Hello, I’m trying to implement logout functionality in my Xamarin.Forms app. I’m able to log out of my application’s session (deleting tokens saved to the current application, etc.), but I’m not sure how to log out of Auth0. I’d like to make it so that after the user clicks logout, then when trying to log back in and being redirected to the Auth0 login site, they would have to retype their credentials. Currently, their credentials remain saved and I suspect I have to delete cookies, but I don’t believe the auth0oidcclient for Xamarin has logout functionality, and I’m unsure of how to use the logout endpoint as well. Any help would be greatly appreciated, thank you all!
Auth0Client.LogoutAsync()
A problem you may run into is that LogoutAsync() simply returns a Task. It returns Task whether the user selects “Cancel” or “Continue” from the obligatory iOS prompt of “[App] Wants to Use [site] to Sign In”. This can be problematic because you may be awaiting the logout in order to clear a token or identity that you’ve stored locally in secure storage. But since Task is returned for both the Cancel and Continue scenarios, there is no way for you to know if the user actually proceeded to log out or not.
Auth0, please return a success result of some kind for LogoutAsync(), similar to LoginAsync() and its Task<LoginResult>. Even something as simple as Task<bool>, with true indicating Continue and false indicating Cancel.
IdentityModel.OidcClient 2.3.1 (iOS)
There is a merged PR that addresses LogoutAsync() not returning a result:
It’s not yet in the NuGet, but it’s in the master branch.
Hey there jsauve,
I think I’m having a similar problem as @avocadosYUM trying to “LogoutAsync()” in my Xamarin Forms App.
I don’t understand what I should set my Allowed Logout URL as - and I haven’t found anything useful in this regard in the Xamarin docs. I believe I should send the user to: https://TENANT.auth0.com/v2/logout, but I don’t understand what the format of the URL should look like.
May I please ask you (or the Xamarin Auth0 Community) to advise on what the callback should be?
Thank you!
Hi @johnnyjohnny.
If you’re using the Auth0Client nuget (Auth0.OidcClient), you just need to provide the same redirect URL that you’re also using for login.
YOUR_BUNDLE_IDENTIFIER://[tenant].auth0.com/ios/YOUR_BUNDLE_IDENTIFIER/callback
OR, if you have a custom domain setup (which is what I’m doing):
YOUR_BUNDLE_IDENTIFIER://YourCustomDomainOrSubdomain.com/ios/YOUR_BUNDLE_IDENTIFIER/callback
And of course, if your bundle identifier and package name are different for iOS and Android, make sure you enter both.
Remember that for native mobile apps, all you’re doing with the redirect URL is directing back into your app. In other words, closing the browser. That’s why you specify a scheme like “com.mycompany.myapp://” and then make sure your app knows what that scheme is by entering it in the URL types section of Info.plist: so that iOS recognizes the “com.mycompany.myapp://” scheme, which lets the browser say “Ok, I know what this is, and when I see this, open it in the app, not try to navigate to it as a webpage.” It’s so that the browser knows what to do when it encounters that custom scheme.
The https://tenant.auth0.com/v2/logout you mentioned is NOT a valid callback URL. It’s the actual endpoint that the Auth0 client calls under the hood. If you’re using that URL, then it means you’re writing your own custom client, and I’m assuming that’s not what you’re trying to do.
Does that help at all? To summarize, use the same redirect URL that’s in the Auth0 Quickstart documentation for Xamarin. Use it in “Allowed Callback URLs” AND in “Allowed Logout URLs”.
Bear in mind that at the time of this writing, 2.3.1 is the highest available version of the Auth0 client nuget package. That version doesn’t support a result from the LogoutAsync() task. So, for example, when the user is prompted by iOS whether or not they want to continue or cancel (same alert that you see with login), a Task is returned with no result. So you won’t know whether or not they proceeded to logout or if they continued. This is problematic because if you’re maintaining session state in the app yourself (which you ought to be if you want to avoid making users login frequently), then you’ll never know if you should clear your local session state or not. HOWEVER, there was a PR merge to the master branch several days ago that changed the result of LoginAsync() to Task of BrowserResult, and BrowserResult has a ResultType property. You can check ResultType == BrowserResultType.UserCancel to determine whether the user cancelled or proceeded to logout. You just won’t find that in the 2.3.1 nuget package. So you may need to build from source for now if you want that.
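The cancel-versus-continue check described in the answer above, sketched as an added example that is not part of the original posts or of the Auth0 SDK. `SessionLogout`, `LogoutOutcome`, the storage key names and the `browserLogout` delegate are hypothetical; `BrowserResultType` comes from IdentityModel.OidcClient and `SecureStorage` from Xamarin.Essentials.

```csharp
using System;
using System.Threading.Tasks;
using IdentityModel.OidcClient.Browser; // BrowserResultType
using Xamarin.Essentials;               // SecureStorage

public enum LogoutOutcome { LoggedOut, Cancelled, Failed }

public static class SessionLogout
{
    // Hypothetical key names for whatever the app stored after login.
    static readonly string[] StoredKeys = { "access_token", "id_token", "refresh_token" };

    // browserLogout wraps the client call. Assumption, following the thread's
    // description of the master branch:
    //   async () => (await auth0Client.LogoutAsync()).ResultType
    public static async Task<LogoutOutcome> LogoutAsync(Func<Task<BrowserResultType>> browserLogout)
    {
        BrowserResultType result;
        try
        {
            result = await browserLogout();
        }
        catch (Exception)
        {
            // The browser call threw: nothing was confirmed, keep local state.
            return LogoutOutcome.Failed;
        }

        switch (result)
        {
            case BrowserResultType.Success:
                // The browser came back through the logout redirect URL,
                // so drop the locally stored session as well.
                foreach (var key in StoredKeys)
                    SecureStorage.Remove(key);
                return LogoutOutcome.LoggedOut;

            case BrowserResultType.UserCancel:
                // The user dismissed the iOS prompt: the Auth0 session is
                // untouched, so the local session stays too.
                return LogoutOutcome.Cancelled;

            default:
                // HttpError, Timeout, UnknownError: logout not confirmed.
                return LogoutOutcome.Failed;
        }
    }
}
```

Only the `Success` branch removes stored tokens, so the local session and the Auth0 session cannot drift apart when the prompt is cancelled.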
Better late than never… this was VERY helpful. Thank you!