I am using the react-native-auth0 SDK in an react-native app to login users through the webAuth.authorize hosted page. I do not see a corresponding logout function in the react-native SDK. There is a logout function for the webAuth library in auth0.js for web based clients. How does a react-native user logout in this setup?
Currently, even though I can logout the user out of the app by destroying local state, the user remain logged in at the social provider and so is not prompted for credentials when they try to log in again.
I did a fetch call to /logout?federated and got a 200 OK response but the user is still logged in at the social provider (no prompt for credentials next time they try to login).
Update:
I tried the Linking.openURL to call the /logout endpoint. The system browser is called as expected (same as during login) but the the user is not being logged out. Trying to sign in again, does not prompt the user for username/password, indicating that user is still logged in. The URL I am calling is:
https://mydomain.auth0.com/v2/logout?federated&client_id=
I also opening the logout URL the same way webAuth.authorize calls it using the A0Auth native module. Still no luck, user is not logged out of social identity provider (Google in my case).
Interestingly, when I look at Logs in Auth0 Dashboard I see several “Success Logout” messages as expected, but still user is able to login without prompt.
When using the method you describe the user should be performing the authentication through the system browser (which is the recommended approach for security reasons). The consequence is that if the identity provider establishes a session and you really need to terminate that session then the federated logout also needs to be performed through the system browser (since that’s where the session was established).
At this time the SDK in question does not have an utility method that could be used to clear the session at the identity provider, however, I can inform you that this has been discussed and should be included. However, I cannot provide you with a definitive timeline for its availability.
Meanwhile, if you are already building the URL to the logout endpoint you may want to try to use Linking.openURL to open that URL (according to the documentation this may allow you to open the URL through the system browser).
Update
Also have in mind that if the authentication involves an external authentication provider, like Google or Facebook is up to that provider to decide if it honors the logout request coming from a third-party. Some providers may want that logout is only done by end-users going through their own systems.
A possible way to confirm if it’s provider related is to do the testing with a database connection user that authenticated through the hosted login page (and system browser). If after logout you try to login again and you see a Last time you… option then the logout did not execute as it should, if it shows the username/password inputs then the logout correctly cleared the session.
@jmangelo thank you for your reply. You are right in that the system browser is being used to login. Since the SDK is able to invoke to system browser for login (through the hosted page), for completeness it seems reasonable to allow and log out through a similar mechanism. I will look out for the federated logout functionality and hope it can available soon.
Meanwhile, I will try the Linking.openURL method to force a logout. Thanks again for your reply.
@jmangelo thank you for your reply. You are right in that the system browser is being used to login. Since the SDK is able to invoke to system browser for login (through the hosted page), for completeness it seems reasonable to allow and log out through a similar mechanism. I will look out for the federated logout functionality and hope it can available soon.
Meanwhile, I will try the Linking.openURL method to force a logout. Thanks again for your reply.
Updated my answer in light of your recent update.
Thanks for the the update. That might be what is happening. BTW, in the second paragraph of your update did you mean “social connection” instead of database connection?
I meant database connection because for those the identity provider (the one who validates the actual credentials) is Auth0 so for that case if the logout is being triggered in the same browser session as the login you will for sure get logged out. You can also try with other social providers, but that test will be less reliable as it will always depend if the provider in question honors the logout request or just ignores it.
Ah … ok so if the database connection (Auth0) logs out correctly through the hosted page, same browser session, then the issue is social provider related (not accepting third-part logout)?