Login/Register
SFAuthenticationSession/ASWebAuthenticationSession and logging out
Asked Answered
iosswiftoauthsfauthenticationsession
P

6

64

I'm planning to switch an app from the old OAuth flow with the SFSafariViewController to the new flow with iOS 11's SFAuthenticationSession. Logging in isn't an issue, the transfer to the new API took me a few minutes to implement. However logging out has me baffled.

How?

I can't find any mentioning of wanting to offer the option of logging out anywhere in the docs. Using the old SFSafariViewController to invalidate the cookies? Nope, they're not shared anymore with SFAuthenticationSession. As soon as I restart the authentication session the user get's logged in automatically and there's no way out. So how to enable logging out? Or am I simply overlooking something completely obvious?

Update: I found a "way that works" in a technical sense, but it's bonkers for the user: Open a new SFAuthenticationSession on the logout page that clears the cookie. But that means when logging out the alert view asks the user again whether he'd like to log in via the service. If yes is selected ("logging in"), the cookie clearing logout page is opened, the user has to manually dismiss the view, which can be caught by the completion handler and we know we can open the login view again.. displaying the login prompt to log out? I really don't like this solution.

Any ideas? Am I still overlooking a completely obvious solution?

Update 2: As no one has any clue about this issue so far, this is probably not an easy one. I have filed a suggestion with Apple via their report tool to either clarify how to handle this or build it into the API if not available. Will post if I get an answer.

Update 3: After pondering the issue a bit more we found another possible (although also unattractive) solution if you can influence the login page of the OAuth provider: make cookies very short lived. Then the login page can be opened without automatic log in. However this kills the whole purpose of sharing login sessions between apps.. and you need to be able to influence the login page.

Update 4: Since iOS 12 SFAuthenticationSession is deprecated and got replaced by ASWebAuthenticationSession. However ASWebAuthenticationSession does not change anything in regard to logging out. It's still not possible. Same issue as before.

Predestinarian answered 9/11, 2017 at 17:17 Comment(13)
Any progress on this, I'm in the same boat. Thinking of ditching SFAuthenticationSession and just use SFSavafiViewController but that is not a great solution.Megrim
Hi @iCediCe! Sadly no :( No reply by Apple so far.. But I'm still determined to get an answer though. I'll keep this post up to date as soon as I get any information on this.Predestinarian
Thank you. This is crazy though. I'm using AppAuth for login, I'm going to fork it and force it to use SFSavafiViewController even when SFSavafiViewController is available.Megrim
I'm running into the same situation with the Google Sign-in SDK, unfortunately. They recently switched to SFAuthenticationSession.Nikkinikkie
@RiverbayChris sadly I still didn't get any feedback.. so no news for this annoying topic..Predestinarian
Logout you should be performed on the authorisation service running in the browser which then redirects to the specified URL, much like you callout for authorisation. This would require a dedicated endpoint provided by the service, of course.Choiseul
Do you guys have any updates on that? I'm also on the same page as you, not being able to remove cookies and log out without having to show another ASWebAuthenticationSessionMistaken
No updates, sorry :( A colleague will attend WWDC soon and was tasked by me to inquire about that :DPredestinarian
Any update on this??Bunde
@JanBrinker did your colleague bring anything useful from WWDC about this?Toadstool
@JanBrinker even I am getting same issue login text on logout alert popup, any solution please. Thanks in advance.Romanist
Sorry no updates here. No news after WWDC and I still don't know how to fix or circumvent this :(Predestinarian
hey guys I am currently working on this and i have an idea to solve this problem first we have to use ASWebAuthenticationSession because it really simple and share the cookies with safari browser although in our case its useless because according to @MNassar " If it is a session cookie, then it is not shared with Safari " so save it in keychain use keychain AccessGroup if you wanna handle multiple apps. then on logout delete this information and ask your server side guys to provide you an API which you can call. Then they will handle remaining (server-side) logout business logic.Brendabrendan
N
7

With ASWebAuthenticationSession, setting .prefersEphemeralWebBrowserSession to true prior to calling .start() will force the user to enter credentials in the browser session. While not the same as logging out, this will allow a new user to login with different credentials when launching the next session.

