There is no non-hacky way to clear the credentials. Check this out.
I have a web application running on Spring Webflow with Spring Security. I have a problem logging out because my app kinda remembers the last page after logging out. When I press back or directly paste the URL to the address bar it can direct the page to the login page, but if I login it will go directly to the last page I went to before logging out. It tends to remember its last state. Below is my application-config snippet.
<security:logout logout-url="/logout.do" invalidate-session="true"
logout-success-url="/logoutSuccess.do" />
Link in my page
#{label.labellogout}
The expired-url attribute
The URL a user will be redirected to if they attempt to use a session which has been "expired" by the concurrent session controller because the user has exceeded the number of allowed sessions and has logged in again elsewhere. Should be set unless exception-if-maximum-exceeded is set. If no value is supplied, an expiry message will just be written directly back to the response.
Sounds like your session is still valid after an Logout. try to make it invalid after logout.
Text is from:
Spring Doc
Not sure that I correctly understand your problem but:
B.1.1.4. session-fixation-protection
Indicates whether an existing session should be invalidated when a user authenticates and a new session started. If set to "none" no change will be made. "newSession" will create a new empty session. "migrateSession" will create a new session and copy the session attributes to the new session. Defaults to "migrateSession".
If enabled this will add a SessionFixationProtectionFilter to the stack. The session fixation protection options on namespace-created instances of AbstractProcessingFilter will also be set appropriately.
Can be read here link