AppAuth-Android
Is there any way we can clear the saved session cookies in chrome by AppAuth library?
Configuration
- Version: '0.7.1'
- Integration: Native Java
- Identity provider: .
Description
For a user, I am facing an issue using the SSO login in the app: if a user logs in for the first time, then even after logout the user is auto logged in again and again, as the cookies are present and stored in Chrome while logging in. Is there any way in AppAuth where I can specify that, if Chrome is being opened, it should not auto-login using the cookies, or simply clear the cookies from Chrome either while logging in or at the time of logout? This is an issue for our user that is not even solved by reinstalling, as the cookies are stored in Chrome.
Both scenarios are possible.
- To properly log out of an SSO service, implement end session. The easiest way to tell if your IDP supports it is to look for `end_session_endpoint` in your discovery document (.well-known/openid-configuration).
- Alternatively, you can ask the user to always log in by setting prompt to login: `authRequestBuilder.setPrompt(AuthorizationRequest.Prompt.LOGIN)` (https://openid.net/specs/openid-connect-core-1_0.html#rfc.section.3.1.2.1)
@agologan The fact that our app works in offline mode, and that it is not guaranteed that the user will have an internet connection, is stopping us from using any API or end sessions for the log-out process.
Also, I have checked by applying `authRequestBuilder.setPrompt(AuthorizationRequest.Prompt.LOGIN)`, but it is still not working for SSO logged-in users; it is auto logging in without waiting for credentials.
Figuring out how your app should behave when offline is not something in scope for this library.
`prompt: login` works only if your identity provider has implemented support for it.
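The check described in the answers above, as an added example that is not part of the thread or of AppAuth: it inspects a discovery document for `end_session_endpoint` and, if present, builds the logout URL with the OpenID Connect RP-Initiated Logout parameters, otherwise it falls back to `prompt=login`. The function names, the `idp.example.com` document, the token string and the redirect URI are constructed for illustration.

```python
import json
import secrets
from urllib.parse import parse_qsl, urlencode, urlsplit, urlunsplit

# Constructed discovery document, as served at /.well-known/openid-configuration.
# idp.example.com is a placeholder, not a real provider.
SAMPLE_DISCOVERY = json.dumps({
    "issuer": "https://idp.example.com",
    "authorization_endpoint": "https://idp.example.com/authorize",
    "end_session_endpoint": "https://idp.example.com/logout?tenant=demo",
})


def add_params(url, params):
    """Append params to an https URL, keeping any query string it already has."""
    parts = urlsplit(url)
    if parts.scheme != "https" or not parts.netloc:
        raise ValueError(f"endpoint must be an absolute https URL: {url!r}")
    query = parse_qsl(parts.query, keep_blank_values=True) + list(params.items())
    return urlunsplit(parts._replace(query=urlencode(query)))


def logout_plan(discovery_json, id_token, post_logout_redirect_uri, state=None):
    """Choose how to stop the browser SSO session from signing the user back in."""
    doc = json.loads(discovery_json)
    endpoint = doc.get("end_session_endpoint")
    if not endpoint:
        # Nothing advertised: the remaining option is prompt=login on the next
        # authorization request, which only helps if the IdP implements it.
        return {"strategy": "prompt_login", "extra_auth_params": {"prompt": "login"}}
    # RP-initiated logout: opened in the same browser that holds the IdP cookie.
    state = state or secrets.token_urlsafe(16)
    url = add_params(endpoint, {
        "id_token_hint": id_token,  # tells the IdP which session to end
        "post_logout_redirect_uri": post_logout_redirect_uri,
        "state": state,  # compare with the value returned on the redirect
    })
    return {"strategy": "end_session", "url": url, "state": state}


if __name__ == "__main__":
    print(logout_plan(SAMPLE_DISCOVERY, "constructed.id.token",
                      "com.example.app:/signed-out"))
```

The resulting URL has to be opened in the same browser that performed the login, since that is where the identity provider's session cookie lives.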