@yevgenii.shein you should be able to force a fresh login with the way you are using withParameters and specifying the key prompt and value login, can you try prompt=login? You could alternatively try implementing the logout logic using the Credentials Manager.
I am already using prompt=login. I also tried to use CredentialsManager.clearCredentials. It gives me no result.
This problem appeared more than 2 weeks ago on live build in store.
I also tried to create a sample with only login and live credentials of app and got same result - user was logged in after fresh install.
Hi @yevgenii.shein, did you find any solution?
I’m currently integrating auth0 android with our app and cannot find a way to log user out in a way that would force login page to be displayed upon next log-in.
Seems like SecureCredentialsManager deletes local token copy but next log-in attempt succeeds without prompting the user to enter credentials.
Even token revoking via the dashboard doesn’t help.
Seems like SecureCredentialsManager deletes local token copy but next log-in attempt succeeds without prompting the user to enter the credentials.
Even token revoking via the dashboard doesn’t help.
We do However you need to take into account that we have limited bandwidth and we’re not able to provide real-time support to all questions posted and sometimes solving require internal discussions. Will do my best to get back as soon as possible!
Don’t have Android knowledge that’s why I want to be sure until I provide the solution!
Thank you Konrad. Just to let you and the community know, my company is also interested in this topic: how to log out a user via an Android native application. Now that “Seamless SSO” is enabled by default in all new Auth0 tenants (and if someone with an older tenant enables this setting), simply removing locally store/managed JWTs for any app (web, iOS, Android) obviously will not ‘log out’ the user.
Also, requiring the app to provide “prompt=login” as a query param in a call to the /authorize endpoint is not a good solution (i.e. to ‘force’ Auth0 to present the login page), because that obviates the ability to join an existing SSO session if that is the desired outcome.
Thanks for all the feedback Folks! I just reached out to the person responsible for that quickstart @olle to see what they have too share on that front. I’ll get back to you once I got back any info!
Thanks @konrad.sopala.
Another 5 cents: this sample is supposed to receive a refresh token based on requested scopes ( “openid offline_access”) however the response contains id and access tokens only.
Our product is supposed to run as a background service and has to be able to request access token without user interaction.
So to summarize:
Current SDK implementation acts as it uses refresh token while no refresh token is delivered to the app.
Impossible to log user out as the SDK seems to discard the access token but it’s still able to retrieve it later without user interaction.
For the logout issue, you may follow up the status in this Github issue. SDK currently doesn’t make a request to the logout endpoint. Logout endpoint helps to clear the user’s session with Auth0. prompt=login can help to show the login widget but it isn’t a true logout so should be used with caution.
Thank you @Saltuk, I understand that logout url should be invoked through the browser that was used to log in (and not through an in-app http client that is used for api invocations) thus auth0 server will get a chance to remove the cookie and will optionally redirect to the provided url (returnTo param). Correct?