
Firebase auth does not delete Github credentials from cache upon sign out

Open BenderNK opened this issue 2 years ago • 8 comments

Description

Once a user signs on to Firebase Auth with GitHub credentials and then signs out, there is no way to sign back into another GitHub account. Firebase Auth appears to be caching the sign-in information of the user, and when the user enters the same "Sign in with GitHub" flow in the future, the user gets automatically signed back into the previous account without being given a chance to provide different credentials.

Actual:

  1. User attempts to sign into Firebase Auth using the Sign-in-with-GitHub flow
  2. User has to enter their GitHub username and password and authorize the app that is requesting the credentials
  3. User is authenticated
  4. User signs out
  5. User attempts to sign back into Firebase Auth using the Sign-in-with-GitHub flow
  6. User is automatically signed back into the previously signed-in account

Expectation:

  1. User attempts to sign into Firebase Auth using the Sign-in-with-GitHub flow
  2. User has to enter their GitHub username and password and authorize the app that is requesting the credentials
  3. User is authenticated
  4. User signs out
  5. User attempts to sign back into Firebase Auth using the Sign-in-with-GitHub flow
  6. User has to re-enter their GitHub username and password and authorize the app that is requesting the credentials, allowing the user to log on to a different GitHub account

Reproducing the issue

  1. Integrate Firebase Auth for a macCatalyst project.
  2. Sign in with GitHub as explained in the docs.
  3. Note that on Catalyst, Firebase Auth uses an internal class named FIRAuthWebViewController to display the GitHub sign-in page to the user. However, for iOS clients Firebase Auth uses SFSafariViewController. This difference will be important in step 7.
  4. Once successfully signed in, sign the user out as explained in the same integration guide.
  5. Now assume that this user has another GitHub account and wants to sign in with that instead, for example one account for personal use and another one for work. Allow the user to sign back in to GitHub using the same flow as before. Signing in to another GitHub account is impossible at this point because the user gets automatically signed back in to the previous account. There is no opportunity to provide different credentials, go back, or cancel.
  6. Expected: When the user signs out of Firebase, all the data (cookies, temp data etc.) is purged from both FIRAuthWebViewController and SFSafariViewController so that the user can provide different GitHub credentials upon re-entering the flow.
  7. However, if you test this sign-in-with-GitHub flow on an iOS device (not macCatalyst) AND erase all Safari data from Settings, THEN the user is able to provide GitHub credentials again and is not automatically signed back into the previous account. This workaround does not work for macCatalyst projects because FIRAuthWebViewController is a web view.

Firebase SDK Version

10.13

Xcode Version

14.3

Installation Method

Swift Package Manager

Firebase Product(s)

Authentication

Targeted Platforms

iOS, macCatalyst

Relevant Log Output

No response


BenderNK avatar Aug 25 '23 17:08 BenderNK

I couldn't figure out how to label this issue, so I've labeled it for a human to triage. Hang tight.

google-oss-bot avatar Aug 25 '23 17:08 google-oss-bot

For step 7, does signing out of GitHub in the Safari app reset auth state as you would expect it to? I suspect this is working as intended or unfixable on iOS, since Safari state is untouchable by Firebase. On macOS Catalyst this is probably a bug.

morganchen12 avatar Aug 25 '23 20:08 morganchen12

Signing on to GitHub in the Safari app on iOS does not affect what happens in your own app. In other words, even if you sign on to an account on GitHub in Safari, Firebase Auth (SFSafariViewController) still asks for credentials again on your first attempt to sign in with GitHub within the app.

Once you sign on to GitHub in your app via Firebase Auth, signing out of GitHub in the Safari app also doesn't affect the outcome. SFSafariViewController still automatically signs you back into the previously signed-in account.

BenderNK avatar Aug 25 '23 21:08 BenderNK

We have the same problem for the login with OIDC, using the signInWithProvider() method.

Is there any known workaround? I cannot clear any data for the SFSafariViewController. The only way for the user to actually "change" is by deleting the Safari cache outside of the app.

The only thing I can think of is using the SFSafariViewController manually to open a logout page from the respective provider. But this is a really bad solution imho.

Tautellini avatar May 15 '24 16:05 Tautellini

Uninstalling and reinstalling is another not-great workaround

paulb777 avatar May 16 '24 01:05 paulb777

https://developer.apple.com/documentation/safariservices/sfsafariviewcontroller/datastore

From iOS 16+ you have access to the default DataStore of the Safari view controller, which makes it possible to delete the Safari cache used in the view controller.

In Swift it's simply used like: SFSafariViewController.DataStore.default.clearWebsiteData()

Tautellini avatar May 16 '24 15:05 Tautellini

I've confirmed that adding SFSafariViewController.DataStore.default.clearWebsiteData() to the signOut implementation enables a new GitHub id to sign in on iOS.

I'm hesitant to add it to the SDK since it may mess with other Safari data in the app or other SDKs.

Screenshot 2024-05-16 at 2 20 59 PM

paulb777 avatar May 16 '24 21:05 paulb777

I also feel that this shouldn't be a standard approach of the SDK on logout. This is still not really what Apple wants you to do, as you have no way to clear specific website data, only all of it.

I think the "right" way to handle this is to open the logout pages of those providers when clicking on logout, so that the session data can be cleared gracefully.

From this SDK's perspective, this is however not generally fixable, as you probably just don't know which provider was used; it could be anything. The provider could have any logout page and any redirect page on logout. So I'm not sure if this "bug" can be fixed from the SDK perspective at all.

Something I can think of would be a parameter on signOut which enforces this behaviour, but is optional. It's not a super clean approach, but the only thing that comes to my mind if you want to handle this within the SDK.

It doesn't fix this behaviour on older iOS versions though. (But at least from iPhone 8+, they are pretty old already.)

If I understood this correctly, the SDK could also change its approach from using SFSafariViewController to using ASWebAuthenticationSession, which has an option to not share the cookies, which probably results in this issue being fixed: https://developer.apple.com/documentation/authenticationservices/aswebauthenticationsession/3237231-prefersephemeralwebbrowsersessio (which is also already available on iOS 13+)

But I guess this is a much bigger "todo", for no other particular reason.

Tautellini avatar May 17 '24 06:05 Tautellini
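The two mitigations discussed in this thread (clearing the SFSafariViewController data store on sign-out, and running the provider login in an ephemeral ASWebAuthenticationSession so nothing persists between sign-ins) can be wired up app-side without waiting on the SDK. The following is an added example, not code from the Firebase SDK or from any commenter; it assumes Firebase Auth is already configured in the app, that the app targets iOS 16+ for the DataStore API (with a fallback for older versions), and that the hypothetical `EphemeralProviderLogin` wrapper is given a provider authorization URL and callback scheme by the caller.

```swift
import UIKit
import SafariServices
import AuthenticationServices
import FirebaseAuth

/// App-side sign-out that also drops the provider's web session so the next
/// "Sign in with GitHub" flow prompts for credentials again (shared or
/// multi-account devices would otherwise keep the previous account alive).
enum SessionCleanup {
    static func signOutAndClearProviderSession(completion: @escaping (Error?) -> Void) {
        do {
            try Auth.auth().signOut()          // Firebase-side sign-out (throws on failure)
        } catch {
            completion(error)
            return
        }
        if #available(iOS 16.0, *) {
            // Caveat raised in the thread: this clears ALL website data held by the
            // SFSafariViewController store, not only the GitHub cookies. Anything
            // else in the app that relies on that store is affected too.
            SFSafariViewController.DataStore.default.clearWebsiteData {
                completion(nil)
            }
        } else {
            // No API to clear the store before iOS 16: the provider session may
            // persist, so callers should treat sign-out as incomplete here.
            completion(nil)
        }
    }
}

/// Alternative from the thread: run the provider login in an ephemeral
/// ASWebAuthenticationSession (iOS 13+) so cookies are never shared across
/// sign-ins. This is a hypothetical wrapper, not something the Firebase SDK
/// exposes; the caller still has to finish the OAuth exchange with the
/// callback URL it receives and hand the resulting token to Firebase.
final class EphemeralProviderLogin: NSObject, ASWebAuthenticationPresentationContextProviding {
    private var session: ASWebAuthenticationSession?
    private let anchor: ASPresentationAnchor

    init(anchor: ASPresentationAnchor) {
        self.anchor = anchor
    }

    func presentationAnchor(for session: ASWebAuthenticationSession) -> ASPresentationAnchor {
        anchor
    }

    /// Starts the login; `authorizationURL` and `callbackScheme` are supplied by the caller.
    func start(authorizationURL: URL,
               callbackScheme: String,
               completion: @escaping (Result<URL, Error>) -> Void) {
        let s = ASWebAuthenticationSession(url: authorizationURL,
                                           callbackURLScheme: callbackScheme) { callbackURL, error in
            if let error = error {
                completion(.failure(error))
            } else if let callbackURL = callbackURL {
                completion(.success(callbackURL))
            }
        }
        // Private browsing session: no cookies or data shared with Safari or
        // with earlier sessions, so a previous GitHub login cannot be reused.
        s.prefersEphemeralWebBrowserSession = true
        s.presentationContextProvider = self
        session = s          // keep a strong reference while the session is running
        _ = s.start()
    }
}
```

The trade-off mirrors the discussion above: the DataStore route is a blunt instrument that wipes every site's data in the Safari view controller store, while the ephemeral-session route isolates each login at the cost of asking the user to authenticate at the provider every time and of the app owning the OAuth callback handling that Firebase otherwise does for it.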

No clear follow up actions here, so closing.

paulb777 avatar Aug 02 '24 22:08 paulb777