justintv / Twitch-API

A home for details about our API
www.twitch.tv

Authentication force_verify problem #517

Closed adriancretu closed 8 years ago

adriancretu commented 8 years ago

Hi. I'm the developer of this Android live-streaming app.

It uses v3 of the Twitch API for user authentication, getting the channel and stream, and updating the channel. But I have a problem: I can't log out the current user, and I suspect a problem on Twitch's side. These are the steps I'm following, using the Implicit Grant flow method:

Normal / first login:

When I try to load a WebView a second time with an authentication URL and a new OAuth state, it redirects automatically to the OOB URL with a new access token. So, single sign-on works as expected, and I suspect the automatic redirect has to do with Android and Twitch caching some cookie on the user's side.

Problem: I want to log in with a different user. So, as indicated in the docs, I append the "force_verify=true" argument to the URL. The WebView respects this option: it displays a confirmation page that asks again for app permission (note that it also shows me the logged-in account name, not sure if this should happen?!), and it also has a "Not you?" link to change the user.

So, I click the "Not you?" link. A black screen appears, and this is how it remains forever. Additionally, using a PC and accessing an authentication link with "force_verify=true" will redirect to the main website instead of asking for new user credentials.

Is this intended behaviour, or am I missing something? The only way I can truly log off a user currently is by clearing the application data, which deletes the web cookie that probably contains some encrypted info for the already logged-in user. But this is of course not a solution.

FugiTech commented 8 years ago

While this was a bug when we released HTTPS everywhere, it was fixed on the 14th. If you are still experiencing this behavior let us know.

adriancretu commented 8 years ago

Hi. Thanks for closing this so quickly, but I opened this issue long after the 14th, and yes, I am still experiencing this behaviour. Tapping on the "Not you?" link inside an OAuth WebView will open a black page with nothing on it. For what it's worth, I am using Android 6.0.1 with the latest updates, on a Nexus 6.
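
The Implicit Grant request described in the first post, as an added example that is not code from this thread, the app, or Twitch: it builds the authorization URL with a fresh `state` and optional `force_verify=true`, then accepts the redirect only if the returned `state` matches. The client ID, redirect URI, scope names and function names are assumptions chosen for illustration.

```python
import hmac
import secrets
from urllib.parse import parse_qs, urlencode, urlsplit

# Twitch API v3 ("kraken") authorization endpoint.
AUTHORIZE_URL = "https://api.twitch.tv/kraken/oauth2/authorize"


def build_authorize_url(client_id, redirect_uri, scopes, force_verify=False):
    """Return (url, state) for an Implicit Grant request with a fresh state."""
    state = secrets.token_urlsafe(32)  # unguessable, one per login attempt
    params = {
        "response_type": "token",
        "client_id": client_id,
        "redirect_uri": redirect_uri,
        "scope": " ".join(scopes),
        "state": state,
    }
    if force_verify:
        # Ask for the authorization page again instead of a silent
        # redirect based on the session cookie cached in the WebView.
        params["force_verify"] = "true"
    return AUTHORIZE_URL + "?" + urlencode(params), state


def parse_redirect(redirect_url, expected_state):
    """Return the access token from the redirect, or raise ValueError."""
    parts = urlsplit(redirect_url)
    query = parse_qs(parts.query)
    if "error" in query:
        raise ValueError("authorization denied: " + query["error"][0])
    # Implicit Grant returns the token in the URL fragment, not the query.
    fragment = parse_qs(parts.fragment)
    state = fragment.get("state", [""])[0]
    if not hmac.compare_digest(state.encode(), expected_state.encode()):
        raise ValueError("state mismatch: response is not for this request")
    token = fragment.get("access_token", [""])[0]
    if not token:
        raise ValueError("no access_token in redirect fragment")
    return token
```

Keeping one `state` per attempt matters here because the cached session makes the redirect happen without user interaction, so the `state` check is the only thing tying a returned token to the login the app actually started.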