🐛 [firebase_auth]Single Sign-Out Issue with FirebaseAuth and SAML IdP

Open motucraft opened this issue 1 year ago • 8 comments

Bug report

Describe the bug FirebaseAuth in Flutter allows for SAML authentication, but there seems to be no clear way to handle Single Sign-Out. When I execute FirebaseAuth.instance.signOut(), it only signs the user out of Firebase, leaving the session in the Identity Provider (IdP) still active.

Steps to reproduce

Steps to reproduce the behavior:

  1. Authenticate using FirebaseAuth with SAML as IdP
  2. Execute FirebaseAuth.instance.signOut()
  3. Attempt to re-authenticate. The user will be re-authenticated without being asked for credentials due to the active session in the IdP.

Expected behavior

I would expect a way to sign out from both Firebase and the Identity Provider to achieve a complete Single Sign-Out.

Sample project

import 'package:firebase_auth/firebase_auth.dart';
import 'package:firebase_core/firebase_core.dart';
import 'package:flutter/material.dart';
import 'package:hooks_riverpod/hooks_riverpod.dart';
import 'package:riverpod_annotation/riverpod_annotation.dart';
import 'package:simple_logger/simple_logger.dart';

import 'firebase_options.dart';

part 'main.g.dart';

late final FirebaseApp firebaseApp;

void main() async {
  firebaseApp = await Firebase.initializeApp(
    options: DefaultFirebaseOptions.currentPlatform,
  await FirebaseAuth.instance.userChanges().first;

  runApp(const ProviderScope(child: MyApp()));

class MyApp extends StatelessWidget {
  const MyApp({super.key});

  Widget build(BuildContext context) {
    return MaterialApp(
      title: 'Firebase SAML Demo',
      theme: ThemeData(
        colorScheme: ColorScheme.fromSeed(seedColor: Colors.deepPurple),
        useMaterial3: true,
      home: const SAMLSample(),

class SAMLSample extends ConsumerWidget {
  const SAMLSample({super.key});

  Widget build(BuildContext context, WidgetRef ref) {
    final authController = ref.watch(authControllerProvider);
    return authController.when(
      data: (data) {
        return Scaffold(
          body: SafeArea(
            child: Center(
              child: Column(
                mainAxisAlignment: MainAxisAlignment.center,
                children: [
                  if (data == null)
                      onPressed: () async => await ref
                      child: const Text('SAML Sign In'),
                  if (data != null) ...[
                    const Text('Firebase SAML Sign-in SUCCESS!!!',
                        style: TextStyle(fontSize: 18)),
                    const SizedBox(height: 8),
                    SelectableText('Email: ${data.email!}',
                        style: const TextStyle(fontSize: 18)),
                    const SizedBox(height: 8),
                    SelectableText('Uid: ${data.uid}',
                        style: const TextStyle(fontSize: 18)),
                    const SizedBox(height: 24),
                      onPressed: () async => await ref
                      child: const Text('Sign Out'),
      error: (error, stack) {
        return Scaffold(
          body: Text(
            style: const TextStyle(color: Colors.red),
      loading: () => const Scaffold(
        body: Center(child: CircularProgressIndicator()),

SAMLAuthProvider samlAuth(SamlAuthRef ref) {
  return SAMLAuthProvider('saml.saml-provider');

class AuthController extends _$AuthController {
  final _auth = FirebaseAuth.instance;

  FutureOr<User?> build() async {
    _auth.userChanges().listen((user) {
      state = AsyncValue.data(user);

    return state.value;

  Future<void> samlSignIn() async {
    state = const AsyncLoading<User?>().copyWithPrevious(state);
    state = await AsyncValue.guard(() async {
      final userCredential = await FirebaseAuth.instanceFor(app: firebaseApp)
      return userCredential.user;

  Future<void> samlSignOut() async {
    state = const AsyncLoading<User?>().copyWithPrevious(state);
    state = await AsyncValue.guard(() async {
      await FirebaseAuth.instance.signOut();
      return null;

final logger = SimpleLogger()
    includeCallerInfo: true,
name: firebase_saml
description: A new Flutter project.
publish_to: 'none'
version: 1.0.0+1

  sdk: '>=3.0.6 <4.0.0'

    sdk: flutter

  cupertino_icons: ^1.0.5
  firebase_core: ^2.15.0
  firebase_auth: ^4.7.0
  hooks_riverpod: ^2.3.6
  flutter_hooks: ^0.18.6
  simple_logger: ^1.9.0+2
  riverpod_annotation: ^2.1.1

    sdk: flutter

  flutter_lints: ^2.0.2
  riverpod_generator: ^2.2.3
  build_runner: ^2.4.6
  custom_lint: ^0.4.0
  riverpod_lint: ^1.3.2

  uses-material-design: true

Additional context

I am trying to achieve a Single Sign-Out solution that allows the user to be completely signed out from both Firebase and the SAML Identity Provider. This seems to be essential for a proper Single Sign-Out implementation. Please advise on how this can be achieved or consider it as a feature request for firebase_auth package.

