CredentialsManager function to clear and revoke the refresh token

App/Assets.xcassets/AppIcon.appiconset/Contents.json

@@ -39,6 +39,11 @@
       "idiom" : "iphone",
       "size" : "60x60",
       "scale" : "3x"
+    },
+    {
+      "idiom" : "ios-marketing",
+      "size" : "1024x1024",
+      "scale" : "1x"
     }
   ],
   "info" : {

App/Base.lproj/Main.storyboard

@@ -1,10 +1,9 @@
 <?xml version="1.0" encoding="UTF-8"?>
-<document type="com.apple.InterfaceBuilder3.CocoaTouch.Storyboard.XIB" version="3.0" toolsVersion="11542" systemVersion="16B2555" targetRuntime="iOS.CocoaTouch" propertyAccessControl="none" useAutolayout="YES" useTraitCollections="YES" colorMatched="YES" initialViewController="BYZ-38-t0r">
-    <device id="retina4_7" orientation="portrait">
-        <adaptation id="fullscreen"/>
-    </device>
+<document type="com.apple.InterfaceBuilder3.CocoaTouch.Storyboard.XIB" version="3.0" toolsVersion="14868" targetRuntime="iOS.CocoaTouch" propertyAccessControl="none" useAutolayout="YES" useTraitCollections="YES" colorMatched="YES" initialViewController="BYZ-38-t0r">
+    <device id="retina4_7" orientation="portrait" appearance="light"/>
     <dependencies>
-        <plugIn identifier="com.apple.InterfaceBuilder.IBCocoaTouchPlugin" version="11524"/>
+        <deployment identifier="iOS"/>
+        <plugIn identifier="com.apple.InterfaceBuilder.IBCocoaTouchPlugin" version="14824"/>
         <capability name="documents saved in the Xcode 8 format" minToolsVersion="8.0"/>
     </dependencies>
     <scenes>
@@ -99,6 +98,7 @@
                 </viewController>
                 <placeholder placeholderIdentifier="IBFirstResponder" id="dkx-z0-nzr" sceneMemberID="firstResponder"/>
             </objects>
+            <point key="canvasLocation" x="138" y="132"/>
         </scene>
     </scenes>
 </document>

Auth0/CredentialsManager.swift

@@ -84,10 +84,37 @@ public struct CredentialsManager {
     /// Clear credentials stored in keychain
     ///
     /// - Returns: if credentials were removed
+    @available(*, deprecated, message: "use clearAndRevokeToken(callback) instead")
     public func clear() -> Bool {
         return self.storage.deleteEntry(forKey: storeKey)
     }
 
+    /// Revokes the refresh token and, if successful, the credentials are cleared. Otherwise,
+    /// the credentials are not cleared and an error is raised through the callback.
+    ///
+    /// - Parameter callback: callback with an error if the refresh token could not be revoked
+    public func clearAndRevokeToken(_ callback: @escaping (CredentialsManagerError?) -> Void) {
+        guard
+            let data = self.storage.data(forKey: self.storeKey),
+            let credentials = NSKeyedUnarchiver.unarchiveObject(with: data) as? Credentials,
+            let refreshToken = credentials.refreshToken else {
+                self.storage.deleteEntry(forKey: self.storeKey)
+                return callback(nil)
+        }
+
+        self.authentication
+            .revoke(refreshToken: refreshToken)
+            .start { result in
+                switch result {
+                case .failure(let error):
+                    callback(CredentialsManagerError.revokeFailed(error))
+                default:
+                    self.storage.deleteEntry(forKey: self.storeKey)
+                    callback(nil)
+                }
+            }
+    }
+
     /// Checks if a non-expired set of credentials are stored
     ///
     /// - Returns: if there are valid and non-expired credentials stored

Auth0/CredentialsManagerError.swift

@@ -27,4 +27,5 @@ public enum CredentialsManagerError: Error {
     case noRefreshToken
     case failedRefresh(Error)
     case touchFailed(Error)
+    case revokeFailed(Error)
 }

Auth0Tests/CredentialsManagerSpec.swift

@@ -73,6 +73,64 @@ class CredentialsManagerSpec: QuickSpec {
             }
         }
 
+        describe("clearing and revoking refresh token") {
+
+            beforeEach {
+                _ = credentialsManager.store(credentials: credentials)
+
+                stub(condition: isRevokeToken(Domain) && hasAtLeast(["refresh_token": RefreshToken])) { _ in return revokeTokenResponse() }.name = "revoke success"
+            }
+
+            afterEach {
+                _ = credentialsManager.clear()
+            }
+
+            it("should clear credentials and revoke the refresh token") {
+                credentialsManager.clearAndRevokeToken {
+                    expect($0).to(beNil())
+                    expect(credentialsManager.hasValid()).to(beFalse())
+                }
+            }
+
+            it("should not return an error if there were no credentials stored") {
+                _ = credentialsManager.clear()
+
+                credentialsManager.clearAndRevokeToken {
+                    expect($0).to(beNil())
+                    expect(credentialsManager.hasValid()).to(beFalse())
+                }
+            }
+
+            it("should not return an error if there is no refresh token") {
+                let credentials = Credentials(
+                    accessToken: AccessToken,
+                    idToken: IdToken,
+                    expiresIn: Date(timeIntervalSinceNow: ExpiresIn)
+                    )
+
+                _ = credentialsManager.store(credentials: credentials)
+
+                credentialsManager.clearAndRevokeToken {
+                    expect($0).to(beNil())
+                    expect(credentialsManager.hasValid()).to(beFalse())
+                }
+            }
+
+            it("should return the failure if the token could not be revoked, and not clear credentials") {
+                stub(condition: isRevokeToken(Domain) && hasAtLeast(["token": RefreshToken])) { _ in
+                    return authFailure(code: "400", description: "Revoke failed")
+                }
+
+                credentialsManager.clearAndRevokeToken {
+                    expect($0).to(matchError(
+                        CredentialsManagerError.revokeFailed(AuthenticationError(string: "Revoke failed", statusCode: 400))
+                    ))
+
+                    expect(credentialsManager.hasValid()).to(beTrue())
+                }
+            }
+        }
+
         describe("multi instances of credentials manager") {
 
             var secondaryCredentialsManager: CredentialsManager!

README.md

@@ -214,6 +214,20 @@ credentialsManager.credentials { error, credentials in
 }
 ```
 
+#### Clearing credentials
+
+Credentials can be cleared by using the `clearAndRevokeToken` function. This function will attempt to revoke any associated refresh token that has been stored, before clearing the credentials from memory:
+
+```swift
+credentialsManager.clearAndRevokeToken { error in
+    guard error == nil else {
+        return print("Failed to clear credentials")
+    }
+
+    print("Credentials cleared")
+}
+```
+
 #### Biometric authentication
 
 You can enable an additional level of user authentication before retrieving credentials using the biometric authentication supported by your device e.g. Face ID or Touch ID.