
Safari external browser is caching credentials data in recurrent login attempts. Only on iOS 14.5 and above.

Open dimebt opened this issue 3 years ago • 6 comments

When performing a recurring OIDC login, the Safari external browser only shows up for a second and then dismisses itself immediately. It looks like the Safari browser is caching the credentials and using them in the recurrent login attempts.

To Reproduce
Steps to reproduce the behavior:

  1. Login with OIDC
  2. Kill the app
  3. Try to log in again
  4. External browser pops up and immediately hides.

Expected behavior
External browser should be shown and new credentials should be entered.

  • OS: iOS
  • Browser: Safari
  • Version: 14.5, 14.6

dimebt avatar May 17 '21 12:05 dimebt

I second this. We've had issues reported on Android and iOS; I was unable to reproduce on 14.4.2, but after updating to iOS 14.5.1 the user is auto-logged in despite not clicking "remember me". Unsure as to what changed, but it happens on iOS 14.5+ and Android 10+ (unsure about prior Android versions).

EDIT: On further investigation, it looks like the behaviour of session-only cookies was broken in iOS 14 and fixed in iOS 14.5, so now the browsing session cookies are persisted: https://developer.apple.com/forums/thread/663533

HaydnDias avatar May 21 '21 11:05 HaydnDias

So is this expected behavior now? We are having a similar issue with our app. The use case is that we are trying to log the user out when offline. Our logout flow uses ASWebAuthenticationSession, and even though we are clearing out all data of the previous session in AppAuth manually, the browser still maintains these session cookies, because when we log back in using AppAuth it does not prompt the user for credentials.

Like @HaydnDias noted, this flow was working in previous iOS 14 versions, but not 14.5+.

Logging out works fine when we can go through the flow with internet access, which has AppAuth prompt for user credentials when trying to log back in.

brettjohnsen-sy avatar Jun 07 '21 14:06 brettjohnsen-sy

I think this can be fixed by setting prefersEphemeralWebBrowserSession on the ASWebAuthenticationSession to true, by adding authenticationVC.prefersEphemeralWebBrowserSession = true in the presentExternalUserAgentRequest function in OIDExternalUserAgentIOS. This should work for iOS 13+.

PhilippZenker avatar Sep 07 '21 09:09 PhilippZenker

I just tried the code below and it worked for me:

    // perform the auth request...
    let request = OIDAuthorizationRequest(
        configuration: configuration,
        clientId: SharedConstantsKt.APP_CLIENT_ID,
        clientSecret: nil,
        scopes: [OIDScopeOpenID, OIDGrantTypeRefreshToken],
        redirectURL: URL(string: ApiEndPoints.marykayredirecturl.url)!,
        responseType: OIDResponseTypeCode,
        // prompt=login asks the IdP to re-authenticate even if the browser still has a session
        additionalParameters: ["prompt" : "login"])

Yagnik13 avatar Oct 06 '21 11:10 Yagnik13

Adding this key/value in OIDAuthorizationRequest -> additionalParameters: ["prompt" : "login"] solved my issue. Also, in logout I did this:

        // Remove the last authState from UserDefaults
        UserDefaultManager.shared.authState = nil

        // Cancel the in-flight flow and clear currentAuthorizationFlow in the AppDelegate
        guard let appDelegate = UIApplication.shared.delegate as? AppDelegate else {
            return
        }
        appDelegate.currentAuthorizationFlow?.cancel()
        appDelegate.currentAuthorizationFlow = nil

        // Open the login page (presented from the view controller that triggered logout)
        let controller = Login_VC()
        controller.modalPresentationStyle = .fullScreen
        sender.present(controller, animated: true, completion: nil)

sajjadsarkoobi avatar Dec 01 '21 21:12 sajjadsarkoobi

You can also add ["prompt": "select_account consent"] if you do not want to enter credentials every time. It will take you to the consent screen and prompt you to continue with the currently logged-in account or change the account.

prithaCodes avatar Feb 26 '22 16:02 prithaCodes
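Pulling together the two fixes proposed in this thread (the ephemeral session suggested by PhilippZenker and the prompt=login parameter from Yagnik13 and sajjadsarkoobi), here is an added example that is not from the thread or from AppAuth-iOS's own sources. It assumes AppAuth-iOS exposes OIDExternalUserAgentIOS(presentingViewController:prefersEphemeralSession:) (present in 1.4 and later, to my knowledge) and uses placeholder issuer, client ID and redirect URL values.

```swift
import UIKit
import AppAuth

// Added example, not from this thread or from AppAuth-iOS itself.
// Assumptions: OIDExternalUserAgentIOS(presentingViewController:prefersEphemeralSession:)
// exists (AppAuth-iOS 1.4+); issuer, client ID and redirect URL are placeholders.
final class LoginCoordinator {
    private let issuer = URL(string: "https://issuer.example/")!                // placeholder
    private let clientID = "CLIENT_ID_PLACEHOLDER"                              // placeholder
    private let redirectURL = URL(string: "com.example.app:/oauth2redirect")!   // placeholder

    // Kept so the flow can be resumed from the AppDelegate or cancelled on logout.
    var currentAuthorizationFlow: OIDExternalUserAgentSession?

    func login(from viewController: UIViewController,
               completion: @escaping (OIDAuthState?, Error?) -> Void) {
        OIDAuthorizationService.discoverConfiguration(forIssuer: issuer) { config, error in
            guard let config = config else { completion(nil, error); return }
            // prompt=login tells the IdP to re-authenticate even when the browser
            // still holds an SSO cookie, so a stale session cannot sign in silently.
            let request = OIDAuthorizationRequest(
                configuration: config,
                clientId: self.clientID,
                clientSecret: nil,
                scopes: [OIDScopeOpenID, OIDScopeProfile],
                redirectURL: self.redirectURL,
                responseType: OIDResponseTypeCode,
                additionalParameters: ["prompt": "login"])
            // An ephemeral ASWebAuthenticationSession shares no cookies with Safari and
            // discards its own on completion, so cookies persisted since iOS 14.5
            // never reach this flow and nothing is left behind for the next user.
            guard let agent = OIDExternalUserAgentIOS(
                presentingViewController: viewController,
                prefersEphemeralSession: true) else { completion(nil, nil); return }
            self.currentAuthorizationFlow = OIDAuthState.authState(
                byPresenting: request, externalUserAgent: agent) { state, error in
                    self.currentAuthorizationFlow = nil
                    completion(state, error)
            }
        }
    }

    // Local logout works offline: with an ephemeral session there is no browser
    // cookie to clear, so dropping the stored state and any in-flight flow is enough.
    func logout(clearStoredState: () -> Void) {
        currentAuthorizationFlow?.cancel()
        currentAuthorizationFlow = nil
        clearStoredState()
    }
}
```

Using both settings together covers both failure modes in the thread: prompt=login protects deployments that still share Safari's cookie jar, and the ephemeral session makes the offline logout described by brettjohnsen-sy safe because no server session survives in the browser.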