Closed jmz527 closed 4 years ago
@jmz527 thanks for raising this. Sounds like an easy fix, provided we document the option only affects iOS. @Widcket can you think of any reason to keep the value hardcoded to false?
Hi @jmz527, when you're using { ephemeralSession: true } there's no need to call clearSession because there's no cookie to remove. It's like using a browser in incognito mode.
@Widcket that's exactly what you said in #294. Yes, I understand there's no cookie to remove. As I said, I still need to use clearSession.
Also, I just tested, and I'm receiving this undesired popup on calling clearSession regardless of whether I use { ephemeralSession: true } in the initial auth0.webAuth.authorize method or not. So what about that use case?
@jmz527 can you please share more details about your use case? Why do you still need to call clearSession?
@Widcket We're only using auth0 for the initial authentication but not continued session handling. So once the user triggers a new login, auth0 doesn't prompt for re-authenticating, it just uses the previous state to re-authenticate.
Our desired result is for our users, to logout without being prompted by this popup, and then when returning to login again, to be prompted to re-authenticate using auth0.
@jmz527 you can add prompt: 'login' to the authorize call parameters to force a new login prompt:
await auth0.webAuth.authorize(
{ scope: 'openid profile email', prompt: 'login' },
{ ephemeralSession: true },
);
@Widcket yes, I know. I've tested that out before. It still doesn't solve the issue with the popup on logout.
@jmz527 sorry, I'm not following. As I understand, you need to call clearSession to get a new login prompt the next time you call authorize, but you can achieve that with prompt: 'login'. Is there any additional reason for you to call clearSession?
@Widcket No, no, the purpose of calling clearSession is not to get a new login prompt. You're missing several steps. The purpose is to have our app call the /logout endpoint on our auth0 domain clearing the session server-side.
As I understand it, there is the Application Session Layer, the Auth0 Session Layer, and the Identity Provider Session Layer....hold on, I'm going to get our backend engineer involved.
Aforementioned backend engineer here 👋 👨💻
As far as I'm aware, prompt: 'login' is an option - although it just feels a bit weird to me to rely on the query params to force re-authentication rather than invalidating the session via /logout, but that's from my web-centric mindset where people have an easier way to modify the request values. Technically speaking, either route is an option - although it does feel like there should be support for the logout view to not have the consent prompt as the authorize method has.
Hey @Widcket, just checking in. Any updates on this?
@jmz527 @JensAstrup I haven't tested this myself, but I'm not sure if there's a server-side session being created. Otherwise, if you try to authenticate from a different browser than the one you've logged in previously, it should go through instantly, right? And that's not the case last time I checked. Steps to try this:
What @Widcket said above, that I was missing context on, is that the "ephemeral" iOS browser acts as an "incognito" window. So launching the logout endpoint on a new incognito tab will not clear any cookies because there are no previous cookies on that browsing session.
Does that make sense?
Here's a video showcasing the difference:
Will close this one, if you need further guidance please ping.
Sorry for the delay in getting back to y'all. And sorry in general.
Y'all were right - we were conflating things on our side. @lbalmaceda @Widcket
Hi @jmz527, when you're using { ephemeralSession: true } there's no need to call clearSession because there's no cookie to remove. It's like using a browser in incognito mode.
Hey @Widcket. As far as I understood, ephemeralSession has no effect on Android, so I assume there is no option for disabling SSO on Android? If so, then with ephemeralSession set to true I still need to call clearSession on logout to clear cookies on Android devices. Am I right?
@emzet93 yes, you still need to call clearSession on Android.
@Widcket thanks! I couldn't find any info about that in the docs and code. And what about the prompt: 'login' param in the authorize method? Does it prevent saving cookies in the browser somehow, or does it just force the browser to show the login screen every time?
@emzet93 prompt: 'login', as you said, just forces the browser to show the login screen every time. It has no effect on the cookies.
This is still an issue.
RN 0.63.4, iOS 14.4, react-native-auth0@2.7.0 - after calling clearSession, a modal with Sign In is shown. It doesn't matter if prompt login is set, ephemeralSession is true, or sth else. The modal always appears after clearSession... It's totally breaking UX.
Is there any option to not show this modal, like on Android, and just clear a session?
Hi @irekrog, can you please confirm if in your app:
ephemeralSession and prompt:login on the login call
clearSession only on Android, not on iOS
@Widcket I am calling clearSession on iOS and I have this modal https://user-images.githubusercontent.com/909292/91794499-d2cbe180-ebe0-11ea-9975-d1be08686b4b.png I tried with/without ephemeralSession and prompt:login, and always when running clearSession the above modal is shown.
@irekrog Please do not call clearSession on iOS if you’re using ephemeralSession on the login call, it is not necessary.
@Widcket OK, what about the case when I set ephemeralSession to false and call clearSession on logout?
@irekrog In that case the pop up is unavoidable. It’s generated and handled by iOS and there’s nothing we can do about it.
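The maintainers' answers in this thread, combined into one platform-aware login/logout helper. This is an added example, not part of the original thread or of react-native-auth0 itself; `auth0` is assumed to be a react-native-auth0 client, `platformOS` the value of `Platform.OS`, and `dropLocalTokens` a hypothetical app callback that deletes locally stored tokens.

```javascript
// Added example. Decide what logout has to do, as a pure function so it can be unit tested.
function logoutPlan(platformOS, usedEphemeralSession) {
  // Per the thread, ephemeralSession only takes effect on iOS.
  const ephemeralHonored = platformOS === 'ios' && usedEphemeralSession;
  return {
    // Ephemeral login stored no browser cookie, so clearSession has nothing to remove.
    callClearSession: !ephemeralHonored,
    // With a shared (non-ephemeral) session, iOS shows its own dialog; the SDK cannot suppress it.
    expectSystemDialog: platformOS === 'ios' && !usedEphemeralSession,
  };
}

// Arguments for webAuth.authorize, matching the call shown earlier in the thread.
function authorizeArgs(usedEphemeralSession) {
  return [
    // prompt: 'login' forces the login screen; it has no effect on cookies.
    { scope: 'openid profile email', prompt: 'login' },
    { ephemeralSession: usedEphemeralSession },
  ];
}

async function login(auth0, usedEphemeralSession) {
  const [params, options] = authorizeArgs(usedEphemeralSession);
  return auth0.webAuth.authorize(params, options);
}

async function logout(auth0, platformOS, usedEphemeralSession, dropLocalTokens) {
  const plan = logoutPlan(platformOS, usedEphemeralSession);
  try {
    if (plan.callClearSession) {
      await auth0.webAuth.clearSession(); // clears the browser session cookie
    }
  } finally {
    // Always remove local tokens, even if the user dismisses the dialog
    // and clearSession rejects.
    await dropLocalTokens();
  }
  return plan;
}
```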
Description
I am receiving an "allow this app to share..." permissions dialog when using the clearSession method during my app's logout flow, and I would prefer the popup not to appear.
This issue has been raised before #294. In that thread it was suggested, at some point, to not bother with 'logout' and to "just remove the tokens from the app." That's fine for most apps. However, in my particular case, the app I'm working on needs to make this auth0 'logout' call.
I noticed the clearSession method does accept an options argument, but when calling agent.show on line #138 of webauth/index.js, the argument for ephemeralSession is hardcoded as false.
Could we have that value default to true, or maybe allow it to be set by options? I've already done a test run, and this would solve the issue.
Reproduction
This issue is occurring in a typical react-native app, during a redux action/dispatch.
The app signs in users with the following:
Which works perfectly well. But then, when it comes time to sign out, we use:
And, in doing so, are met with:
Environment