I'm using Google's GTMAppAuth to prompt users to log in and authorize access to their Google account. That much is working, and API calls work as expected.
What's not working is logging out. In the GTMAppAuth code, removing authorization is handled by setting the GTMAppAuthFetcherAuthorization instance to nil, so that the app can't make API calls for the user account.
Except, when you reauthorize, Google's authorization flow does not require a password to get authorization back. It shows a list of previously used accounts and asks which one you want. If you choose on one, voila, you're in! No need for a password. I have to ask the user's permission, but what if it's a different user? They can get in to the previous user's account, and I need to prevent that. For my app this is not an unusual scenario.
So how do I really log out, so that a password would be required to reauthenticate? I'm setting my own GTMAppAuthFetcherAuthorization to nil, and I'm making sure to remove Google's keychain entries, but still no password is required.
In the end the only thing that does what I need is to load Google's "logout" page, as described in another answer. Basically, load https://www.google.com/accounts/Logout.
I had thought that the approach would be to revoke the app's OAuth tokens, but that's not actually what I need. I can revoke them, but Google will then issue another one without requiring a password (or it might be the same key-- it doesn't really matter to me if no password is required). I gather that this is based on browser cookies, but since I'm using SFSafariViewController on iOS I can't inspect the cookies. Revocation is a waste of time if tokens will be reissued like this.
Loading the logout page seems like kind of a hack but it has the useful effect of clearing out whatever browser state allows resuming access without requiring a password from the user.
On iOS this could produce an annoying UI artifact of displaying a web view when the user didn't expect one. But it's easy to prevent that by presenting the SFSafariViewController in a way that keeps the web view hidden. I did it like this, but there are other approaches.
func logout(presentingViewController:UIViewController?) -> Void {
guard let presentingViewController = presentingViewController else {
fatalError("A presenting view controller is required")
}
let logoutUrl = URL(string: "https://www.google.com/accounts/Logout")!
let logoutVC = SFSafariViewController(url: logoutUrl)
logoutVC.delegate = self
presentingViewController.addChildViewController(logoutVC)
presentingViewController.view.addSubview(logoutVC.view)
presentingViewController.view.sendSubview(toBack: logoutVC.view)
logoutVC.didMove(toParentViewController: presentingViewController)
// Remove our OAuth token
self.authorization = nil
}
The delegate assignment is important. In the delegate, I implemented this to dismiss the SFSafariViewController as soon as the logout page loads:
func safariViewController(_ controller: SFSafariViewController, didCompleteInitialLoad didLoadSuccessfully: Bool) {
controller.didMove(toParentViewController: nil)
controller.view.removeFromSuperview()
controller.removeFromParentViewController()
}
So I understand that you want the user to have to re-enter their password no matter what.
In that case a sub- optimal strategy of revoking the access tokens and disconnecting the app from given account could work. See: https://github.com/google/GTMAppAuth/issues/9 which leads you to https://developers.google.com/identity/protocols/OAuth2InstalledApp#tokenrevoke with their REST api because it's not natively supported in the library you are using.
Aside from that, a better strategy could be to consider the usage of the Cocoapods GoogleSignIn as they natively support the revoking feature. See: https://developers.google.com/identity/sign-in/ios/disconnect
Sidenote: Google's auth flow is designed that way so users can return to the app as quickly as possible, and since most people don't share their phones with others, you wouldn't really have to revoke their certificates.
Hope this helped! Good luck :)
Related
Using this page: https://developers.google.com/identity/sign-in/web/sign-in
It's really easy to add a button to a page for a client side only login with Google.
On Clicking the button, the user is presented with a screen like this:
There are 2 ux_mode for this button: "popup" and "redirect":
https://developers.google.com/identity/sign-in/web/reference
My question is about ux_mode=popup specifically, where the originating page doesn't change, and all the login flow is handled in a separate popup window.
Imagine a good app is published. It seems like an attacker could clone the app, present it to a user. The user thinking it's good app would login and the attacker would have a way to grab a valid token from the user for good app.
