auth0 / auth0-oidc-client-net

OIDC Client for .NET Desktop and Mobile applications
https://auth0.github.io/auth0-oidc-client-net/
Apache License 2.0

Not able to logout completely from Salesforce without completely close the app on iOS. #217

Closed huyvuskedulo closed 2 years ago

huyvuskedulo commented 3 years ago

I'm having an issue with my app when using Auth0 combined with Salesforce at logout. When we log out from Salesforce using the Auth0 package, we have trouble completely logging out the current user. It looks like the cookies are still hanging around unless the user force closes the app and opens it again. Here is the code we use to log out:

```csharp
using System;
using System.Threading.Tasks;
using Auth0.OidcClient;
using IdentityModel.OidcClient.Browser;

// Wrapped in a method here so the fragment compiles; `parameters` and `Log` are the app's own objects.
public async Task<bool> LogoutAsync()
{
    var authenticationClient = new Auth0Client(
        new Auth0ClientOptions
        {
            Domain = parameters.Domain,
            RedirectUri = parameters.LogoutRedirectUri,
            PostLogoutRedirectUri = parameters.LogoutRedirectUri,
            ClientId = parameters.ClientId,
        });

    try
    {
        // federated = true: also ask the upstream identity provider (Salesforce) to end its session
        var browserResult = await authenticationClient.LogoutAsync(true);

        Log.Investigate("Logged out successfully: {0}", browserResult == BrowserResultType.Success);

        return browserResult == BrowserResultType.Success;
    }
    catch (Exception e)
    {
        Log.Info(e.Message);
    }

    // Reached only when the logout call threw: treat as not logged out
    return false;
}
```

The second problem is that Salesforce never seems to trigger the redirect_url back to the mobile app. So after the logout process on Salesforce, it never closes the browser and the user has to close the browser manually. As a result we can only receive UserCancel instead of Success from BrowserResultType.

What was the expected behavior?

Environment

Any information or thoughts regarding this issue will be really appreciated.

frederikprijck commented 3 years ago

Hello,

Thanks for reaching out. This SDK is a tiny wrapper around https://github.com/IdentityModel/IdentityModel.OidcClient, we are not in control of what happens when you call logout. As you can see here, our logout method just calls the underlying SDK: https://github.com/auth0/auth0-oidc-client-net/blob/master/src/Auth0.OidcClient.Core/Auth0ClientBase.cs#L75-L97.

Would you be able to see if you can use the underlying SDK directly and if the issue still persists? I believe that might be the fastest way to identify if our SDK is causing the behavior or if it's the underlying one (I am not excluding it could be us, but given the fact that we don't do much but pass-through calls, chances are a bit higher for the issue to be caused by https://github.com/IdentityModel/IdentityModel.OidcClient), which I would like to know but is not an easy thing for me to do without having access to Sales Force.

I am also a bit confused about what you mean with cookies. Our SDK does not use cookies; are you perhaps talking about the cookies on the salesforce domain? Those are not maintained by our SDK. Would the Auth0 Logs tell you anything that is going wrong when doing the logout request? If so, please share those as well.

> The second problem is that Salesforce never seems to trigger the redirect_url back to the mobile app. So after the logout process on Salesforce, it never closes the browser and the user has to close the browser manually. As a result we can only receive UserCancel instead of Success from BrowserResultType.

I believe this could be the cause of everything. The fact that, for the underlying SDK, Logout was not successful means it won't log out the user. I believe you will need to find out why SalesForce doesn't redirect you back to the app. Again, I believe this does not necessarily have to be related to the SDK; do the logs tell you anything? I would focus on solving this problem: as long as logout isn't considered successful, I am convinced the underlying SDK will not log you out.

huyvuskedulo commented 3 years ago

Hi @frederikprijck , thanks for the reply.

But for this issue, I don't think it's related to the code of this package, because it seems to be working correctly with other SSOs.

For the cookies / session issue, it's actually related to the file "ASWebAuthenticationSessionBrowser" where we're using "ASWebAuthenticationSession". Somehow, the session is still hanging around when using this unless the user force closes the app and restarts it again. If I set PrefersEphemeralWebBrowserSession = true in the options, it solves the issue. But the problem with that is it will initialize a completely new session every time we do so, which means the user has to authenticate with OTP again every time they log in (if they enabled it in Salesforce), so we want to avoid that.

This issue is not actually raising a bug in the code but is trying to look for information to investigate the problem, because I think you guys must have much more knowledge about this than me.

frederikprijck commented 3 years ago

So what I believe is happening is that the underlying SDK is not receiving a Success event when logout is happening. Therefore, the only thing you can do is close the browser, triggering a UserCancel event. Because there was no event identifying that the logout was successful, the underlying SDK will not consider you to be logged out.

Closing and reopening the application basically resets the state of the underlying SDK, and as logout was successful (but just not communicated to the underlying SDK), the user is now considered to be logged out by the underlying SDK.

Using PrefersEphemeralWebBrowserSession is not really an actual solution to the underlying behavior I believe.

I think it could be beneficial to give the underlying SDK a spin without our SDK to see if you can reproduce the behavior. The benefit here is that we got something to work with and, potentially, send to the people that maintain that underlying SDK.

I am not excluding that the problem isn't originating from our SDK, but I believe doing the above might be the fastest to know where the issue originates.

If the sample using the underlying SDK works fine, you have something to send to us we can work with. If the sample using the underlying SDK doesn't work fine, you have something to send to the people maintaining the OidcClient.

If you do believe the issue is with our SDK, I can only ask you to provide a reproduction of the problem, including access to a SalesForce instance that we can use, as we do not have any to test against (I understand this is not ideal; keep in mind we have a support team that can help looking into these things).
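The isolation step suggested throughout this thread (call IdentityModel.OidcClient directly, without the Auth0 wrapper, and inspect the logout result) written out as an added example; this is not code from the issue or from either project. It assumes the app already has an `IBrowser` implementation for the platform (on iOS the thread mentions `ASWebAuthenticationSessionBrowser`), and the placeholder domain, client id and callback URIs are constructed values. The point it makes visible is the one frederikprijck describes: the library only treats a logout as done when the browser comes back to `PostLogoutRedirectUri`, so a logout page that never redirects surfaces as an error result, not as a logged-out session.

```csharp
using System;
using System.Threading.Tasks;
using IdentityModel.OidcClient;
using IdentityModel.OidcClient.Browser;

public static class LogoutDiagnostics
{
    // Runs the end-session flow straight against IdentityModel.OidcClient so the
    // wrapper (Auth0Client) is out of the picture. `browser` is the platform browser
    // the app normally hands to the SDK (assumed to exist; not part of this example).
    public static async Task<bool> TryLogoutDirectAsync(IBrowser browser, string idToken)
    {
        var options = new OidcClientOptions
        {
            Authority = "https://YOUR_TENANT.auth0.com",        // placeholder tenant
            ClientId = "YOUR_CLIENT_ID",                        // placeholder client id
            RedirectUri = "com.example.app://callback",         // constructed callback URI
            PostLogoutRedirectUri = "com.example.app://callback",
            Browser = browser,
        };

        var client = new OidcClient(options);

        // Passing the id_token as a hint lets the OP identify which session to end
        // without asking the user again; it is optional for this diagnostic.
        var request = new LogoutRequest { IdTokenHint = idToken };

        LogoutResult result = await client.LogoutAsync(request);

        if (result.IsError)
        {
            // Typical values when the IdP's logout page never redirects back:
            // the browser is closed by hand and the SDK reports the cancel/timeout as an error.
            Console.WriteLine($"Logout not confirmed: {result.Error}");
            return false;
        }

        // Only here did the browser return to PostLogoutRedirectUri, i.e. the
        // end-session round trip completed and the SDK treats the user as signed out.
        Console.WriteLine("Logout confirmed by redirect back to the app.");
        return true;
    }
}
```

Run this in place of the wrapper call and compare: if `IsError` is true with the same symptom (browser left open on the Salesforce page), the behaviour is coming from the upstream logout page not honouring the return URL rather than from this SDK; if it returns true, the wrapper's federated logout URL is the place to look next.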