Can't log out in Android

I am trying to log out, but it automatically logs me in to the app when I start login.

```java
Auth0 auth0 = new Auth0(AppConfig.auth0clientId, AppConfig.auth0domain);
auth0 = Utils.getAuth0();
WebAuthProvider.init(auth0)
        .withParameters(parameters)
        .withScheme(getString(R.string.scheme))
        .withScope(Config.Auth0.scopeValue)
        .start(this, callback);
```

Parameters contains “prompt”: “login”

Used just email/password auth.
SDK version ‘com.auth0.android:auth0:1.12.0’
Android 7.0, 7.1, 8.0

:wave: @yevgenii.shein you should be able to force a fresh login with the way you are using withParameters and specifying the key prompt and value login, can you try prompt=login? You could alternatively try implementing the logout logic using the Credentials Manager.

I am already using prompt=login. I also tried to use CredentialsManager.clearCredentials. It gives me no result.
This problem appeared more than 2 weeks ago on live build in store.
I also tried to create a sample with only login and live credentials of app and got same result - user was logged in after fresh install.

Hi @yevgenii.shein, did you find any solution?
I’m currently integrating auth0 android with our app and cannot find a way to log user out in a way that would force login page to be displayed upon next log-in.

Hey there @olle!

I’m not an Android guy but let me research the field and get back to you once I have any updates!

Thank you @konrad.sopala.
Actually this happens with the demo app from here:
https://auth0.com/docs/quickstart/native/android/03-session-handling

Seems like SecureCredentialsManager deletes local token copy but next log-in attempt succeeds without prompting the user to enter credentials.
Even token revoking via the dashboard doesn’t help.

Gotchya! Let me see what I can find!

Friends,

I’m playing with Android Demo App for session management and cannot find a way to sign user out.

Seems like SecureCredentialsManager deletes local token copy but next log-in attempt succeeds without prompting the user to enter the credentials.
Even token revoking via the dashboard doesn’t help.

Here is screen capture: http://mobbie.net/temp/device-2019-03-25-133635.mp4

Any idea?
Please advise!

Hey @olle!

I merged your thread with this one so as not to duplicate content and let people find the final answer once we establish it, more easily.

Thank you!

Great! Do Auth0 people post here as well or the answer might come from the community members only?
This is pretty urgent matter for our project.

We do :slight_smile: However, you need to take into account that we have limited bandwidth and we’re not able to provide real-time support to all questions posted, and sometimes solving them requires internal discussions. Will do my best to get back as soon as possible!

Don’t have Android knowledge that’s why I want to be sure until I provide the solution!

Thank you Konrad. Just to let you and the community know, my company is also interested in this topic: how to log out a user via an Android native application. Now that “Seamless SSO” is enabled by default in all new Auth0 tenants (and if someone with an older tenant enables this setting), simply removing locally stored/managed JWTs for any app (web, iOS, Android) obviously will not ‘log out’ the user.

Also, requiring the app to provide “prompt=login” as a query param in a call to the /authorize endpoint is not a good solution (i.e. to ‘force’ Auth0 to present the login page), because that obviates the ability to join an existing SSO session if that is the desired outcome.

Thanks for all the feedback Folks! I just reached out to the person responsible for that quickstart @olle to see what they have to share on that front. I’ll get back to you once I get back any info!

Thanks @konrad.sopala.
Another 5 cents: this sample is supposed to receive a refresh token based on the requested scopes (“openid offline_access”); however, the response contains ID and access tokens only.

Our product is supposed to run as a background service and has to be able to request access token without user interaction.

So to summarize:

  1. The current SDK implementation acts as if it uses a refresh token while no refresh token is delivered to the app.
  2. It is impossible to log the user out, as the SDK seems to discard the access token but is still able to retrieve it later without user interaction.

For the logout issue, you may follow the status in this GitHub issue. The SDK currently doesn’t make a request to the logout endpoint. The logout endpoint helps to clear the user’s session with Auth0. prompt=login can help to show the login widget, but it isn’t a true logout, so it should be used with caution.

Thank you @Saltuk, I understand that logout url should be invoked through the browser that was used to log in (and not through an in-app http client that is used for api invocations) thus auth0 server will get a chance to remove the cookie and will optionally redirect to the provided url (returnTo param). Correct?

Hi @olle yes that is correct.
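
The browser-based logout confirmed in the last two replies, written out as an added example that is not part of the thread or of the Auth0 SDK: local tokens are cleared first, then the Auth0 `/v2/logout` URL is opened in the browser so the session cookie is removed there. The class name, the `clearLocalCredentials` hook and all argument values are assumptions for illustration, and the sketch assumes the URL opens in the same browser that holds the login session.

```java
import android.app.Activity;
import android.content.ActivityNotFoundException;
import android.content.Intent;
import android.net.Uri;

// Added example (hypothetical helper, not SDK code).
public final class BrowserLogout {
    private BrowserLogout() {}

    // Builds https://{domain}/v2/logout?client_id=...&returnTo=...
    // Uri.Builder percent-encodes the query values.
    static Uri buildLogoutUri(String domain, String clientId, String returnTo) {
        return new Uri.Builder()
                .scheme("https")
                .authority(domain)
                .appendPath("v2")
                .appendPath("logout")
                .appendQueryParameter("client_id", clientId)
                .appendQueryParameter("returnTo", returnTo)
                .build();
    }

    // Clears the local token copy, then hands the logout URL to the browser.
    // Clearing local credentials alone leaves the Auth0 session cookie in place,
    // which is why the next login succeeded silently in the thread above.
    // Returns false if no browser could be started, so the caller can tell the
    // user that the server-side session is still active.
    static boolean logout(Activity activity, Runnable clearLocalCredentials,
                          String domain, String clientId, String returnTo) {
        clearLocalCredentials.run(); // e.g. a call to clearCredentials() on the manager
        Intent intent = new Intent(Intent.ACTION_VIEW,
                buildLogoutUri(domain, clientId, returnTo));
        try {
            activity.startActivity(intent);
            return true;
        } catch (ActivityNotFoundException e) {
            return false;
        }
    }
}
```

The `returnTo` value has to be registered under Allowed Logout URLs in the Auth0 dashboard, and the app needs an intent filter for that URL if it should regain focus after the redirect.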