
Swift login alert shows up when you logout

Exact same issue

This is our login code; we follow the code sample.

    func login(handler: (() -> Void)?) {
        Auth0
            .webAuth()
            .scope(Constants.scope)
            .audience(Constants.domain)
            .start { [weak self] in
                switch $0 {
                case .failure(let error):
                    // Handle the error
                    print("Error: \(error)")
                case .success(let credentials):
                    _ = self?.store(credentials: credentials)
                    if let handler = handler {
                        handler()
                    }
                }
            }
    }

This is our logout code

    Auth0
        .webAuth()
        .clearSession(federated: true) { [weak self] (success) in
            if success {
                // Stop the refresh timer and drop the locally stored credentials
                self?.accessTokenRefreshtimer?.suspend()
                self?.accessTokenRefreshtimer = nil
                self?.credentials = nil
                self?.credentialsManager.clear()
            }
        }

When we logout, the login alert will show up

1 Like

Hey Sean!

Can you provide me with more context around it? I’d really appreciate if you share what version of the SDK you’re using + what device you’re testing it on.

Thanks a lot for that!

Version: Auth0 (1.14.1)

We tried on multiple devices such as X, 8, and also simulators. So it is not specific to any particular device.

Thank you! Let me investigate it and get back to you once I find something!

1 Like

Let me know if you still need more information.

Thank you @sean.liu! I contacted you via DM regarding this case.

I also have the same issue. Is there any solution for this?

What is the solution to this? Calling

    Auth0
        .webAuth()
        .clearSession(federated: true) { … }

automatically calls the Auth0 login screen

Hi, I have been getting the same issue. Any expected timeline on when this might be fixed?

Hi Konrad,

I have the same issues, please help me on this.

Hey there @thangarajan89!

Can you provide me with screenshots and some code snippets that I can dig into? Any info / context around it will be very useful!

For logout we are calling the code below:

    Auth0.webAuth().clearSession(federated: true) { (isLoggedOut) in
        DispatchQueue.main.async {
            let keychain = A0SimpleKeychain(service: "Auth0")
            keychain.clearAll()
            // Perform UI updates
            self.credentials = nil
            _ = self.credentialsManager.clear()
            callback(isLoggedOut)
        }
    }

Can you also share screen by screen (the whole flow) how it behaves? The reason I’m asking it is that with previous developers asking we weren’t able to get enough info to troubleshoot that, hence having as much additional info as possible is very helpful!


First we call login using the code below:

    let scope = "openid profile offline_access email ssp:post"
    let audience = "https://device-messaging-apis"

    AuthManager.shared.patchMode = false
    Auth0
        .webAuth()
        .scope(scope)
        .audience(audience)
        .start {
            switch $0 {
            case .failure(let error):
                print("Error: \(error)")
            case .success(let credentials):
                if !AuthManager.shared.store(credentials: credentials) {
                    print("Failed to store credentials")
                } else {
                    self.handleSuccessLogin()
                }
            }
        }

After executing this code we get the login shown in the screenshot below.

For logout,

After pressing Logout, we execute the code below.
We call the code below when the logout option is pressed:

    Auth0.webAuth().clearSession(federated: true) { (isLoggedOut) in
        DispatchQueue.main.async {
            let keychain = A0SimpleKeychain(service: "Auth0")
            keychain.clearAll()
            // Perform UI updates
            self.credentials = nil
            _ = self.credentialsManager.clear()
            callback(isLoggedOut)
        }
    }

After this we get the default alert shown in the screenshot below. (This alert is shown on both login and logout.)

Thank you a lot! Let me investigate it and get back to you once I have news to share!

Any news? Same error here

Any news yet? Having the same issue

Hi folks,

I’ve started looking into this. I was able to reproduce it using our quickstart, but I don’t fully understand the cause yet, or how to fix it. I’ll be digging deeper over the next week or two so look for an update here soon.

Thanks,

Matt

Hi folks,

Long post following.

I think it’s important to note that clearSession clears the Auth0 session and optionally the IdP session from your system browser. You can simply remove access tokens and/or refresh tokens within your app to “deauthorize” the app itself. However, note that existing SSO sessions could allow the user to “log in” to the app again without entering username/password, which may be confusing to the user and/or not what you want to happen.

Let’s dig into this some more:

The SDK currently uses (assuming iOS13) ASWebAuthenticationSession to open a web browser for the user. This has the following properties:

  • The iOS native "AppName" wants to use "tenant" to sign in prompt will appear when you want to use shared cookies in Safari. This is a hard requirement of Apple’s implementation and can’t be changed. The current behavior of the Auth0 Swift SDK is to use shared cookies, but this is optional within ASWebAuthenticationSession and we discuss a way around it later.
  • Since we’re using shared cookies, Safari will have access to any existing SSO sessions (that is, if the user had an existing Facebook session and chose Facebook sign-in they would not be prompted for Facebook username/password)
  • Reference: https://developer.apple.com/documentation/authenticationservices/aswebauthenticationsession

As far as experiencing the “wants to sign in with…” native prompt when calling clear session, we’re stuck with it due to the cookie behavior we’re using in the SDK. However, here are some things to consider:

  • We can minimize the login/logout calls to the browser by storing a refresh token locally (https://auth0.com/docs/libraries/auth0-swift/save-and-refresh-jwt-tokens)
  • We can revoke the refresh token instead of “logging out”—this could confuse users when they try to “log in” again because they may have an SSO session stored in the system browser and may not have to enter username/password. Reference: https://github.com/auth0/Auth0.swift#clearing-credentials-and-revoking-refresh-tokens
    • You can work around this with short Auth0 sessions (like a 5 minute session…by the time the user tries to sign in again the session will be long expired)
    • You can force new “log in” attempts to require username/password by storing the logout time in the keychain when revoking the token, and using this to calculate an appropriate max_age to send to the /authorize endpoint to require reauthentication (e.g. max_age = date.current - date.last_logout - 10000 …10000 being some appropriate clock skew fudge factor).

Another solution involves forking the Auth0 Swift SDK or rolling your own logic. The iOS ASWebAuthentication method can be called with prefersEphemeralWebBrowserSession set to True. This opens a Safari instance that does not use shared cookies and users will not see the “wants to sign in with…” native prompt. However, the browser session will not have access to any SSO sessions. If you don’t need or care about SSO this may be a good option for you. It’s possible in the future we could add a configuration option in the Auth0 Swift SDK that would force it not to use shared cookies (please post here if this is a feature you would use).

4 Likes
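The two options from the post above (an ephemeral browser session, or shared cookies with a `max_age` computed from the stored logout time), sketched as an added example that is not part of the thread or of the Auth0 Swift SDK. The `WebLogin` class, its parameter names, the `openid profile` scope, and the 10-second skew default are assumptions; `max_age` is computed in seconds, and the caller is expected to exchange the returned code using `codeVerifier`.

```swift
import AuthenticationServices
import CryptoKit

// Hypothetical helper (not SDK code): drives ASWebAuthenticationSession directly (iOS 13+).
final class WebLogin: NSObject, ASWebAuthenticationPresentationContextProviding {
    private let anchor: ASPresentationAnchor
    private var session: ASWebAuthenticationSession?
    private(set) var codeVerifier = ""   // PKCE verifier, kept for the later token exchange
    init(anchor: ASPresentationAnchor) { self.anchor = anchor }
    func presentationAnchor(for session: ASWebAuthenticationSession) -> ASPresentationAnchor { anchor }

    private static func b64url(_ d: Data) -> String {
        d.base64EncodedString().replacingOccurrences(of: "+", with: "-")
            .replacingOccurrences(of: "/", with: "_").replacingOccurrences(of: "=", with: "")
    }
    private static func token() -> String { b64url(Data((0..<32).map { _ in UInt8.random(in: 0...255) })) }

    /// ephemeral: no shared cookies, no native prompt, no SSO. Otherwise max_age forces re-login.
    func start(domain: String, clientID: String, redirectURI: URL, ephemeral: Bool,
               lastLogout: Date?, skew: TimeInterval = 10,   // assumed skew, in seconds
               completion: @escaping (Result<URL, Error>) -> Void) {
        let state = Self.token()
        codeVerifier = Self.token()
        let challenge = Self.b64url(Data(SHA256.hash(data: Data(codeVerifier.utf8))))
        var parts = URLComponents(string: "https://\(domain)/authorize")!
        parts.queryItems = [
            URLQueryItem(name: "response_type", value: "code"),
            URLQueryItem(name: "client_id", value: clientID),
            URLQueryItem(name: "redirect_uri", value: redirectURI.absoluteString),
            URLQueryItem(name: "scope", value: "openid profile"),
            URLQueryItem(name: "state", value: state),
            URLQueryItem(name: "code_challenge", value: challenge),
            URLQueryItem(name: "code_challenge_method", value: "S256"),
        ]
        if !ephemeral, let lastLogout = lastLogout {
            // Any authentication older than the stored logout time is treated as too old.
            let maxAge = max(0, Int(Date().timeIntervalSince(lastLogout) - skew))
            parts.queryItems?.append(URLQueryItem(name: "max_age", value: String(maxAge)))
        }
        let s = ASWebAuthenticationSession(url: parts.url!, callbackURLScheme: redirectURI.scheme) { url, error in
            let items = url.flatMap { URLComponents(url: $0, resolvingAgainstBaseURL: false)?.queryItems }
            if let url = url, items?.first(where: { $0.name == "state" })?.value == state {
                completion(.success(url))   // state matches; caller exchanges ?code=
            } else {
                completion(.failure(error ?? URLError(.userAuthenticationRequired)))
            }
        }
        s.presentationContextProvider = self
        s.prefersEphemeralWebBrowserSession = ephemeral
        session = s                         // retain until the callback fires
        s.start()
    }
}
```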

Thanks for this huge write-up Matt!