Implement OIDC RP-Initiated Logout

[WilliamDenniss]

http://openid.net/specs/openid-connect-session-1_0.html#RPLogout

Implements #132. Fixes #258.

[codecov-io]

Codecov Report

Merging #259 into master will decrease coverage by 1.67%.
The diff coverage is 44.66%.

@@            Coverage Diff             @@
##           master     #259      +/-   ##
==========================================
- Coverage   73.93%   72.25%   -1.68%     
==========================================
  Files          58       63       +5     
  Lines        5102     5374     +272     
==========================================
+ Hits         3772     3883     +111     
- Misses       1330     1491     +161

Impacted Files	Coverage Δ
Source/OIDAuthorizationService.h	0% <ø> (ø)	⬆️
Source/OIDEndSessionResponse.m	0% <0%> (ø)
Source/OIDEndSessionResponse.h	0% <0%> (ø)
Source/OIDEndSessionRequest.h	100% <100%> (ø)
Source/OIDServiceConfiguration.h	100% <100%> (ø)	⬆️
Source/OIDServiceDiscovery.m	93.5% <100%> (-0.13%)	⬇️
UnitTests/OIDEndSessionRequestTests.m	100% <100%> (ø)
UnitTests/OIDServiceDiscoveryTests.m	84.61% <100%> (-0.34%)	⬇️
Source/OIDAuthorizationService.m	53.86% <12.08%> (-8.7%)	⬇️
Source/OIDServiceConfiguration.m	72.89% <50%> (-5.52%)	⬇️
... and 9 more

---

Continue to review full report at Codecov.

Legend - Click here to learn more
Δ = absolute <relative> (impact), ø = not affected, ? = missing data
Powered by Codecov. Last update 28fc6c6...ea5ad45. Read the comment docs.

[StevenEWright]

LGTM! Awesome!

[julienbodet]

Typo matchesRedirectionURL

[julienbodet]

[redirectionURL standardizedURL]

[julienbodet]

Typo redirectionURL

[julienbodet]

I know this is not directly related to this PR, but I wonder if this error type should be renamed to something like OIDErrorCodeBrowserOpenError or OIDErrorCodeExternalUserAgentOpenError since AppAuth now supports other browsers? The description is also mentioning Safari.

[Amnell]

I've been looking for a nice way to handle logout and this PR looks great. I've tested it in my project and it works great, except that the completion is not called. I've had a look at the code and it looks like shouldHandleURL: returns false as it compares the callbackURL from SFAuthenticationSession with _request.endSessionRequestURL. My callbackURL from SFAuthenticationSession is my custom url scheme for my app.

I'm not fluent in the openid spec, but is this really expected behaviour?

@WilliamDenniss @julienbodet

[dilee]

Hi @Amnell
Do you have any sample code where you've used this improvement? I couldn't find a way to persist the session to avoid clearing session cookies when the app is closed and cleared from memory.

@WilliamDenniss @julienbodet

[danipralea]

Hello @WilliamDenniss @julienbodet I am having the same issues as @dilee . I am unable to remove the cookies so that at the next login the login is a fresh one. It automatically logs in with the previous user instead.

@Amnell would you be kind enough to share what you have working? Thanks.

[omgitstom]

Hey @WilliamDenniss - curious if you had any status/timeline for this. Okta is getting a few requests a week for this functionality in https://github.com/okta/okta-sdk-appauth-ios

We are trying to figure out if we can rely on this functionality in this library or if we need to circumvent and built it ourselves.

Thanks for any updates!

[WilliamDenniss]

Hey @omgitstom, do you mean the timeline of when it gets merged into master?

The main thing I was waiting for was confirmation that it actually works as I don't have a test server with an end-session endpoint myself. Looks like there's at least one bug which should be fixed by #285, but other than that it might be ready.

Have you tried out this branch with Okta's end session endpoint? Does it work? Is there a public test instance I can try?

I would encourage everyone who has tried this code against their own end session endpoints to post their results. If the code is demonstrated to work in an interoperable way, I'll get it merged.

[mattio]

I've been using this in our Identity Server internal test environment along with @AndrewMcDrew's tweak in #285, my tweak in #312, and iOS 12 support from that branch added manually. So far it's been working as expected for me.

[WilliamDenniss]

@mattio, thanks for reporting back your results! I don't have any need for Logout myself, so I'm relying on y'all to test & validate the implementation here.

