How can I sign out a user completely? #47
Comments
AFAIK, programmatic token revocation is not part of the spec... though a specification is proposed: https://tools.ietf.org/html/rfc7009 Since AppAuth-iOS doesn't provide any form of token persistence, presumably you are managing your own tokens. Simply forget the old tokens. If your particular OAuth Operating Party supports token revocation, and you'd like to revoke the user's tokens during a sign-out, then you'll have to make whatever non-standard RPC call is required on your own. DISCLAIMER: Everything I've said may be completely wrong ;) Will let William reply. But I think that's about right? Maybe?
Forgetting the tokens is not enough, because the cookies in the browser still remain.
```objc
OIDServiceConfiguration *configuration =
    [[OIDServiceConfiguration alloc]
        initWithAuthorizationEndpoint:endSessionEndpoint
                        tokenEndpoint:tokenEndpoint];
```
@nubbel and for anyone visiting this issue: keep in mind, any requests made via AppAuth won't modify the browser's cookie jar. The issue here is an OP-specific issue. It just so happens that the browser's session is affected indirectly via whatever endpoint you're calling... (the server has invalidated whatever session the browser's cookies are referencing, for example.) In this case, I'd encourage you to make whatever request you need to make to their "end_session_endpoint" on your own, without abusing the authorizationEndpoint parameter, since this solution may break your application moving forward if the OP or AppAuth were to make changes which happened to stop this from working. Also, it seems like (and I could be totally wrong here since I know nothing about your OP) that this solution will always sign out the user in the browser during authorization. This could present a number of problems, but, notably: it kills one of the most compelling reasons a user uses federated auth in the first place; it's easy and prevents them from having to constantly enter usernames and passwords. Not to mention, just launching the flow (say the user doesn't complete it) has resulted in the user getting signed out of the OP... which they probably didn't expect if they are using the OP in their browser. Just my $0.02. But I'm glad you've found a solution (or, at least are aware of what the exact problem is.)
Hi Everyone, Do you know if there is any "end_session_endpoint" for Google's OAuth? I know it is possible to sign out a user completely using "Google Sign-In for iOS" library: https://goo.gl/XVQvdv Thanks,
Doesn't https://tools.ietf.org/html/rfc7009#section-2.1 describe token revocation? If I understood correctly, the JS version implements it:
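The RFC 7009 revocation call that the comments above say you have to make yourself, as an added Swift example (not code from this thread or from AppAuth-iOS). The endpoint URL, client ID and function names are placeholders, and sending `client_id` for a public client is an assumption to check against your provider; as noted above, revoking tokens does not clear the browser's cookies.

```swift
import Foundation

/// Percent-encodes one value for an application/x-www-form-urlencoded body.
func formEncode(_ value: String) -> String {
    let unreserved = CharacterSet(charactersIn:
        "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789-._~")
    return value.addingPercentEncoding(withAllowedCharacters: unreserved) ?? ""
}

/// Builds the POST described in RFC 7009 section 2.1.
func makeRevocationRequest(endpoint: URL, token: String,
                           tokenTypeHint: String?, clientID: String?) -> URLRequest {
    var fields: [(String, String)] = [("token", token)]
    if let hint = tokenTypeHint { fields.append(("token_type_hint", hint)) }
    // Assumption: a public client with no secret identifies itself by client_id.
    if let clientID = clientID { fields.append(("client_id", clientID)) }
    let body = fields.map { "\($0.0)=\(formEncode($0.1))" }.joined(separator: "&")

    var request = URLRequest(url: endpoint)
    request.httpMethod = "POST"
    request.setValue("application/x-www-form-urlencoded",
                     forHTTPHeaderField: "Content-Type")
    request.httpBody = Data(body.utf8)
    return request
}

/// Sends the request. RFC 7009 section 2.2: the server answers 200 both for a
/// revoked token and for a token it did not recognise.
func revoke(_ request: URLRequest, completion: @escaping (Bool) -> Void) {
    URLSession.shared.dataTask(with: request) { _, response, error in
        let status = (response as? HTTPURLResponse)?.statusCode
        completion(error == nil && status == 200)
    }.resume()
}

/// Sign-out step: revoke the refresh token, then drop local state either way.
func signOut(refreshToken: String, forgetLocalTokens: @escaping () -> Void) {
    let request = makeRevocationRequest(
        endpoint: URL(string: "https://op.example.com/oauth2/revoke")!, // placeholder
        token: refreshToken,
        tokenTypeHint: "refresh_token",
        clientID: "example-client-id")                                  // placeholder
    revoke(request) { revoked in
        if !revoked { print("revocation failed; token may still be valid at the OP") }
        forgetLocalTokens() // app-specific: clear whatever storage holds the tokens
    }
}
```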
For those who use Identity server 3-4 and want to log out, in Swift. On the server side we have connect/endsession, basically the same process as login....
Is there any news? Thanks in advance.
Hi, we are using Keycloak in our app. Authentication is happening properly, but when we try a second time it does not show the login page in Safari; instead it takes the last user's data without typing and provides a result. Any idea how to clear a session?
Hi everyone, Here is my complete code.
Does anyone have a better solution?
@tiwariammit try to create And call something like this:
@starssoftit I solved my problem.
Hello,
Hi Everyone,
The use case is that a user wants to log in with another account, and I have to log out the current user. How can I do it with the lib?
Thanks.