Now I understand that in that mode (popup), the IDP (Google) will reject anything that doesn't come from an Origin that is not part of the explicit list of redirect URIs set in the configuration of the project.
But is that the only thing that prevents this? I have read again and again that one should not rely on CORS for the security. Also I'm not sure but it seems that it can be circumvented with a little bit of crafting.
Is there another aspect of the security of this login flow I am missing?
I do not know google implementation but from OAuth 2 point of view:
1/ "The user thinking it's good app" user should check the address bar and a green lock in his browser. It is considered as a users responsibility.
2/ you registered redirect uris which are checked when client is trying to get access token. So google will reject to generate and redirect users browser to malicious app with the token.
3/ browser will reject any communication between popup window and other webpages since they are not same origin. This is called same origin policy and is considered as important security feature of a browser.
In general: app location/uri/origin/domain (as you want) is what identifys your app and security is based on that.
Hope it helped.
I'm planning to switch an app from the old OAuth flow with the SFSafariViewController to the new flow with iOS 11's SFAuthenticationSession. Logging in isn't an issue, the transfer to the new API took me a few minutes to implement. However logging out has me baffled.
How?
I can't find any mentioning of wanting to offer the option of logging out anywhere in the docs. Using the old SFSafariViewController to invalidate the cookies? Nope, they're not shared anymore with SFAuthenticationSession. As soon as I restart the authentication session the user get's logged in automatically and there's no way out. So how to enable logging out? Or am I simply overlooking something completely obvious?
Update:
I found a "way that works" in a technical sense, but it's bonkers for the user: Open a new SFAuthenticationSession on the logout page that clears the cookie. But that means when logging out the alert view asks the user again whether he'd like to log in via the service. If yes is selected ("logging in"), the cookie clearing logout page is opened, the user has to manually dismiss the view, which can be caught by the completion handler and we know we can open the login view again.. displaying the login prompt to log out? I really don't like this solution.
Any ideas? Am I still overlooking a completely obvious solution?
Update 2: As no one has any clue about this issue so far, this is probably not an easy one. I have filed a suggestion with Apple via their report tool to either clarify how to handle this or build it into the API if not available. Will post if I get an answer.
Update 3: After pondering the issue a bit more we found another possible (although also unattractive) solution if you can influence the login page of the OAuth provider: make cookies very short lived. Then the login page can be opened without automatic log in. However this kills the whole purpose of sharing login sessions between apps.. and you need to be able to influence the login page.
Update 4: Since iOS 12 SFAuthenticationSession is deprecated and got replaced by ASWebAuthenticationSession. However ASWebAuthenticationSession does not change anything in regard to logging out. It's still not possible. Same issue as before.
With ASWebAuthenticationSession, setting .prefersEphemeralWebBrowserSession to true prior to calling .start() will force the user to enter credentials in the browser session. While not the same as logging out, this will allow a new user to login with different credentials when launching the next session.
Update November 2020: We used #react-native-community/cookies to clear cookies as a workaround. See the snipped below as an example.
import CookieManager from '#react-native-community/cookies';
CookieManager.clearAll().catch(e => alert("Error deleting cookies during logout"))
Previous answer from April 2020. This may be helpful for anybody struggling with this. I've spent few hours testing different options, going through apps and looking how they do it and reading forums/discussions.
I haven't find a way to programatically clear cookies and there is no documentation on Apple on this.
Using FB as an example. Logging out from Safari and deleting FB app doesn't help. Any app which is downloaded will not ask for login to FB if you logged in once before through ASWebAuthenticationSession or SFAuthenticationSession.
If users ask how to force login (even though it's not your problem as a developer) you can point them to: Settings -> Safari -> Advanced -> Website Data -> Remove All Website Data (or just the ones for the provider).
If your use case needs switching of users (like in my case where we use Azure AD and users share 1 phone) you have 2 options. A) Open ASWebAuthenticationSession with the logout endpoint (as mentioned, this is very weird UX). B) Open Safari as a separate app (not inside yours) and do login/logout there. Unfortunately, there is no way to redirect the user to your app after logout if the OAuth provider doesn't support redirect on logout.
