Swift login alert shows up when you logout

Hi folks,

Long post following.

I think it’s important to note that clearSession clears the Auth0 session and optionally the IdP session from your system browser. You can simply remove access tokens and/or refresh tokens within your app to “deauthorize” the app itself. However, note that existing SSO sessions could allow the user to “log in” to the app again without entering username/password, which may be confusing to the user and/or not what you want to happen.

Let’s dig into this some more:

The SDK currently uses (assuming iOS13) ASWebAuthenticationSession to open a web browser for the user. This has the following properties:

  • The iOS native “‘AppName’ wants to use ‘tenant’ to sign in” prompt will appear when you want to use shared cookies in Safari. This is a hard requirement of Apple’s implementation and can’t be changed. The current behavior of the Auth0 Swift SDK is to use shared cookies, but this is optional within ASWebAuthenticationSession and we discuss a way around it later.
  • Since we’re using shared cookies, Safari will have access to any existing SSO sessions (that is, if the user had an existing Facebook session and chose Facebook sign-in they would not be prompted for Facebook username/password)
  • Reference: Apple Developer Documentation

As far as experiencing the “wants to sign in with…” native prompt when calling clear session, we’re stuck with it due to the cookie behavior we’re using in the SDK. However, here are some things to consider:

  • We can minimize the login/logout calls to the browser by storing a refresh token locally (Auth0.swift: Save and Renew Tokens)
  • We can revoke the refresh token instead of “logging out”—this could confuse users when they try to “log in” again because they may have an SSO session stored in the system browser and may not have to enter username/password. Reference: GitHub - auth0/Auth0.swift: Auth0 SDK for Apple platforms
    • You can work around this with short Auth0 sessions (like a 5-minute session; by the time the user tries to sign in again the session will be long expired)
    • You can force new “log in” attempts to require username/password by storing the logout time in the keychain when revoking the token, and using this to calculate an appropriate max_age to send to the /authorize endpoint to require reauthentication (e.g. max_age = date.current - date.last_logout - 10000 … 10000 being some appropriate clock skew fudge factor).

Another solution involves forking the Auth0 Swift SDK or rolling your own logic. The iOS ASWebAuthentication method can be called with prefersEphemeralWebBrowserSession set to true. This opens a Safari instance that does not use shared cookies and users will not see the “wants to sign in with…” native prompt. However, the browser session will not have access to any SSO sessions. If you don’t need or care about SSO this may be a good option for you. It’s possible in the future we could add a configuration option in the Auth0 Swift SDK that would force it not to use shared cookies (please post here if this is a feature you would use).

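The two “roll your own” ideas from the post above, put together as an added example (this is not code from the post, and it is not Auth0.swift): a keychain-backed logout timestamp that yields the max_age to send to /authorize, and an ephemeral ASWebAuthenticationSession that avoids the “wants to use … to sign in” prompt at the cost of SSO. The Auth0 domain, client id, callback scheme, redirect URI format and keychain service/account names are placeholders you would replace; the max_age arithmetic follows the post’s formula (time since logout minus a clock-skew fudge). The authorize request uses PKCE and a state check because a native app has no client secret and must not accept a callback it did not initiate.

```swift
import Foundation
import AuthenticationServices
import CryptoKit
import Security

// Added example: not from the original post and not Auth0.swift code. Placeholder (hypothetical) values below;
// requires iOS 13+ for CryptoKit and prefersEphemeralWebBrowserSession.
let auth0Domain = "YOUR_TENANT.auth0.com"
let auth0ClientId = "YOUR_CLIENT_ID"
let callbackScheme = "com.example.app"
let redirectURI = "\(callbackScheme)://\(auth0Domain)/ios/com.example.app/callback"

enum KeychainError: Error { case status(OSStatus) }

/// Remembers when the app last revoked its refresh token so the next /authorize can demand re-authentication.
enum LogoutClock {
    private static let baseQuery: [String: Any] = [
        kSecClass as String: kSecClassGenericPassword,
        kSecAttrService as String: "com.example.app.auth",   // hypothetical service name
        kSecAttrAccount as String: "last_logout",
    ]
    /// Fudge (seconds) so max_age is never larger than the true time since logout, even if clocks disagree.
    static let clockSkewFudge: TimeInterval = 10_000

    static func recordLogout(at date: Date = Date()) throws {
        SecItemDelete(baseQuery as CFDictionary)                // drop any earlier value first
        var add = baseQuery
        add[kSecValueData as String] = String(date.timeIntervalSince1970).data(using: .utf8)!
        add[kSecAttrAccessible as String] = kSecAttrAccessibleAfterFirstUnlockThisDeviceOnly
        let status = SecItemAdd(add as CFDictionary, nil)
        guard status == errSecSuccess else { throw KeychainError.status(status) }
    }

    static func lastLogout() -> Date? {
        var query = baseQuery
        query[kSecReturnData as String] = true
        query[kSecMatchLimit as String] = kSecMatchLimitOne
        var item: CFTypeRef?
        guard SecItemCopyMatching(query as CFDictionary, &item) == errSecSuccess,
              let data = item as? Data, let text = String(data: data, encoding: .utf8),
              let seconds = TimeInterval(text) else { return nil }
        return Date(timeIntervalSince1970: seconds)
    }

    /// OIDC max_age: any session authenticated before the recorded logout is older than this value, so Auth0
    /// must re-authenticate. Clamped at 0 (always re-authenticate) if clocks look wrong; nil = no logout recorded.
    static func maxAge(now: Date = Date()) -> Int? {
        guard let logout = lastLogout() else { return nil }
        return max(0, Int(now.timeIntervalSince(logout) - clockSkewFudge))
    }
}

func base64URL(_ data: Data) -> String {
    data.base64EncodedString().replacingOccurrences(of: "+", with: "-")
        .replacingOccurrences(of: "/", with: "_").replacingOccurrences(of: "=", with: "")
}
func randomToken() -> String { base64URL(Data((0..<32).map { _ in UInt8.random(in: .min ... .max) })) }

/// PKCE verifier/challenge pair (S256); a native app must not rely on a client secret.
func pkce() -> (verifier: String, challenge: String) {
    let verifier = randomToken()
    return (verifier, base64URL(Data(SHA256.hash(data: Data(verifier.utf8)))))
}

func authorizeURL(state: String, nonce: String, codeChallenge: String, maxAge: Int?) -> URL {
    var c = URLComponents(string: "https://\(auth0Domain)/authorize")!
    c.queryItems = [
        URLQueryItem(name: "response_type", value: "code"),
        URLQueryItem(name: "client_id", value: auth0ClientId),
        URLQueryItem(name: "redirect_uri", value: redirectURI),
        URLQueryItem(name: "scope", value: "openid profile offline_access"),
        URLQueryItem(name: "state", value: state),
        URLQueryItem(name: "nonce", value: nonce),
        URLQueryItem(name: "code_challenge", value: codeChallenge),
        URLQueryItem(name: "code_challenge_method", value: "S256"),
    ] + (maxAge.map { [URLQueryItem(name: "max_age", value: String($0))] } ?? [])
    return c.url!
}

/// Ephemeral ASWebAuthenticationSession: no shared Safari cookies, so no “wants to use … to sign in”
/// prompt, but also no SSO from sessions that already exist in the system browser.
final class EphemeralWebAuth: NSObject, ASWebAuthenticationPresentationContextProviding {
    private var session: ASWebAuthenticationSession?
    private let anchor: ASPresentationAnchor
    init(anchor: ASPresentationAnchor) { self.anchor = anchor }

    func start(maxAge: Int?, completion: @escaping (Result<(code: String, verifier: String), Error>) -> Void) {
        let state = randomToken(), nonce = randomToken(), (verifier, challenge) = pkce()
        let url = authorizeURL(state: state, nonce: nonce, codeChallenge: challenge, maxAge: maxAge)
        let s = ASWebAuthenticationSession(url: url, callbackURLScheme: callbackScheme) { callback, error in
            if let error = error { return completion(.failure(error)) }
            let items = URLComponents(url: callback!, resolvingAgainstBaseURL: false)?.queryItems ?? []
            // Reject callbacks whose state does not match the one we sent.
            guard items.first(where: { $0.name == "state" })?.value == state,
                  let code = items.first(where: { $0.name == "code" })?.value else {
                return completion(.failure(URLError(.badServerResponse)))
            }
            completion(.success((code, verifier)))
        }
        s.prefersEphemeralWebBrowserSession = true
        s.presentationContextProvider = self
        session = s
        s.start()
    }

    func presentationAnchor(for session: ASWebAuthenticationSession) -> ASPresentationAnchor { anchor }
}
```

Usage: on “logout”, revoke the refresh token (Auth0’s /oauth/revoke) and then call `try? LogoutClock.recordLogout()` instead of opening the browser for clearSession. On the next sign-in, call `EphemeralWebAuth(anchor: window).start(maxAge: LogoutClock.maxAge())` and exchange the returned code and PKCE verifier at /oauth/token. Passing max_age also works with the shared-cookie flow (for example through Auth0.swift’s extra authorize parameters); the ephemeral flag is only needed if you want to drop the native prompt and can live without SSO.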