
[FeatureRequest] Allow user to select which Google/Facebook Account to sign in when using `AWSCognitoAuth`

Open lucianboboc opened this issue 7 years ago • 9 comments

**Describe the bug** If you log in with Google and then log out, the user will remain logged in in the SafariVC and will not be able to log in with a different Google account; the app must be deleted from the device. This might be related to the way SafariVC works: after iOS 11 it will not share the cookies between the iOS Safari app and the SafariVC from any app.

**To Reproduce** Steps to reproduce the behavior:

  1. Login with google
  2. Logout
  3. Login again with a different google account
  4. This can't happen because the opened SafariVC will redirect the user to accounts.google.com and from there to the redirectURI.

**Which AWS service(s) are affected?** AWSCognitoAuth

**Expected behavior** After sign-out the user should have the option to see accounts.google.com and add a new account or select an existing one.

**Environment** (please complete the following information):

  • SDK Version: 2.7.3
  • Dependency Manager: Cocoapods
  • Swift Version : any

**Device Information:** any

lucianboboc avatar Dec 04 '18 15:12 lucianboboc

Hello @lucianboboc

Sorry that you are having issues using the SDK. Currently, this feature is not supported by the service. I will take this as a feature request to the team and loop back once we have an update.

Thanks, Rohan

rohandubal avatar Dec 04 '18 22:12 rohandubal

@rohandubal thanks for the info.

lucianboboc avatar Dec 05 '18 09:12 lucianboboc

I've tried, after logout, to delete the cookies from HTTPCookieStorage, but the only cookie found was one whose domain value was the URL used by CognitoAuthWebDomain. There are no Google-specific cookies.

lucianboboc avatar Dec 05 '18 11:12 lucianboboc

Ditto for Facebook! I have not released the features of my app that use AWSCognitoAuth but I'm already dreading that I have tell my users that the only way to switch to a different Facebook user is to open to the iOS Settings app, visit the Safari settings, and Clear History and Website Data. Or the user can delete and reinstall my app. Yuck! That just all seems ridiculous to me. Can't you do something like implement the functionality using a WKWebView (in a UIViewController) and give us an option to clear cookies before signing in? I attempted to look into that myself. What I ran into was that WKWebView wouldn't redirect to a custom scheme implemented in my app. SFSafariViewController supports that but WKWebView does not (IMHO).

Or do the Google, Facebook, etc. URLs to which you redirect offer a parameter to clear cached sign-in information and could you bring that parameter out to us?

Signing in once and never being able to sign in as another user seems like a severe restriction to me.

kwallace-abvio avatar Dec 13 '18 20:12 kwallace-abvio

@kwallace-abvio, I updated the title to reflect your request.

frankmuellr avatar Dec 13 '18 21:12 frankmuellr

I've opened a bug report for Apple too; maybe they will agree to add a clearCookies call to SafariViewController to be used from an app. That way AWSCognitoAuth can just call clearCookies when the user signs out from Cognito.

lucianboboc avatar Jan 11 '19 12:01 lucianboboc

@kwallace-abvio I think you can, using WKURLSchemeHandler.

lucianboboc avatar Jan 11 '19 14:01 lucianboboc

Hey, guys, any update here? Is there a way to switch the account?

iLabsTony avatar May 07 '20 07:05 iLabsTony

I believe this is the same issue I am seeing. Instead of using AWSCognitoAuth I am using `AWSMobileClient.default().signOut(options: SignOutOptions(signOutGlobally: false, invalidateTokens: true))`. But, if you trace the code path that AWSMobileClient's signOut takes, it ends up using AWSCognitoAuth's signOut. My expectation is that by setting invalidateTokens to true the user should be presented with a login challenge (including selecting their Google account) on the next sign-in. Setting invalidateTokens to true was the fix for our Android app, but not iOS. I have also tried setting signOutGlobally to true but that has no effect.

Maybe I am overreacting, but this feels like a security issue. If I sign out, someone who has my unlocked phone should not be able to open my app and tap one of the social sign-in buttons and just be allowed in.

corey-plugshare avatar Jun 15 '20 21:06 corey-plugshare

You can now open the web UI with a private session, which will not store the cookie details: https://docs.amplify.aws/lib/auth/signin_web_ui/q/platform/ios/#launch-web-ui-sign-in. That way, the next time you sign in you will not be automatically authenticated.

royjit avatar Sep 23 '22 21:09 royjit
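As an added illustration (not code from this thread or from the SDK) of the private-session option royjit points to, written against the Amplify Swift v2 API as documented at that link; the `UIWindow` argument and the `HostedUISignIn` wrapper are assumptions, and the non-private branch reproduces the persistent-session behaviour the issue reports:

```swift
import Amplify
import AWSCognitoAuthPlugin
import UIKit

/// Hypothetical wrapper around Amplify's Hosted UI sign-in. The two branches
/// differ only in whether the browser session used for the Cognito Hosted UI
/// (and the Google/Facebook pages it redirects to) is ephemeral.
enum HostedUISignIn {

    /// Sign in through the Cognito Hosted UI.
    /// - isolatedSession == false: default persistent browser session. The IdP's
    ///   own cookies survive Cognito sign-out, so the next sign-in silently
    ///   reuses the previous Google/Facebook account (the behaviour in this issue).
    /// - isolatedSession == true: `.preferPrivateSession()` launches the web UI
    ///   in a private session, so no IdP cookies are kept and the account
    ///   chooser is shown again after sign-out.
    static func signIn(in window: UIWindow, isolatedSession: Bool) async throws -> Bool {
        let result: AuthSignInResult
        if isolatedSession {
            result = try await Amplify.Auth.signInWithWebUI(
                presentationAnchor: window,
                options: .preferPrivateSession())
        } else {
            result = try await Amplify.Auth.signInWithWebUI(presentationAnchor: window)
        }
        return result.isSignedIn
    }

    /// Sign out of Cognito. This clears the app's Cognito tokens but, with a
    /// persistent browser session, cannot clear the IdP's cookies, which is
    /// why invalidating tokens alone did not force a new login challenge.
    static func signOut() async {
        _ = await Amplify.Auth.signOut()
    }
}
```

The trade-off is that a private session persists nothing, so the user re-enters IdP credentials on every sign-in; for the threat raised above (an unlocked phone after sign-out), that is the intended behaviour.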