Silent logout react native? #994

Open
Ivan-Stashak-CardinalPeak opened this issue Jun 21, 2024 · 3 comments

Comments

@Ivan-Stashak-CardinalPeak

Issue

I'm using Microsoft Azure Active Directory for my mobile app and am attempting to achieve silent (promptless) logout. I've set up a login_hint for my id token, but I'm unable to achieve a logout UX that prevents the popping of 2 dialogs - one for the user to acknowledge that the app wishes to use microsoftonline.com to Sign In and the second to choose the user to sign out.

Is promptless logout something that has been achieved with this library in react native?

In addition, the logout() method seems to log the user out as the Azure pop-up displays the message:

You're signed out here, but you may need to manually sign out from other apps.

From here the pop-up dialog doesn't automatically dismiss, and I'm required to hit the 'Cancel' button in the top left corner in order to dismiss the dialog. This results in the logout() method returning the following error:

The operation couldn’t be completed. (org.openid.appauth.general error -3.)

I suspect that this may be due to my postLogoutRedirectUrl, which is:

'com.foo.mobile.unauth://oauth/'

Is this supposed to be an https url? I used this form due to the need to use a similar redirect for login:

'com.foo.mobile.auth://oauth/'

Note, I have no issues with login. Everything returns successfully and the Azure dialog presents with a continue button for dismissing itself after successful auth.

Environment

  • Azure Active
  • Platform that you're experiencing the issue on: iOS
  • Your react-native Version: 0.71.4
  • Your react-native-app-auth Version: 7.2.0
  • Are you using Expo?: NO
@maddeha

maddeha commented Jul 17, 2024

Did you achieve the promptless logout?

@juanchoperezj

+1

@carbonrobot
Contributor

tldr; Silent logout is not part of the OAuth2.0 specification, so is not explicitly supported.

It's important to remember that OAUTH2 is a redirect flow based authorization framework. As such, it needs to redirect your browser to a URL that has access to the cookies that are stored under your IDP's domain in local storage. For security, browsers do not allow cross-domain access to local storage.

The OAUTH2 specification extension RFC 7009 allows for a "revoke" endpoint.

2. Token Revocation
Implementations MUST support the revocation of refresh tokens and
SHOULD support the revocation of access tokens (see Implementation
Note).

Which can revoke the refresh token at the IDP, but they are not required to support revocation of access tokens.

You can see the docs on how to revoke refresh tokens with this library here: https://commerce.nearform.com/open-source/react-native-app-auth/docs/usage/revoke

It may be possible to support silent logout if

  • Your IDP supports it and provides an API (typically a REST endpoint)
  • You write the custom code to use that endpoint
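
Added example, not part of the thread and not react-native-app-auth's own code: a sketch of the "custom code" path for an IDP that exposes an RFC 7009 revocation endpoint. The function names, the endpoint URL and the client id used with it are hypothetical; `fetchFn` and `clearLocal` are supplied by the caller.

```javascript
// Added example: RFC 7009 revocation request for a public (mobile) client.
// Function names are hypothetical; endpoint and client id come from the caller.
const HINTS = new Set(['refresh_token', 'access_token']);

function buildRevocationRequest(endpoint, token, hint, clientId) {
  const url = new URL(endpoint);
  // RFC 7009 section 2: the request carries a credential, so HTTPS only.
  if (url.protocol !== 'https:') throw new Error('revocation endpoint must be https');
  if (!token) throw new Error('token is required');
  if (hint && !HINTS.has(hint)) throw new Error('unknown token_type_hint');
  const form = new URLSearchParams({ token });
  if (hint) form.set('token_type_hint', hint);
  // A public client has no secret; it identifies itself with client_id.
  if (clientId) form.set('client_id', clientId);
  return {
    url: url.toString(),
    method: 'POST',
    headers: { 'Content-Type': 'application/x-www-form-urlencoded' },
    body: form.toString(),
  };
}

function interpretRevocationResponse(status, body) {
  // 200 covers both "revoked" and "token was already invalid" (section 2.2).
  if (status === 200) return 'revoked';
  if (status === 503) return 'retry';
  if (status === 400 && body && body.error === 'unsupported_token_type') return 'unsupported';
  return 'failed';
}

// Revokes the refresh token without opening a browser, then wipes the
// persisted copies. The IDP's browser session cookie is NOT affected.
async function revokeAndForget(fetchFn, endpoint, tokens, clientId, clearLocal) {
  let outcome = 'failed';
  try {
    const req = buildRevocationRequest(endpoint, tokens.refreshToken, 'refresh_token', clientId);
    const res = await fetchFn(req.url, req);
    const body = res.status === 200 ? null : await res.json().catch(() => null);
    outcome = interpretRevocationResponse(res.status, body);
  } catch (e) {
    outcome = 'failed'; // network error or rejected input
  } finally {
    await clearLocal(); // never leave a usable credential on the device
  }
  return outcome; // caller still holds `tokens` in memory if it wants to retry
}
```

An outcome other than `revoked` means the refresh token may still be valid at the IDP even though the device no longer stores it.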
