How can I sign out a user completely? #47

Closed
dongmai opened this issue Sep 15, 2016 · 12 comments

@dongmai

dongmai commented Sep 15, 2016

Hi Everyone,

The use case is that a user wants to log in with another account, and I have to log out the current user. How can I do it with the lib?

Thanks.

@StevenEWright
Collaborator

AFAIK, programmatic token revocation is not part of the spec... though a specification is proposed: https://tools.ietf.org/html/rfc7009

Since AppAuth-iOS doesn't provide any form of token persistence, presumably you are managing your own tokens. Simply forget the old tokens.

If your particular OAuth Operating Party supports token revocation, and you'd like to revoke the user's tokens during a sign-out, then you'll have to make whatever non-standard RPC call is required on your own.

DISCLAIMER: Everything I've said may be completely wrong ;) Will let William reply. But I think that's about right? Maybe?

@nubbel
Contributor

nubbel commented Sep 16, 2016

Forgetting the tokens is not enough, because the cookies in the browser still remain.
Our identity provider (Keycloak) offers an end_session_endpoint. We managed to perform a proper logout in our app by abusing the authorizationEndpoint parameter:

```objc
// Point the "authorization endpoint" at Keycloak's end_session_endpoint so that
// the normal authorization flow drives the browser through the logout page.
OIDServiceConfiguration *configuration =
    [[OIDServiceConfiguration alloc]
        initWithAuthorizationEndpoint:endSessionEndpoint
                        tokenEndpoint:tokenEndpoint];
```

@StevenEWright
Collaborator

@nubbel, and for anyone visiting this issue: keep in mind that any requests made via AppAuth won't modify the browser's cookie jar. The issue here is an OP-specific issue. It just so happens that the browser's session is affected indirectly via whatever endpoint you're calling... (the server has invalidated whatever session the browser's cookies are referencing, for example.)

In this case, I'd encourage you to make whatever request you need to make to their "end_session_endpoint" on your own, without abusing the authorizationEndpoint parameter since this solution may break your application moving forward if the OP or AppAuth were to make changes which happened to stop this from working.

Also, it seems like (and I could be totally wrong here since I know nothing about your OP) this solution will always sign out the user in the browser during authorization. This could present a number of problems, but notably, it kills one of the most compelling reasons a user uses federated auth in the first place: it's easy and prevents them from having to constantly enter usernames and passwords. Not to mention, just launching the flow (say the user doesn't complete it) has resulted in the user getting signed out of the OP... which they probably didn't expect if they are using the OP in their browser.

Just my $0.02. But I'm glad you've found a solution (or, at least are aware of what the exact problem is.)

@gkopel

gkopel commented Jan 13, 2017

Hi Everyone,

Do you know if there is any "end_session_endpoint" for Google's OAuth?
I haven't found it in their openid configuration: https://accounts.google.com/.well-known/openid-configuration and anywhere else so far.

I know it is possible to sign out a user completely using "Google Sign-In for iOS" library: https://goo.gl/XVQvdv
I just wonder if we can use any workaround to get the same effect using AppAuth library.

Thanks,
Greg.

@atkit

atkit commented Apr 16, 2018

https://tools.ietf.org/html/rfc7009#section-2.1: doesn't it describe token revocation?

If I understood correctly, the JS version implements it:
openid/AppAuth-JS#19

@ugenlik

ugenlik commented Jul 2, 2018

For those who use Identity Server 3/4 and want to log out, in Swift. On the server side we have connect/endsession, basically the same process as login....

```swift
// Build a "configuration" whose authorization endpoint is actually the
// IdentityServer end-session endpoint, so the normal authorization flow
// drives the browser to the logout page.
let endSessionUrl = issuer.appendingPathComponent("connect/endsession")

let config = OIDServiceConfiguration(authorizationEndpoint: endSessionUrl,
                                     tokenEndpoint: endSessionUrl)

let request = OIDAuthorizationRequest(configuration: config,
                                      clientId: clientID,
                                      clientSecret: secret,
                                      scope: "openid offline_access",
                                      redirectURL: redirectURI,
                                      responseType: OIDResponseTypeCode,
                                      state: nil,
                                      codeVerifier: nil,
                                      codeChallenge: nil,
                                      codeChallengeMethod: nil,
                                      additionalParameters: nil)

// Then present it. The returned session must be kept in a strong reference
// (currentAuthorizationFlow is an assumed property, e.g. on the AppDelegate);
// if it is dropped, the completion block never runs.
currentAuthorizationFlow = OIDAuthState.authState(byPresenting: request,
                                                  presenting: viewController) { authState, error in
    if let error = error {
        print("Logout flow failed: \(error.localizedDescription)")
        return
    }
    // The browser session has been ended; now discard the locally stored tokens.
    print("Logout flow completed, authState: \(String(describing: authState))")
}
```

@razan1994alali

> Hi Everyone,
>
> Do you know if there is any "end_session_endpoint" for Google's OAuth?
> I haven't found it in their openid configuration: https://accounts.google.com/.well-known/openid-configuration and anywhere else so far.
>
> I know it is possible to sign out a user completely using "Google Sign-In for iOS" library: https://goo.gl/XVQvdv
> I just wonder if we can use any workaround to get the same effect using AppAuth library.
>
> Thanks,
> Greg.

Is there any news? Thanks in advance.

@kishore94

Hi, we are using Keycloak in our app. Authentication is happening properly, but when we try a second time it is not showing the login page in Safari; instead it is taking the last user's data without typing and providing a result. Any idea how to clear a session?

@tiwari1amrit

tiwari1amrit commented Apr 18, 2023

Hi everyone,
I am successfully able to log out, but the issue is that I didn't get a response from
`OIDAuthorizationService.present(request, externalUserAgent: agent!) {response, error in`
This method's completion didn't trigger when the flow completed, so I can't track completion.

Here is my complete code.

```swift
let authEndpoint = URL(string: Urls.Hydra.authEndpoint())!
let tokenEndpoint = URL(string: Urls.Hydra.tokenEndpoint())!
let redirectURL = URL(string: Urls.Hydra.redirectCallbackURL())!

let logoutEndpointString = Urls.Hydra.logout() + "/?redirect_uri=" + Urls.Hydra.redirectCallbackURL()

let logoutEndpoint = URL(string: logoutEndpointString)!

let configuration = OIDServiceConfiguration(authorizationEndpoint: authEndpoint,
                                            tokenEndpoint: tokenEndpoint,
                                            issuer: nil,
                                            registrationEndpoint: logoutEndpoint,
                                            endSessionEndpoint: logoutEndpoint)

// The end-session request needs the id_token obtained at login as a hint.
guard let idToken = hydraAuthStateModel.idToken else {
    return
}

let request = OIDEndSessionRequest(configuration: configuration,
                                   idTokenHint: idToken,
                                   postLogoutRedirectURL: redirectURL,
                                   state: hydraAuthStateModel.state!,
                                   additionalParameters: nil)

let agent = OIDExternalUserAgentIOS(presenting: viewController)

// Note: the OIDExternalUserAgentSession returned by present() is not kept anywhere here.
OIDAuthorizationService.present(request,
                                externalUserAgent: agent!) { response, error in

    if let error = error {
        print("Authorization error: \(error.localizedDescription)")
        return
    }

    guard let response = response else {
        print("Authorization response is nil.")
        return
    }

    print("Authorization response: \(response)")

    success?()
}
```

Does anyone have a better solution?

@starssoftit

@tiwariammit try to create

```swift
var currentLogoutFlow: OIDExternalUserAgentSession?
```

in the AppDelegate or maybe a singleton.

And call something like this:

```swift
guard let appDelegate = UIApplication.shared.delegate as? AppDelegate else { return }
appDelegate.currentLogoutFlow = OIDAuthorizationService.present(request, externalUserAgent: agent) { response, error in
    if response != nil {
        completion(nil)
    } else {
        completion(error?.localizedDescription ?? "Error to logout from Salto")
    }
}
```

@tiwari1amrit

@starssoftit I solved my problem.
It was actually a reference issue.

@tarasChernysh

Hello,
can we log out a user without presenting a new controller?
Something like this: tap on a button and log out without any redirection.
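
As an added example (not code from this thread or from the AppAuth project), the following pulls the thread's pieces together into one sign-out: the discovered end_session_endpoint via OIDEndSessionRequest instead of the authorizationEndpoint workaround, the retained session that fixes the missing-callback problem, and RFC 7009 revocation before local tokens are forgotten. SignOutCoordinator, forgetLocalTokens and the argument names are assumptions; the AppAuth calls are the library's public API, and the revocation endpoint is read from the raw discovery dictionary.

```swift
import AppAuth
import UIKit

final class SignOutCoordinator {
    // Keep the session returned by present() alive until its callback fires;
    // dropping it is the "reference issue" that silences the callback.
    private var currentFlow: OIDExternalUserAgentSession?
    // App-supplied hook (assumed): delete the persisted OIDAuthState; AppAuth stores nothing.
    var forgetLocalTokens: () -> Void = {}

    func signOut(issuer: URL, authState: OIDAuthState, clientID: String,
                 postLogoutRedirectURL: URL, presenting vc: UIViewController,
                 completion: @escaping (Error?) -> Void) {
        OIDAuthorizationService.discoverConfiguration(forIssuer: issuer) { [weak self] config, error in
            guard let self = self, let config = config else { return completion(error) }
            // No end_session_endpoint (Google, for instance) or no id_token: the browser
            // session cannot be ended from here, so only revoke and clean up locally.
            guard config.endSessionEndpoint != nil,
                  let idToken = authState.lastTokenResponse?.idToken,
                  let agent = OIDExternalUserAgentIOS(presenting: vc) else {
                return self.revokeAndForget(authState, config, clientID, completion)
            }
            let request = OIDEndSessionRequest(configuration: config, idTokenHint: idToken,
                                               postLogoutRedirectURL: postLogoutRedirectURL,
                                               additionalParameters: nil)
            self.currentFlow = OIDAuthorizationService.present(request, externalUserAgent: agent) { _, error in
                self.currentFlow = nil
                if let error = error { return completion(error) }
                self.revokeAndForget(authState, config, clientID, completion)
            }
        }
    }

    // RFC 7009 revocation of the refresh token, posted directly with URLSession.
    // Local tokens are forgotten first, so a failed revocation never leaves the app "signed in".
    private func revokeAndForget(_ authState: OIDAuthState, _ config: OIDServiceConfiguration,
                                 _ clientID: String, _ completion: @escaping (Error?) -> Void) {
        let refreshToken = authState.refreshToken
        forgetLocalTokens()
        guard let token = refreshToken,
              let endpoint = config.discoveryDocument?.discoveryDictionary["revocation_endpoint"] as? String,
              let url = URL(string: endpoint) else { return completion(nil) }
        var req = URLRequest(url: url)
        req.httpMethod = "POST"
        req.setValue("application/x-www-form-urlencoded", forHTTPHeaderField: "Content-Type")
        let form = ["token": token, "token_type_hint": "refresh_token", "client_id": clientID]
        req.httpBody = form.map { "\($0.key)=\($0.value.addingPercentEncoding(withAllowedCharacters: .alphanumerics) ?? "")" }
            .joined(separator: "&").data(using: .utf8)
        URLSession.shared.dataTask(with: req) { _, _, error in completion(error) }.resume()
    }
}
```

Ending the OP's browser session still requires presenting the external user agent, so a logout with no redirection at all can only clear the app's own tokens and revoke them server-side.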

13 participants