Open michelerenzullo opened 1 week ago
It might be the case that this is not really a flutter_appauth issue, but more AppAuth0 or LogTo (provider). I'm not sure, but please feel free to close it if you agree. For other devs that have a similar issue, I opened a new issue in LogTo: https://github.com/logto-io/js/issues/765

Problem:
There is a specific circumstance where it's impossible to sign in anymore till the deletion of the `_session` cookie in Chrome (Android) or Safari (iOS), even if `prompt=login` is set. Related issue here https://github.com/openid/AppAuth-Android/issues/874 and how it is solved.

Steps to reproduce the issue, assuming you have a sign-in with auto code exchange and `prompt=login`, i.e. it should always force a new login:

```
PlatformException(authorize_and_exchange_code_failed, Failed to authorize: [error: invalid_grant, description: grant request is invalid], null, null)
```

What would be the correct flow:
`prompt=login` should be a guarantee that any (corrupted or not corrupted) `_session` cookie previously stored in the browser won't prevent you from logging in again.

Explanations:
`_session` cookie that points to "a dead" user information. The user will not be able to log in anymore till he manually deletes the `_session` cookie in Chrome.

Possible solution:
`max_age: 0` along with `prompt=login`, perhaps in `additionalParameters`, so that the `_session` cookie auto-expires. Note: 0 must be int, not type String, so not sure if it is parsed correctly under the hood.
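As an added illustration of the workaround proposed above (not code from the reporter or from flutter_appauth itself), the following Dart snippet builds the two request variants side by side: the `prompt=login`-only request that hits the stale `_session` cookie, and the same request with `max_age` added through `additionalParameters`. It assumes the `AuthorizationTokenRequest` / `authorizeAndExchangeCode` API of the flutter_appauth package and uses placeholder client, redirect and discovery values. Because `additionalParameters` is a `Map<String, String>` and every authorization query parameter is sent as a string in the URL anyway, `'0'` is the representation the provider receives and parses as an integer.

```dart
import 'package:flutter/services.dart' show PlatformException;
import 'package:flutter_appauth/flutter_appauth.dart';

// Placeholder values constructed for this example; replace with your own.
const String clientId = 'YOUR_CLIENT_ID';
const String redirectUrl = 'com.example.app://callback';
const String discoveryUrl =
    'https://YOUR_ISSUER/.well-known/openid-configuration';

final FlutterAppAuth appAuth = FlutterAppAuth();

/// Request as described in the issue: prompt=login on its own.
/// A stale `_session` cookie in the system browser can still cause the
/// code exchange to fail with invalid_grant.
AuthorizationTokenRequest buildPromptLoginOnly() {
  return AuthorizationTokenRequest(
    clientId,
    redirectUrl,
    discoveryUrl: discoveryUrl,
    scopes: <String>['openid', 'profile', 'offline_access'],
    promptValues: <String>['login'],
  );
}

/// Proposed mitigation: send max_age=0 next to prompt=login so the
/// provider treats any existing session as expired. Query parameters are
/// strings on the wire, so the value is passed as the string '0'.
AuthorizationTokenRequest buildPromptLoginWithMaxAge() {
  return AuthorizationTokenRequest(
    clientId,
    redirectUrl,
    discoveryUrl: discoveryUrl,
    scopes: <String>['openid', 'profile', 'offline_access'],
    promptValues: <String>['login'],
    additionalParameters: <String, String>{'max_age': '0'},
  );
}

/// Runs the sign-in and surfaces the failure mode from the issue explicitly,
/// so it can be logged and distinguished from a user cancelling the flow.
Future<AuthorizationTokenResponse?> signIn() async {
  try {
    return await appAuth.authorizeAndExchangeCode(buildPromptLoginWithMaxAge());
  } on PlatformException catch (e) {
    // 'authorize_and_exchange_code_failed' with an invalid_grant message is
    // the symptom reported above: the browser-side `_session` cookie no
    // longer matches a valid provider session.
    if (e.code == 'authorize_and_exchange_code_failed' &&
        (e.message ?? '').contains('invalid_grant')) {
      // Log and let the caller decide (e.g. show a "clear browser cookies"
      // hint); do not retry silently, it will fail the same way.
      print('Code exchange rejected: ${e.message}');
      return null;
    }
    rethrow;
  }
}
```

`buildPromptLoginOnly()` is kept only for comparison; the authorization URL it produces differs from the mitigated one solely by the absence of `max_age=0`, which is the easiest way to confirm in the provider's logs whether the parameter is actually being honoured.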