Based on your comments, I merged those 2 PRs. I also rebased our dev branch onto master, for iOS 12 / Xcode 10 support. The old work pre-rebase is here if anyone needs macOS 32-bit support for some reason (NB, that tag is not supported at all, you'd be own your own there).

Can everyone checkout the latest dev-logout branch, give it a try, and report back? You'll need to git rest --hard origin/dev-logout due to the rebase (which will also blast away any local changes, be warned).

Once a few people independently confirm that this actually works for them, we can look at getting it merged.

[WilliamDenniss]

@julienbodet rebased onto latest master (#393)

[WilliamDenniss]

@yurikoles

There is another issue, on newer iPads there is an alert/dialog before opening browser window on logout, that disappears immediately with no chance to accept it.

Do you have a strong reference to the session object? I think this happens if the object gets deallocated.

Please file a bug if you have a test case that can be repro'd

[WilliamDenniss]

@blork

This is looking good, just implemented it and it's working great. However, I have my users signing in using the embedded browser (SFAuthenticationSession/ASWebAuthenticationSession), so kicking them out to "real" Safari to logout is a bit jarring. Is there a way a method for showing SFSafariViewController for this could be added (or can someone give me a hint on how to implement this myself)?

I'm not quite following, Logout should use the same user-agent as login, should it not? At least, that is the intention.

[WilliamDenniss]

@yurikoles

@WilliamDenniss logout doesn't work in Swift:

When I try to call: OIDAuthorizationService.present(endSessionRequest, externalUserAgent: OIDExternalUserAgentIOS, callback: { (response, error)} )

Auth.swift:322:13: error: ambiguous reference to member 'present(_:externalUserAgent:callback:)'
            OIDAuthorizationService.present(endSessionRequest, externalUserAgent: OIDExternalUserAgentIOS, callback: { (response, error) in
            ^~~~~~~~~~~~~~~~~~~~~~~
AppAuth.OIDAuthorizationService:12:21: note: found this candidate
    open class func present(_ request: OIDAuthorizationRequest, externalUserAgent: OIDExternalUserAgent, callback: @escaping OIDAuthorizationCallback) -> OIDExternalUserAgentSession
                    ^
AppAuth.OIDAuthorizationService:15:21: note: found this candidate
    open class func present(_ request: OIDEndSessionRequest, externalUserAgent: OIDExternalUserAgent, callback: @escaping OIDEndSessionCallback) -> OIDExternalUserAgentSession

Can you file a separate issue for this one? It's getting too unwieldy to track so many issues in one thread.

When you do, can you share the code snippit as well?

[yurikoles]

Swift ambiguity is still there. Even login is broken in Swift on this branch.

error: ambiguous reference to member 'authState(byPresenting:externalUserAgent:callback:)'
            OIDAuthState.authState(byPresenting: request,
            ^~~~~~~~~~~~
AppAuth.OIDAuthState:12:21: note: found this candidate
    open class func authState(byPresenting authorizationRequest: OIDAuthorizationRequest, externalUserAgent: OIDExternalUserAgent, callback: @escaping OIDAuthStateAuthorizationCallback) -> OIDExternalUserAgentSession
                    ^
AppAuth.OIDAuthState:2:21: note: found this candidate
    open class func authState(byPresenting authorizationRequest: OIDAuthorizationRequest, presenting presentingViewController: UIViewController, callback: @escaping OIDAuthStateAuthorizationCallback) -> OIDExternalUserAgentSession

[WilliamDenniss]

Can you file a dedicated issue for this, and provide the sample code that generates the error?

[yurikoles]

@WilliamDenniss tried to create a use-case for issue, but I can't reproduce this in new project or official example. Seems to be very rare issue which my project.

[WilliamDenniss]

Thanks for confirming. I was surprised by this error, as I would expect Swift to infer the type and therefore not have any ambiguity. Maybe you could explicitly declare the variable with the type?

[WilliamDenniss]

Well, I'm happy that enough people have tried this without problems.

Merging soon. #YOLO

[pgorzelany-objectivity]

@WilliamDenniss any chance this will be merged and released soon?

[WilliamDenniss]

Merged.

The dev-logout branch will be deleted, please update your Podfiles if you were using that branch.

[wilmarvh]

@WilliamDenniss Any timing on an officially tagged release with logout functionality included?

[ivanhjel]

☝️ Is this available now?