authgear / authgear-server

Open source alternative to Auth0 / Firebase Auth
https://www.authgear.com
Apache License 2.0

[iOS] Login sessions survive after app deletion and re-installation #2674

Open fungc-io opened 1 year ago

fungc-io commented 1 year ago

Problem

It is the default behavior of the Apple Keychain that items are not removed after the app is deleted. As Authgear stores the refresh token in the keychain on iOS, the login session survives re-installation.

Sometimes this behavior is not desirable to a user.

Appetite

??

Solution

A thread in the Apple Developer Forums suggests:

you can effectively implement an auto delete feature by entangling the secret you store in the keychain with a key that you store on disk. If the app gets deleted that on-disk key goes away and you effectively lose access to the keychain item.

Reference: https://developer.apple.com/forums/thread/36442
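The mechanism quoted above, as an added stand-alone simulation (not Authgear SDK code, and not the code from the linked thread). It assumes a `FakeKeychain` object that outlives the app and a temporary directory standing in for the app sandbox, both constructed here. The refresh token is stored in the keychain only in sealed form, under a random key that lives in the sandbox; on a simulated reinstall the sandbox is wiped, the key is gone, and the leftover keychain item is treated as "logged out" and purged. Encryption uses a SHAKE-256 keystream plus an HMAC tag so the example runs with the standard library only; a real app would use AES-GCM via CryptoKit and the real Keychain API instead.

```python
"""Simulation of 'entangle the keychain secret with an on-disk key'.

Constructed example: FakeKeychain persists across app deletion, the sandbox
directory does not. All names below are hypothetical, not Authgear's.
"""
import hashlib
import hmac
import os
import secrets
import shutil
import tempfile

KEYCHAIN_ITEM = "refresh_token"      # hypothetical keychain item name
ENTANGLE_KEY_FILE = "entangle.key"   # hypothetical file in the app sandbox
NONCE_LEN, TAG_LEN, KEY_LEN = 16, 32, 32


class FakeKeychain:
    """Stands in for the iOS Keychain: items outlive the app bundle."""

    def __init__(self):
        self.items = {}


def _read_entangle_key(sandbox_dir):
    path = os.path.join(sandbox_dir, ENTANGLE_KEY_FILE)
    if not os.path.exists(path):
        return None
    with open(path, "rb") as f:
        return f.read()


def _create_entangle_key(sandbox_dir):
    key = secrets.token_bytes(KEY_LEN)
    with open(os.path.join(sandbox_dir, ENTANGLE_KEY_FILE), "wb") as f:
        f.write(key)
    return key


def _derive_keys(entangle_key, nonce):
    # Separate encryption and MAC keys, bound to the on-disk key and the nonce.
    enc_key = hashlib.sha256(b"enc" + entangle_key + nonce).digest()
    mac_key = hashlib.sha256(b"mac" + entangle_key + nonce).digest()
    return enc_key, mac_key


def _seal(entangle_key, plaintext):
    nonce = secrets.token_bytes(NONCE_LEN)
    enc_key, mac_key = _derive_keys(entangle_key, nonce)
    keystream = hashlib.shake_256(enc_key).digest(len(plaintext))
    ciphertext = bytes(p ^ k for p, k in zip(plaintext, keystream))
    tag = hmac.new(mac_key, nonce + ciphertext, hashlib.sha256).digest()
    return nonce + ciphertext + tag


def _unseal(entangle_key, blob):
    nonce, ciphertext, tag = blob[:NONCE_LEN], blob[NONCE_LEN:-TAG_LEN], blob[-TAG_LEN:]
    enc_key, mac_key = _derive_keys(entangle_key, nonce)
    expected = hmac.new(mac_key, nonce + ciphertext, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        return None  # tampered or sealed under a different on-disk key
    keystream = hashlib.shake_256(enc_key).digest(len(ciphertext))
    return bytes(c ^ k for c, k in zip(ciphertext, keystream))


def store_refresh_token(keychain, sandbox_dir, token):
    """Seal the token under the sandbox key (created on first use)."""
    key = _read_entangle_key(sandbox_dir) or _create_entangle_key(sandbox_dir)
    keychain.items[KEYCHAIN_ITEM] = _seal(key, token)


def load_refresh_token(keychain, sandbox_dir):
    """Return the token, or None if there is no usable session."""
    blob = keychain.items.get(KEYCHAIN_ITEM)
    if blob is None:
        return None
    key = _read_entangle_key(sandbox_dir)
    if key is None:
        # Sandbox was wiped (app deleted and reinstalled). The leftover
        # keychain item cannot be opened, so purge it and report logged out.
        del keychain.items[KEYCHAIN_ITEM]
        return None
    return _unseal(key, blob)


def simulate_reinstall(sandbox_dir):
    """Deleting the app removes its container; the keychain is untouched."""
    shutil.rmtree(sandbox_dir)
    os.makedirs(sandbox_dir)


def demo():
    """Returns (readable before reinstall, gone after, item still in keychain)."""
    keychain = FakeKeychain()
    sandbox = tempfile.mkdtemp()
    token = b"constructed-refresh-token"  # constructed sample value
    store_refresh_token(keychain, sandbox, token)
    before = load_refresh_token(keychain, sandbox)
    simulate_reinstall(sandbox)
    after = load_refresh_token(keychain, sandbox)
    leftover = KEYCHAIN_ITEM in keychain.items
    shutil.rmtree(sandbox)
    return before == token, after is None, leftover


if __name__ == "__main__":
    print(demo())  # (True, True, False)
```

The purge in `load_refresh_token` matters: without it the stale sealed blob stays in the keychain forever, which is harmless for security but wastes space and can confuse later debugging.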

fungc-io commented 4 months ago

Another user, who is using the WebKit WebView UI implementation, reported today that after reinstallation the cookie session inside the WebKit WebView is lost, while the app itself is still AUTHENTICATED. This is quite confusing for the developer.

It's best if we can switch the default such that the refresh token in keychain is lost after reinstall.

chpapa commented 4 months ago

We should beware that for anonymous users, we shall keep the current behaviour. (Or have another issue for the "feature of anonymous users retained between installations" in future)

louischan-oursky commented 6 days ago

Things to consider when designing the approach