Flutter doctor

Run flutter doctor and paste the output below:

% flutter doctor
Doctor summary (to see all details, run flutter doctor -v):
[✓] Flutter (Channel stable, 3.10.6, on macOS 13.4.1 22F770820d darwin-arm64, locale ja-JP)
[✓] Android toolchain - develop for Android devices (Android SDK version 33.0.2)
[✓] Xcode - develop for iOS and macOS (Xcode 14.3.1)
[✓] Chrome - develop for the web
[✓] Android Studio (version 2022.2)
[✓] Android Studio (version 2022.2)
[✓] IntelliJ IDEA Ultimate Edition (version 2023.1.4)
[✓] IntelliJ IDEA Ultimate Edition (version 2023.1.3)
[✓] IntelliJ IDEA Ultimate Edition (version 2023.1.4)
[✓] VS Code (version 1.80.0)
[✓] Connected device (3 available)
[✓] Network resources

• No issues found!

Flutter dependencies

Run flutter pub deps -- --style=compact and paste the output below:

% flutter pub deps -- --style=compact
Dart SDK 3.0.6
Flutter SDK 3.10.6
firebase_saml 1.0.0+1

- cupertino_icons 1.0.5
- firebase_auth 4.7.0 [firebase_auth_platform_interface firebase_auth_web firebase_core firebase_core_platform_interface flutter meta]
- firebase_core 2.15.0 [firebase_core_platform_interface firebase_core_web flutter meta]
- flutter 0.0.0 [characters collection js material_color_utilities meta vector_math sky_engine]
- flutter_hooks 0.18.6 [flutter]
- hooks_riverpod 2.3.6 [collection flutter flutter_hooks flutter_riverpod riverpod state_notifier]
- riverpod_annotation 2.1.1 [meta riverpod]
- simple_logger 1.9.0+2 [logging stack_trace]

motucraft avatar Jul 17 '23 02:07 motucraft

@motucraft It looks it may not be supported, but I am not completely sure, but check below and see if they help or not.



darshankawar avatar Jul 17 '23 12:07 darshankawar

I also suspect that the Identity Platform itself may not support this in the first place. However, isn't the inability to invalidate a session through sign-out a critical issue?

Is there anything we as users can do about this?

motucraft avatar Jul 17 '23 12:07 motucraft

@motucraft Since flutterfire plugins are thin wrappers around native Firebase sdks, you might want to check if the native firebase sdks supports it or not. If not, I guess the implementation would probably need to come from them so that flutterfire plugins can leverage it.

darshankawar avatar Jul 18 '23 10:07 darshankawar

Hey @motucraft. We need more information to resolve this issue but there hasn't been an update in 7 weekdays. I'm marking the issue as stale and if there are no new updates in the next 7 days I will close it automatically.

If you have more information that will help us get to the bottom of this, just add a comment!

google-oss-bot avatar Jul 27 '23 01:07 google-oss-bot

Thank you for your suggestion. Since I am working with Flutter Web, I suppose the JavaScript Firebase SDK is relevant to my issue. Should I direct my inquiry towards the maintainers of the JavaScript Firebase SDK? Your guidance is appreciated.

motucraft avatar Jul 30 '23 06:07 motucraft

Sorry for late reply @motucraft . I looked into the SAML implementation for the firebase_auth plugin and the support was added as part of https://github.com/firebase/flutterfire/pull/10075. Coming to your original issue that there's no clear way to handle Single Sign-Out, I think it is better to keep this issue open here and I'll label it for team's input on expected behavior and if there's any fix needed.

darshankawar avatar Aug 01 '23 10:08 darshankawar

/cc @Lyokone for thoughts.

darshankawar avatar Aug 01 '23 10:08 darshankawar

Almost half a year has passed.

motucraft avatar Feb 04 '24 06:02 motucraft