aws-amplify / amplify-js

A declarative JavaScript library for application development using cloud services.
https://docs.amplify.aws/lib/q/platform/js
Apache License 2.0
9.43k stars 2.13k forks

Offline sign-out and improved logout UX with the Hosted UI #7734

Open james-mallory opened 3 years ago

james-mallory commented 3 years ago

Is your feature request related to a problem? Please describe. When using the Hosted UI for authentication with a third-party identity provider, there are multiple issues with the sign out functionality.

  1. The user is unable to fully sign out while they are offline. The page load in the presented SafariViewController fails and the user is not signed out of the app. We can locally sign them out of the app using awsMobileClient.signOut(), but we have no means of clearing the cookies of the SFAuthenticationSession, so the apparently signed-out app is immediately signed back in if someone goes to sign in as a different user later. Due to this, signing them out locally is not an option, as it gives users a false sense of being fully signed out when they are not.

  2. iOS presents a warning about amazoncognito.com wanting to sign IN not OUT. This is misleading and confusing for the user.

  3. A SafariViewController appears and immediately disappears when invalidating tokens. Though we appreciate it is necessary with the current setup, this behaviour feels like a bug to the user and could cause doubt that the logout process has been successful.

Describe the solution you'd like We appreciate that the current behaviour is designed to ensure that the identity provider tokens are invalidated on sign out. While this is a good idea, the downsides of the current user experience outweigh the security benefit for us. Our tokens have a short enough expiry that not immediately invalidating them isn't too much of a risk.

The simplest solution we have come up with, which hopefully has little impact on other use cases:

If the SDK was updated to use ASWebAuthenticationSession instead of the deprecated SFAuthenticationSession and the prefersEphemeralWebBrowserSession option was made available we could set that to true for sign-in. We would then be able to locally sign out the user even if they were offline and, when someone goes to sign in again, they would not be automatically signed back in as the old session cookies would not exist.

We understand that using this option would rule out invalidating the tokens using the existing sign out functionality but that's OK for our use case. Ideally, if this solution was implemented, Amplify would also be updated to support it and provide a signOutLocally method that didn't require us to use the escape hatch.

Describe alternatives you've considered We have tried various workarounds discussed in these issues but none solve the problem of the persisted SFAuthenticationSession unfortunately.

aws-amplify/aws-sdk-ios#2904 aws-amplify/aws-sdk-ios#2886 aws-amplify/aws-sdk-ios#2715 aws-amplify/aws-sdk-ios#1724 aws-amplify/amplify-ios#634 aws-amplify/amplify-ios#745

Additional context This is almost an exact replica of the following issue: https://github.com/aws-amplify/aws-sdk-ios/issues/3141. It seems they found a solution using ASWebAuthenticationSession when available in iOS 13+.
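The following is an added illustration of the ephemeral-session approach proposed above; it is not code from amplify-js, aws-sdk-ios or the issue author. It drives the Cognito Hosted UI (/oauth2/authorize) directly through ASWebAuthenticationSession with prefersEphemeralWebBrowserSession set to true, so no IdP cookie is carried between sign-ins and a purely local sign-out cannot leave a stale browser session behind. The Cognito domain, app client ID, redirect scheme and the TokenStore protocol are placeholders to be replaced with your own values.

```swift
import AuthenticationServices
import UIKit

// Placeholder configuration (assumed values, replace with your own).
let cognitoDomain = "https://example-app.auth.us-east-1.amazoncognito.com"
let clientId = "REPLACE_WITH_APP_CLIENT_ID"
let redirectScheme = "myapp"
let redirectUri = "\(redirectScheme)://signin"

// Hypothetical abstraction over wherever the app keeps its Cognito tokens
// (Keychain, SQLite, in-memory). Only clearing is needed for local sign-out.
protocol TokenStore {
    func clear()
}

final class HostedUISignIn: NSObject, ASWebAuthenticationPresentationContextProviding {
    private var session: ASWebAuthenticationSession?

    // Builds the Hosted UI authorization URL (Cognito's /oauth2/authorize endpoint).
    func authorizeURL(state: String) -> URL {
        var components = URLComponents(string: "\(cognitoDomain)/oauth2/authorize")!
        components.queryItems = [
            URLQueryItem(name: "response_type", value: "code"),
            URLQueryItem(name: "client_id", value: clientId),
            URLQueryItem(name: "redirect_uri", value: redirectUri),
            URLQueryItem(name: "scope", value: "openid email"),
            URLQueryItem(name: "state", value: state),
        ]
        return components.url!
    }

    // Runs the Hosted UI in an ephemeral browser session: cookies from an
    // earlier login are not sent, and none survive once the session ends.
    func signIn(completion: @escaping (Result<String, Error>) -> Void) {
        let state = UUID().uuidString
        let session = ASWebAuthenticationSession(
            url: authorizeURL(state: state),
            callbackURLScheme: redirectScheme
        ) { callbackURL, error in
            if let error = error {
                completion(.failure(error))
                return
            }
            // Reject callbacks whose state does not match the one we issued
            // before trusting the authorization code.
            guard let url = callbackURL,
                  let items = URLComponents(url: url, resolvingAgainstBaseURL: false)?.queryItems,
                  items.first(where: { $0.name == "state" })?.value == state,
                  let code = items.first(where: { $0.name == "code" })?.value
            else {
                completion(.failure(URLError(.badServerResponse)))
                return
            }
            completion(.success(code)) // exchange at /oauth2/token as usual
        }
        session.prefersEphemeralWebBrowserSession = true // iOS 13+
        session.presentationContextProvider = self
        self.session = session
        session.start()
    }

    // Local sign-out: discard the app's own tokens only. Because the browser
    // session was ephemeral there is no persisted IdP cookie to clear, so this
    // works offline; the IdP-side session is simply left to expire.
    func signOutLocally(tokenStore: TokenStore) {
        tokenStore.clear()
    }

    func presentationAnchor(for session: ASWebAuthenticationSession) -> ASPresentationAnchor {
        return UIApplication.shared.windows.first { $0.isKeyWindow } ?? ASPresentationAnchor()
    }
}
```

The trade-off is the one the issue describes: nothing is revoked at Cognito on sign-out, so the access and ID tokens remain valid until they expire, and the ephemeral session also means the user re-enters credentials on every sign-in rather than getting single sign-on from a shared Safari cookie. Keep token lifetimes short if you rely on this pattern.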

yangtavour commented 3 years ago

I am experiencing the same issue, would love an update on this

elorzafe commented 3 years ago

@james-mallory are you using React-Native or only swift?

james-mallory commented 3 years ago

@elorzafe I'm using React-Native

adirsation commented 2 years ago

I am also experiencing the issue, and it's just frustrating to release it that way. If there's a fix for non-React-Native apps, it is obvious there should be one for React Native as well. Please fix it ASAP!

gadigrin commented 2 years ago

@palpatim I saw you helped a lot in the thread referenced. Any chance of getting you involved here, as it's just applying the same fix to the React Native package?

AndreiDanilkovich commented 2 years ago

Same thing, using React Native.

tannerabread commented 1 year ago

Related #4966

yuguoxiematrix commented 1 year ago

I got the same issue with react-native, it's been about two and a half years...

adirsation commented 1 year ago

> I got the same issue with react-native, it's been about two and a half years...

We implemented this whole social login process differently in order to avoid those kinds of issues, I really recommend it: https://medium.com/@tkobrinsky/amplify-cognito-social-login-the-correct-way-3be5cba9b520