FormidableLabs / react-native-app-auth

React native bridge for AppAuth - an SDK for communicating with OAuth2 providers
https://commerce.nearform.com/open-source/react-native-app-auth
MIT License

Silent logout react native? #994

Open Ivan-Stashak-CardinalPeak opened 5 months ago

Ivan-Stashak-CardinalPeak commented 5 months ago

Issue

I'm using Microsoft Azure ActiveDirectory for my mobile app and am attempting to achieve silent (promptless) logout. I've set up a login_hint for my id token, but I'm unable to achieve a logout UX that prevents the popping of 2 dialogs - one for the user to acknowledge that the app wishes to use microsoftonline.com to Sign In and the second to choose the user to sign out.

Is promptless logout something that has been achieved with this library in react native?

In addition, the logout() method seems to log the user out as the Azure pop-up displays the message:

You're signed out here, but you may need to manually sign out from other apps.

From here the pop-up dialog doesn't automatically dismiss, and I'm required to hit the 'Cancel' button in the top left corner in order to dismiss the dialog. This results in the logout() method returning the following error:

The operation couldn’t be completed. (org.openid.appauth.general error -3.)

I suspect that this may be due to my postLogoutRedirectUrl, which is:

'com.foo.mobile.unauth://oauth/'

Is this supposed to be an https url? I used this form due to the need to use a similar redirect for login:

'com.foo.mobile.auth://oauth/'

Note, I have no issues with login. Everything returns successfully and the Azure dialog presents with a continue button for dismissing itself after successful auth.

Environment

maddeha commented 4 months ago

Did you achieve the promptless logout ?

juanchoperezj commented 3 months ago

+1

carbonrobot commented 3 months ago

tldr; Silent logout is not part of the OAuth2.0 specification, so is not explicitly supported.

It's important to remember that OAUTH2 is a redirect flow based authorization framework. As such, it needs to redirect your browser to a URL that has access to the cookies that are stored under your IDP's domain in local storage. For security, browsers do not allow cross domain access to local storage.

The OAUTH2 specification extension RFC 7009 allows for a "revoke" endpoint.

2. Token Revocation Implementations MUST support the revocation of refresh tokens and SHOULD support the revocation of access tokens (see Implementation Note).

This can revoke the refresh token at the IDP, but they are not required to support revocation of access tokens.

You can see the docs on how to revoke refresh tokens with this library here: https://commerce.nearform.com/open-source/react-native-app-auth/docs/usage/revoke

It may be possible to support silent logout if
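The RFC 7009 exchange carbonrobot refers to, as an added example that is not part of this thread and not react-native-app-auth's own code (the library's revoke() call linked above wraps this request for you). The revocation endpoint, client id, tokens and the in-memory stand-in for the IDP are constructed placeholders so the example runs offline; the stand-in deliberately refuses access-token revocation to show the optional part of the spec.

```javascript
// Added example: a minimal RFC 7009 token-revocation client, showing what a
// mobile logout can and cannot do at the IDP. All endpoint/client/token values
// are constructed placeholders, not real Azure or app values.

const REVOCATION_ENDPOINT = 'https://idp.example.test/oauth2/revoke'; // assumed
const CLIENT_ID = 'example-native-client-id';                          // assumed

// Build the application/x-www-form-urlencoded request RFC 7009 section 2.1
// requires: the token plus an optional token_type_hint. A public (native)
// client has no secret, so it identifies itself with client_id only.
function buildRevocationRequest(token, tokenTypeHint, clientId) {
  const params = new URLSearchParams();
  params.set('token', token);
  if (tokenTypeHint) params.set('token_type_hint', tokenTypeHint);
  if (clientId) params.set('client_id', clientId);
  return {
    url: REVOCATION_ENDPOINT,
    method: 'POST',
    headers: { 'Content-Type': 'application/x-www-form-urlencoded' },
    body: params.toString(),
  };
}

// Interpret the response per RFC 7009 section 2.2: HTTP 200 means the token is
// now invalid (or already was), an error JSON body names the failure, and a
// 503 tells the client to retry later.
async function revokeToken(fetchImpl, token, tokenTypeHint) {
  const req = buildRevocationRequest(token, tokenTypeHint, CLIENT_ID);
  const res = await fetchImpl(req.url, { method: req.method, headers: req.headers, body: req.body });
  if (res.status === 200) return { ok: true, retry: false, error: null };
  if (res.status === 503) return { ok: false, retry: true, error: 'temporarily_unavailable' };
  let error = 'unknown_error';
  try { error = (await res.json()).error || error; } catch (_) { /* non-JSON body */ }
  return { ok: false, retry: false, error };
}

// Constructed stand-in for an IDP: it revokes refresh tokens but, as RFC 7009
// permits, does not support revoking access tokens.
function makeFakeIdp() {
  const revoked = new Set();
  return {
    revoked,
    async fetch(url, init) {
      const params = new URLSearchParams(init.body);
      if (params.get('token_type_hint') === 'access_token') {
        return { status: 400, json: async () => ({ error: 'unsupported_token_type' }) };
      }
      revoked.add(params.get('token'));
      return { status: 200, json: async () => ({}) };
    },
  };
}

// Logout sequence for a mobile app: revoke what the IDP will accept, then drop
// local tokens regardless. This ends the app's own session without a browser
// redirect; it does not clear the IDP's browser-session cookie, which is why a
// fully silent logout is not available through this path.
async function logoutLocally(fetchImpl, tokens) {
  const refreshResult = await revokeToken(fetchImpl, tokens.refreshToken, 'refresh_token');
  const accessResult = await revokeToken(fetchImpl, tokens.accessToken, 'access_token');
  return { refreshResult, accessResult, localTokensCleared: true };
}

// Demo run against the constructed IDP.
logoutLocally(makeFakeIdp().fetch, { refreshToken: 'rt-demo', accessToken: 'at-demo' })
  .then((r) => console.log(JSON.stringify(r)));
```

The access token in this sequence stays valid at the resource server until it expires, so short access-token lifetimes are what actually bound the exposure after a logout; the refresh token revocation is what stops the session from being renewed.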