It sucks because this prevents developers from creating nice experiences on iOS for use cases where a business needs to share device between multiple users and OAuth is used as identity provider.
One of the “best” solutions I have come across is to open a logout page in system Safari (not an SFSafariViewController). Because ASWebAuthenticationSession shares cookies reliably with Safari, the expired/deleted cookie then also affects the app.
See this GitHub page for more details.
It depends on which cookie stores your login info;
If it is a session cookie, then it is not shared with Safari as per https://developer.apple.com/documentation/authenticationservices/aswebauthenticationsession
So, simply clear your local session, and the cookies will be cleared on the next app launch.
If not, and the cookie persists, then like Martin said above, you should open Safari (not SFSafariViewController) with your logout URL, then redirect back to your app.
Please let me know if you need more info. I have tested extensively with all 3 ways of authentication (ASWebAuthenticationSession, Safari, and SFSafariViewController).
For iOS 13.0 need to add SceneDelegate.swift for UISceneConfiguration
Also need to update appdelegate for UIScene implementation
Add UISceneSession Lifecycle
It is working fine this way SFAuthenticationSession issue resolved.
In one of our apps, we've already started using ASWebAuthenticationSession.
Our use case for this goes beyond just retrieving access and refresh tokens upon login. What I mean by this is, the same session cookie is used when opening the web app (whilst logged-in to the iOS app) in order to save the user from re-authenticating themselves again and again. Eventually, time comes when the user finally decides to log out of their account and may thereafter attempt to re-login again using a different account. Since the user's session cookie may still be alive by then, any re-login attempt only flashes the authentication screen momentarily, logging them in automatically back to their first account without giving them a chance to enter the credentials of the second account.
To really force the user to enter their credentials every time we present the authentication screen, we have to add to our Auth0 query params the prompt=login pair.
Here's what the URL would look like:
https://example.auth0.com/authorize?
client_id=abcd1234
&redirect_uri= https://example.com/callback
&scope=openid profile
&response_type=id_token
&prompt=login
You can find more info about this on this Auth0 doc: https://auth0.com/docs/authenticate/login/max-age-reauthentication
So here is my problem. I log in to my application, then log out of my application, but when I try to log in again, I get the screen in the link below.
Login Screen
As you can see, I don't get the opportunity to login with another user, which is what is intended.
What I tried to do was logout and then clear all the cookies in the logout using these following methods:
#IBAction func logout(sender: AnyObject) {
//Logged out here
let loginManager = FBSDKLoginManager()
loginManager.logOut()
//This is one method I tried
let appDomain = NSBundle.mainBundle().bundleIdentifier!
NSUserDefaults.standardUserDefaults().removePersistentDomainForName(appDomain)
//This is another method I tried
for key in NSUserDefaults.standardUserDefaults().dictionaryRepresentation().keys {
NSUserDefaults.standardUserDefaults().removeObjectForKey(key)
}
//And this is the last method I tried
var cookie: NSHTTPCookie
var storage: NSHTTPCookieStorage = NSHTTPCookieStorage.sharedHTTPCookieStorage()
for cookie in storage.cookies! {
var domainName: String = cookie.domain
var domainRange: Range = domainName.rangeOfString("facebook")
if domainRange.length > 0 {
storage.deleteCookie(cookie)
}
}
}
None of these seemed to solve my problem. The app is in "Development" mode in the Facebook Dev account so it might have something to do with this, but not totally sure. Does someone have any experience with this and know the solution to our problem, as shown in the image above.
The whole goal of Facebook login is to allow quick, seamless login into your Facebook account without having to re-enter credentials.
To achieve this, the Facebook SDK tries to leverage credentials that are already stored on the device, which may include:
login information from the Facebook app
cookies related to Facebook login in Safari (directly or via the SFSafariViewController)
system Facebook accounts
When you logout, you actually only have the Facebook SDK forget the credentials within the app (it clears the token). When you login again, it acts like the first time you did, and if it finds an existing user, it will use that (the Facebook SDK makes the — usually valid — assumption that there is a single person using the device, and they have a single Facebook account).
