auth0 / react-native-auth0

React Native toolkit for Auth0 API
https://auth0.com
MIT License

Include "ephemeralSession" option support to "clearSession" method #333

Closed jmz527 closed 4 years ago

jmz527 commented 4 years ago

Description

I am receiving an "allow this app to share..." permissions dialog when using the clearSession method during my app's logout flow, and I would prefer the popup not to appear.

This issue has been raised before in #294. In that thread it was suggested, at some point, to not bother with 'logout' and to "just remove the tokens from the app." That's fine for most apps. However, in my particular case, the app I'm working on needs to make this auth0 'logout' call.

I noticed the clearSession method does accept an options argument, but when calling agent.show on line #138 of webauth/index.js, the argument for ephemeralSession is hardcoded as false.

Could we have that value default to true, or maybe allow it to be set by options? I've already done a test run, and this would solve the issue.

Reproduction

This issue is occurring in a typical react-native app, during a redux action/dispatch.

The app signs in users with the following:

await auth0.webAuth.authorize(
    { scope: 'openid profile email', mode: 'login' },
    { ephemeralSession: true },
);

Which works perfectly well. But then, when it comes time to sign out, we use:

await auth0.webAuth.clearSession();

And, in doing so, are met with:

[Screenshot attached to the issue: the iOS "allow this app to share..." permissions dialog shown on logout, captured 2020-08-31]

Environment

lbalmaceda commented 4 years ago

@jmz527 thanks for raising this. Sounds like an easy fix, provided we document the option only affects iOS. @Widcket can you think of any reason to keep the value hardcoded to false?

Widcket commented 4 years ago

Hi @jmz527, when you're using { ephemeralSession: true } there's no need to call clearSession because there's no cookie to remove. It's like using a browser in incognito mode.

jmz527 commented 4 years ago

@Widcket that's exactly what you said in #294. Yes, I understand there's no cookie to remove. As I said, I still need to use clearSession.

Also, I just tested, and I'm receiving this undesired popup on calling clearSession regardless of whether I use { ephemeralSession: true } in the initial auth0.webAuth.authorize method or not. So what about that use case?

Widcket commented 4 years ago

@jmz527 can you please share more details about your use case? Why do you still need to call clearSession?

jmz527 commented 4 years ago

@Widcket We're only using auth0 for the initial authentication, not for continued session handling. So once the user triggers a new login, auth0 doesn't prompt for re-authentication; it just uses the previous state to re-authenticate.

Our desired result is for our users to log out without being prompted by this popup, and then, when returning to log in again, to be prompted to re-authenticate using auth0.

Widcket commented 4 years ago

@jmz527 you can add prompt: 'login' to the authorize call parameters to force a new login prompt:

await auth0.webAuth.authorize(
    { scope: 'openid profile email', prompt: 'login' },
    { ephemeralSession: true },
);

jmz527 commented 4 years ago

@Widcket yes, I know. I've tested that out before. It still doesn't solve the issue with the popup on logout.

Widcket commented 4 years ago

@jmz527 sorry, I'm not following. As I understand, you need to call clearSession to get a new login prompt the next time you call authorize, but you can achieve that with prompt: 'login'. Is there any additional reason for you to call clearSession?

jmz527 commented 4 years ago

@Widcket No, no, the purpose of calling clearSession is not to get a new login prompt. You're missing several steps. The purpose is to have our app call the /logout endpoint on our auth0 domain clearing the session server-side.

As I understand it, there is the Application Session Layer, the Auth0 Session Layer, and the Identity Provider Session Layer....hold on, I'm going to get our backend engineer involved.

JensAstrup commented 4 years ago

Aforementioned backend engineer here 👋 👨‍💻

As far as I'm aware, prompt: 'login' is an option, although it feels a bit weird to me to rely on the query params to force re-authentication rather than invalidating the session via /logout; but that's from my web-centric mindset, where people have an easier way to modify the request values. Technically speaking, either route is an option, although it does feel like there should be support for the logout view to not have the consent prompt, as the authorize method has.

jmz527 commented 4 years ago

Hey @Widcket, just checking in. Any updates on this?

lbalmaceda commented 4 years ago

@jmz527 @JensAstrup I haven't tested this myself, but I'm not sure if there's a server-side session being created. Otherwise, if you try to authenticate from a different browser than the one you've logged in previously, it should go through instantly, right? And that's not the case last time I checked. Steps to try this:

What @Widcket said above, that I was missing context on, is that the "ephemeral" iOS browser acts as an "incognito" window. So launching the logout endpoint on a new incognito tab will not clear any cookies because there are no previous cookies on that browsing session.

Does that make sense?

Widcket commented 4 years ago

Here's a video showcasing the difference:

[Video attached to the issue: RocketSim recording on an iPhone 11 simulator, 2020-10-22, showing the difference]

Will close this one, if you need further guidance please ping.

jmz527 commented 3 years ago

Sorry for the delay in getting back to y'all. And sorry in general.

Y'all were right - we were conflating things on our side. @lbalmaceda @Widcket

emzet93 commented 3 years ago

Hi @jmz527, when you're using { ephemeralSession: true } there's no need to call clearSession because there's no cookie to remove. It's like using a browser in incognito mode.

Hey @Widcket. As far as I understood, ephemeralSession has no effect on Android, so I assume there is no option for disabling SSO on Android? If so, then with ephemeralSession set to true I still need to call clearSession on logout to clear cookies on Android devices. Am I right?

Widcket commented 3 years ago

@emzet93 yes, you still need to call clearSession on Android.

emzet93 commented 3 years ago

@Widcket thanks! I couldn't find any info about that in the docs or code. And what about the prompt: 'login' param in the authorize method? Does it prevent saving cookies in the browser somehow, or does it just force the browser to show the login screen every time?

Widcket commented 3 years ago

@emzet93 prompt: 'login', as you said, just forces the browser to show the login screen every time. It has no effect on the cookies.

irekrog commented 3 years ago

This is still an issue.

RN 0.63.4, iOS 14.4, react-native-auth0@2.7.0: after calling clearSession, a modal with "Sign In" is shown. It doesn't matter whether prompt: login, ephemeralSession: true or something else is set. After clearSession there is always a modal... It totally breaks the UX.

Is there any option to not show this modal, like on Android, and just clear the session?

Widcket commented 3 years ago

Hi @irekrog, can you please confirm if in your app:

irekrog commented 3 years ago

@Widcket I am calling clearSession on iOS and I get this modal: https://user-images.githubusercontent.com/909292/91794499-d2cbe180-ebe0-11ea-9975-d1be08686b4b.png. I tried with and without ephemeralSession and prompt: login, and whenever clearSession runs the above modal is shown.

Widcket commented 3 years ago

@irekrog Please do not call clearSession on iOS if you’re using ephemeralSession on the login call, it is not necessary.

irekrog commented 3 years ago

@Widcket Ok, what if case when I set ephemeralSession to false and call clearSession on logout?

Widcket commented 3 years ago

@irekrog In that case the pop up is unavoidable. It’s generated and handled by iOS and there’s nothing we can do about it.
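The thread's outcome, as an added example that is not react-native-auth0 project code: a small login/logout helper that encodes the maintainers' guidance. It assumes the call shapes shown in the thread's own snippets (auth0.webAuth.authorize(params, options) and auth0.webAuth.clearSession()) and react-native's Platform.OS string ('ios' / 'android') for the platform check; both are injected here so the module runs offline, and the fakeWebAuth recorder is constructed for this example only. The rules it implements are the ones stated above: ephemeralSession only affects iOS, where the in-app browser behaves like an incognito window and clearSession has no cookie to clear (it only triggers the iOS dialog); on Android clearSession is still required on logout; and prompt: 'login' forces a new login screen without touching cookies.

```javascript
// Added example; not code from react-native-auth0 or from the thread's authors.
// Assumptions: webAuth exposes authorize(params, options) and clearSession(),
// and `platform` is the react-native Platform.OS value ('ios' or 'android').

const DEFAULT_SCOPE = 'openid profile email';

// Decide, without side effects, whether logout must call clearSession.
// iOS + ephemeralSession: nothing to clear, and calling clearSession would
// only show the iOS consent dialog. iOS without ephemeralSession: the dialog
// is unavoidable but the cookie must still go. Android: ephemeralSession has
// no effect, so the browser cookie must be cleared explicitly.
function logoutPlan({ platform, ephemeralSession }) {
  if (platform === 'ios' && ephemeralSession) {
    return { callClearSession: false, reason: 'ios ephemeral session: no cookie to clear' };
  }
  if (platform === 'ios') {
    return { callClearSession: true, reason: 'ios persistent session: cookie must be cleared (dialog unavoidable)' };
  }
  return { callClearSession: true, reason: 'android: ephemeralSession has no effect, cookie must be cleared' };
}

// Factory so the same flow works with the real SDK object or a fake.
function createAuthFlow({ webAuth, platform, ephemeralSession = true, forceLogin = true }) {
  const options = { ephemeralSession };

  async function login() {
    const params = { scope: DEFAULT_SCOPE };
    // prompt: 'login' forces a fresh login screen; it does not clear cookies.
    if (forceLogin) params.prompt = 'login';
    return webAuth.authorize(params, options);
  }

  async function logout() {
    const plan = logoutPlan({ platform, ephemeralSession });
    if (plan.callClearSession) {
      await webAuth.clearSession();
    }
    return plan;
  }

  return { login, logout };
}

// Constructed stand-in for auth0.webAuth that records calls (not SDK code).
function fakeWebAuth() {
  const calls = [];
  return {
    calls,
    async authorize(params, options) {
      calls.push({ method: 'authorize', params, options });
      return { accessToken: 'constructed-token' };
    },
    async clearSession() {
      calls.push({ method: 'clearSession' });
    },
  };
}

// Usage with the real SDK would be:
//   const flow = createAuthFlow({ webAuth: auth0.webAuth, platform: Platform.OS });
//   await flow.login();   ...   await flow.logout();
```

Pass ephemeralSession: false to createAuthFlow only if the app really needs the shared Safari cookie on iOS; in that configuration the iOS dialog on logout cannot be suppressed, as the maintainer states above.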