Log Users Completely Out of Auth0 On Swift

Hi everyone,

I am implementing a WebView application in Swift that needs to use Auth0-Swift for login which is passed to the web application.

The login works okay. Logging in successfully authenticates with Auth0 and also the web application. However, when a user logs out, which triggers credentialsManager.clear, the login information seems to still be saved. So the next time the user taps log in, their information is automatically used and they are passed along to the application. We need this to force them to enter their credentials again instead.

It also appears that after logging out, when the user presses log in the first time, it doesn’t successfully redirect? Not sure, probably a dumb error on our part. Pressing login again successfully moves the user onward.

How can we forcibly remove the login credentials when the user actually presses logout so that the next time Auth0 swift tries to authenticate, they are required to type credentials in again?

Hi @BrandonGardner2,

A couple of questions to clarify:

  • Are you using a quickstart?
  • Can you post the exact code you are using to log out?

Thanks,
Dan

Hey Dan,

I believe it was done using quick start.

Here is the logout code listening for a WebView message:

    extension ViewController: WKScriptMessageHandler {
        func userContentController(_ userContentController: WKUserContentController, didReceive message: WKScriptMessage) {
            if message.name == messageName {
                // Deletes the credentials the CredentialsManager stored in the keychain
                let _ = credentialsManager.clear()
                LandingViewController.makeRootViewController()
            }
        }
    }

and in another location through a settings menu

    @IBAction func onLogoutTapped(_ sender: UIButton) {
        self.credentialManager.clear()
        LandingViewController.makeRootViewController()
    }

Are you using SSO with multiple apps?

I don’t know that we are for sure? We have universal login set up and a web auth login using auth0-js for a React app and then the auth0-swift for this webview application. Would you mind expanding a little? If it is something we would have needed to explicitly code, I doubt it.

If it helps, I can tell you that the credentials being saved persist even through deleting and reinstalling the application.

It sounds like there is a session cookie persisting in the browser. Logout occurs on multiple layers: the application, the auth server (with a cookie), and the IdP. Can you try this?
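
The layers named in the reply above, as an added example that is not part of the thread and is not the suggestion the reply goes on to make (that is not shown on this page). It assumes the Auth0.swift 2.x `clearSession` callback signature; `logOutCompletely` and `LogoutResult` are hypothetical names.

```swift
import Auth0
import WebKit

/// Hypothetical type (not from the thread): records which layers were cleared.
struct LogoutResult {
    var serverSessionCleared = false
    var storedCredentialsCleared = false
}

/// Hypothetical helper: clears the auth server session, the stored tokens,
/// and the WKWebView data, then reports back on the main queue.
func logOutCompletely(credentialsManager: CredentialsManager,
                      federated: Bool = false,
                      completion: @escaping (LogoutResult) -> Void) {
    var result = LogoutResult()

    // Layer 1: the Auth0 session cookie held by the system browser.
    // credentialsManager.clear() alone never touches this cookie, which is
    // why the next login can complete without a credentials prompt.
    // federated: true also asks Auth0 to log the user out of the upstream IdP.
    Auth0.webAuth().clearSession(federated: federated) { outcome in
        if case .success = outcome {
            result.serverSessionCleared = true
        }

        // Layer 2: tokens the app stored in the keychain.
        result.storedCredentialsCleared = credentialsManager.clear()

        // Layer 3: cookies and storage inside the app's own WKWebView,
        // where the web application keeps its session.
        // WKWebsiteDataStore must be used from the main thread.
        DispatchQueue.main.async {
            WKWebsiteDataStore.default().removeData(
                ofTypes: WKWebsiteDataStore.allWebsiteDataTypes(),
                modifiedSince: Date(timeIntervalSince1970: 0)
            ) {
                completion(result)
            }
        }
    }
}
```

Call it from the logout handlers and switch to the landing screen inside `completion`, checking `serverSessionCleared` before treating the user as logged out. `clearSession` needs the app's callback URL listed under Allowed Logout URLs for the Auth0 application.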