The current "favorite" path for the Facebook SDK (though that varies with SDK versions, iOS versions, and possibly other parameters) is SFSafariViewController, which shares cookies with Safari, not with your app.
If you want the user to completely log out on the device, they would then have to use the log out link within Facebook in Safari (or an SFSafariViewController).
If you want to do so programatically, you may open the following URL in Safari or an SFSafariViewController:
https://www.facebook.com/logout.php?next=[YourAppURL]&access_token=[ValidAccessToken]
You'll have to use a custom URL scheme to return to your app/exit the SFSafariViewController, though.
If you, as a user, want to see permissions request from Facebook again, you should remove the app from user's profile on Facebook.
When you are at settings screen, find your app and hit the cross button
I'm developing an internal app that will leverage our corporate Google Drive accounts and will be used on shared devices (iPads shared among teachers and students at school sites).
Is there a way to force GIDSignIn to require a password with each sign-in attempt? Right now, even after calling GIDSIgnIn.sharedInstance().signOut() (or GIDSignIn.sharedInstacne().disconnect()) the user doesn't need to enter their password the next time they access the app. That means, when the device is taken by the next user, they could very easily access the other user's account.
Am I missing something? Do I need to somehow clear the cookies store in the UIWebView that the GIDSignIn process uses?
Where available, the GIDSignIn login process uses a SFSafariViewController, not a UIWebView. It leverages the cookies (as well as passwords) stored in Safari, for a quicker login.
I don't think you would be able to clear such cookies. You should be able to force a Google log out, though, by opening https://www.google.com/accounts/Logout in an SFSafariViewController, though the interaction with the rest of your app may be a bit weird. See Logout link with return URL (OAuth) for a way to provide a return URL which you may try to use to control the process (you'll need to use an URL scheme to return, though).
Note that iOS may prompt to save login information, and then provide said login information to subsequent users. You'll need to disable that in Settings -> Safari -> AutoFill
There may be other ways of achieving it via configuration of the device, but iOS is not really designed for multiple users at the moment.
There are two Parse methods for reauthorizing a Facebook User (to gain additional permissions) in Parse (for iOS):
reauthorizeUser:withPublishPermissions:audience:block:
reauthorizeUser:withPublishPermissions:audience:target:selector:
Unfortunately, both of these methods are for publishPermissions. I am confused, because it seems that there is no way to add additional read permissions (i.e. Extended Profile Permissions) after the initial login.
Facebook advises that, when doing a general login (i.e. on app opening), you only ask for basic permissions, and then ask for extended permissions as needed, so as not to scare off the user.
So with Parse and Facebook for iOS, does this now mean that we need to ask for every single read permission that we may possibly need at initial login?
Overall it seems that the Parse documentation and framework seems to be lacking a lot of the Facebook instructions for login in various scenarios. We are directed to view the Facebook SDK, but everything there seems to apply to FBSession, and it is not clear which methods are replaced by Parse and which are needed in addition to Parse.
I, for example, have an app where the user can login to Parse via FB on app launch, but does not have to. If they do login, they are asked for only the basic permissions, as advised by FB. Then, should the user try to perform certain actions, they are asked for the permissions for that particular action. I have additional read permissions that need to be granted for the extended profile, as well as publish_actions.
Can anyone give me some direction in this case, or point me too a really thorough, up-to-date, example? The Parse FB Scrumptious example code looked promising to me at first, but it is severely outdated.
Thanks!
Apparently there are more than one way to do it. The easiest one I found using Parse for Android was like this:
Collection<String> publishPermissions = Arrays.asList("publish_actions");
ParseFacebookUtils.linkWithPublishPermissionsInBackground(user, myActivityOrFragment, publishPermissions, new SaveCallback() {...});
Which means that after logging in, you should call linkWithPublishPermissionsInBackground with your user reference and the new permission list. It will open a new Facebook window asking for that permission and link the result to your user.
This code I tested and it works. But seems that Parse is not that smart, some things it does automatically and some it does not. So after that you need to call something like:
ParseFacebookUtilities.linkInBackground(ParseUser, AccessToken)
To actually save it to the user on the server, otherwise, it would work only while the App is running.