uphold-sdk-ios icon indicating copy to clipboard operation
uphold-sdk-ios copied to clipboard

Published 20 hours ago verified publisher icon uphold

"Invalidate Session" is not working properly

Open podkovyrin opened this issue 6 years ago • 1 comments

After making a call to the UpholdClient.invalidateSession() method a user stays logged in the Safari Controller and when he tries to log in again he will be automatically logged in without any interaction or confirmation, and there is no chance to authenticate a different account.

To solve this issue I should be able to open a logout page in the Safari Controller (because there is no way to clean cookies programmatically in SFSafariViewController as it runs in a separate process and shares cookies with Safari.app). But I can't find any endpoint or public API to force a user to log out (something like https://uphold.com/logout).

In Uphold SDK for JavaScript, there is "POST oauth2/revoke" endpoint (https://github.com/uphold/uphold-sdk-javascript/blob/master/docs/oauthclient.md#buildrevoketokenrequest) but it's not possible to make a POST-requests via SFSafariViewController.

podkovyrin avatar Jan 10 '19 10:01 podkovyrin

Hi @podkovyrin,

From the point of view of your app, calling UpholdClient.invalidateSession() will invalidate the session in the context of the app itself. It would not be desired that users would become logged out from uphold.com on Safari.

The reason, as you may imagine, is that the user may have other apps installed that rely on Uphold's authentication. As an example, consider the following: when you logout from Instagram (inside their app), it doesn't log you out from Facebook (either on Safari or on the Facebook app).

when he tries to log in again he will be automatically logged in without any interaction or confirmation, and there is no chance to authenticate a different account.

The automatic redirect is a feature that is employed by many of our partners. The intent is to reduce friction for users that have already authorized the app and is in line with most implementations of OAuth (Google, Facebook, etc.).

It may be possible to add a new query string parameter to the authorize url, such as: https://sandbox.uphold.com/authorize/0ec0942f9be9cc264a85a07fc97b583b50d6ba59?scope=cards:read&autoRedirect=false. (note the autoRedirect)

This would have the effect of displaying a page to the user to allow him to signout or confirm the authorization.

Is this something you'd be interested in?

nunofgs avatar Jan 16 '19 17:01 nunofgs