Logging out #40

Closed
RaulMarquezInclan opened this issue Jun 19, 2020 · 7 comments

Comments

@RaulMarquezInclan

RaulMarquezInclan commented Jun 19, 2020

I have been trying to logout of the session using the logout endpoint.

I suppose when dealing with these flows they're all standardized no matter who the auth server provider is, right?

What's the correct way to logout?

With the auth server I'm using, Okta, it says the following:

> Note: When making requests to the /logout endpoint, the browser (user agent) should be redirected to the endpoint. You can't use AJAX with this endpoint.

I can construct the logout URL just fine, but it just sends me to a 400 error Okta page.

This is the documentation:
https://developer.okta.com/docs/reference/api/oidc/#logout

Any ideas?

Thanks.

@mvolpato

Sometimes the logout URL is different from what you expect:

```dart
  static String _baseUri = 'https://your-auth-provider.com';
  // This specific provider appends an additional path to the base URI, for logout only. ¯\_(ツ)_/¯
  static String _additionalPathLogout = '/oauth2/v1';
  static String _callbackUriScheme = 'your.callback.uri.scheme';
  static String _logoutRedirectUri = '$_callbackUriScheme:/logout';
```

then

```dart
String token = 'your-token';
// Percent-encode the redirect URI so its ':' and '/' are sent as a single query value.
String redirect = Uri.encodeQueryComponent(_logoutRedirectUri);
String url = '$_baseUri$_additionalPathLogout/logout?id_token_hint=$token&post_logout_redirect_uri=$redirect';
```

finally

```dart
// Requires: import 'package:flutter_web_auth/flutter_web_auth.dart';
await FlutterWebAuth.authenticate(url: url, callbackUrlScheme: _callbackUriScheme);
```
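
The logout request from the comment above, as an added example that is not part of the thread or of flutter_web_auth: it lets `Uri` percent-encode the query values and adds the optional `state` parameter from OpenID Connect RP-Initiated Logout, so the callback can be checked before the app discards its local tokens. The function names and sample values are assumptions that reuse the placeholders from the comment.

```dart
import 'dart:convert';
import 'dart:math';

/// Random URL-safe value that ties the logout callback to this request.
String newState() {
  final rng = Random.secure();
  final bytes = List<int>.generate(16, (_) => rng.nextInt(256));
  return base64Url.encode(bytes).replaceAll('=', '');
}

/// Builds the logout URL; Uri percent-encodes every query value.
Uri buildLogoutUri(Uri endpoint, String idToken, String redirectUri, String state) =>
    endpoint.replace(queryParameters: {
      'id_token_hint': idToken,
      'post_logout_redirect_uri': redirectUri,
      'state': state,
    });

/// Accepts the callback only if it targets the expected redirect URI
/// and echoes the state value that was sent with the request.
bool isExpectedLogoutCallback(String callbackUrl, String redirectUri, String state) {
  final cb = Uri.tryParse(callbackUrl);
  if (cb == null) return false;
  final expected = Uri.parse(redirectUri);
  return cb.scheme == expected.scheme &&
      cb.host == expected.host &&
      cb.path == expected.path &&
      cb.queryParameters['state'] == state;
}

void main() {
  // Constructed sample values (placeholders, not a real provider or token).
  const redirect = 'your.callback.uri.scheme:/logout';
  final endpoint = Uri.parse('https://your-auth-provider.com/oauth2/v1/logout');
  final state = newState();

  final url = buildLogoutUri(endpoint, 'your-token', redirect, state);
  print(url);

  // In the app, url.toString() is passed to FlutterWebAuth.authenticate and
  // the string it returns is the callback URL that gets checked here.
  print(isExpectedLogoutCallback('$redirect?state=$state', redirect, state));
  print(isExpectedLogoutCallback('$redirect?state=other', redirect, state));
}
```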

@adambolcsfoldi

Calling authenticate to log out on iOS, since the method uses ASWebAuthenticationSession, presents this system dialog that asks the user if they want to sign, which is confusing.

IMG_6851

Or am I missing something/doing something wrong?

@mvolpato

mvolpato commented Sep 2, 2020

That is true.

I do not know about ASWebAuthenticationSession. With Okta this flow is needed if you want to sign out of Okta, and not only revoke the token(s) for your app.

Maybe ASWebAuthenticationSession does not do that, and you can just revoke the token(s) and send the user to the login screen.

@adambolcsfoldi

According to my research, if you just clear the token, the session would still remember the user for the next log-in.

Best I found so far was to use the flag [prefersEphemeralWebBrowserSession](https://developer.apple.com/documentation/authenticationservices/aswebauthenticationsession/3237231-prefersephemeralwebbrowsersessio?language=objc) (iOS >= 13).
When set to true it foregoes the alert dialog above, but also the browser doesn't have your logged-in state from e.g. Facebook.
Setting it to false when logging in, and true when logging out produces the desired behaviour: App Store-review compliant alert when logging in, but not when logging out.

@mvolpato

mvolpato commented Sep 2, 2020

Just to be clear (because you mention "clearing" tokens), I meant "revoke" tokens.

For instance, for Okta, you can have a look at this page for the difference.

@adambolcsfoldi

Good point. We're using AWS Cognito, which seemingly does not have a way to revoke tokens.

We call their logout endpoint which does not invalidate any tokens, but only clears the state of their UI. This needs to happen in the same ASWebAuthenticationSession as the log-in occurred in.

@LinusU
Owner

LinusU commented Sep 7, 2021

I don't think that there is a solution available here provided what the platforms give us. I'd be very happy to reopen this if someone can find a solution that is possible using iOS/Android native APIs! 🚀

@LinusU LinusU closed this as completed Sep 7, 2021
kyu-suke pushed a commit to kyu-suke/flutter_web_auth that referenced this issue Apr 20, 2023