Nu answered 18/9, 2020 at 20:57 Comment(1)
Combining this with a request to the logout endpoint to invalidate session in the server side is the best solution I found at the moment.Mylander
B
6

Update November 2020: We used @react-native-community/cookies to clear cookies as a workaround. See the snipped below as an example.

import CookieManager from '@react-native-community/cookies';

CookieManager.clearAll().catch(e => alert("Error deleting cookies during logout"))

Previous answer from April 2020. This may be helpful for anybody struggling with this. I've spent few hours testing different options, going through apps and looking how they do it and reading forums/discussions.

  1. I haven't find a way to programatically clear cookies and there is no documentation on Apple on this.
  2. Using FB as an example. Logging out from Safari and deleting FB app doesn't help. Any app which is downloaded will not ask for login to FB if you logged in once before through ASWebAuthenticationSession or SFAuthenticationSession.
  3. If users ask how to force login (even though it's not your problem as a developer) you can point them to: Settings -> Safari -> Advanced -> Website Data -> Remove All Website Data (or just the ones for the provider).
  4. If your use case needs switching of users (like in my case where we use Azure AD and users share 1 phone) you have 2 options. A) Open ASWebAuthenticationSession with the logout endpoint (as mentioned, this is very weird UX). B) Open Safari as a separate app (not inside yours) and do login/logout there. Unfortunately, there is no way to redirect the user to your app after logout if the OAuth provider doesn't support redirect on logout.

It sucks because this prevents developers from creating nice experiences on iOS for use cases where a business needs to share device between multiple users and OAuth is used as identity provider.

Babb answered 26/4, 2020 at 9:6 Comment(2)
Did you get any workaround ? I am also facing same issue.Switchblade
@JaswantSinghRajpurohit unfortunately not.Babb
T
2

One of the “best” solutions I have come across is to open a logout page in system Safari (not an SFSafariViewController). Because ASWebAuthenticationSession shares cookies reliably with Safari, the expired/deleted cookie then also affects the app.

See this GitHub page for more details.

Tamica answered 4/10, 2018 at 21:36 Comment(0)
H
2

It depends on which cookie stores your login info;

If it is a session cookie, then it is not shared with Safari as per https://developer.apple.com/documentation/authenticationservices/aswebauthenticationsession

So, simply clear your local session, and the cookies will be cleared on the next app launch.

If not, and the cookie persists, then like Martin said above, you should open Safari (not SFSafariViewController) with your logout URL, then redirect back to your app.

Please let me know if you need more info. I have tested extensively with all 3 ways of authentication (ASWebAuthenticationSession, Safari, and SFSafariViewController).

Hematuria answered 23/7, 2019 at 10:43 Comment(1)
@shim, it really depends on how you stored it. In my case, I stored it in the keychain. Hence, I clear it from there.Hematuria
Y
2

In one of our apps, we've already started using ASWebAuthenticationSession.

Our use case for this goes beyond just retrieving access and refresh tokens upon login. What I mean by this is, the same session cookie is used when opening the web app (whilst logged-in to the iOS app) in order to save the user from re-authenticating themselves again and again. Eventually, time comes when the user finally decides to log out of their account and may thereafter attempt to re-login again using a different account. Since the user's session cookie may still be alive by then, any re-login attempt only flashes the authentication screen momentarily, logging them in automatically back to their first account without giving them a chance to enter the credentials of the second account.

To really force the user to enter their credentials every time we present the authentication screen, we have to add to our Auth0 query params the prompt=login pair.

Here's what the URL would look like:

https://example.auth0.com/authorize?
client_id=abcd1234
&redirect_uri= https://example.com/callback

&scope=openid profile
&response_type=id_token
&prompt=login

You can find more info about this on this Auth0 doc: https://auth0.com/docs/authenticate/login/max-age-reauthentication

Youlandayoulton answered 4/1, 2023 at 16:24 Comment(1)
Or use the OIDC logout URL and launch it with ASWeb. This would be the whole logic of logout button. In case the initial IdP needs to logout to another IdP (identity brokering), it could use the redirect_uri and use the logout URL of the other IdPAslant
S
-2

For iOS 13.0 need to add SceneDelegate.swift for UISceneConfiguration

Also need to update appdelegate for UIScene implementation

Add UISceneSession Lifecycle

It is working fine this way SFAuthenticationSession issue resolved.

Switchblade answered 9/11, 2017 at 17:17 Comment(0)

© 2022 - 2024 — McMap. All rights reserved.