okta / okta-oidc-android

OIDC SDK for Android
https://github.com/okta/okta-oidc-android

webAuthClient.SignOut was successful but doesn't clear browser session #292

Closed satyajitvure91 closed 2 years ago

satyajitvure91 commented 2 years ago

I'm trying to signOut of Okta and was able to do that successfully using webAuthClient.SignOut, and the onSuccess callback was triggered. But when I try to signIn again, the browser returns the previous session. Am I missing anything here?

    @Provides
    @Singleton
    fun provideWebAuthClient(
        config: OIDCConfig,
        @ApplicationContext context: Context,
        encryptedSharedPreferenceStorage: EncryptedSharedPreferenceStorage
    ): WebAuthClient {
        return OktaClient.WebAuthBuilder()
            .withConfig(config)
            .withContext(context)
            .withStorage(encryptedSharedPreferenceStorage)
            .setRequireHardwareBackedKeyStore(false)
            .browserMatchAll(false)
            .supportedBrowsers("com.android.chrome")
            .create()
    }

This is what I'm doing on clicking logout:

activity?.let {
    // Local sign-out with every flag set (ALL): revoke tokens and clear storage.
    webAuthClient.signOut(it, ALL, object : RequestCallback<Int, AuthorizationException> {
        override fun onSuccess(result: Int) {
            if (result == SUCCESS) {
                Log.d("LSV", "onSuccess: signed out")
            }
        }

        override fun onError(error: String?, exception: AuthorizationException?) {
            Log.e("Error", exception?.localizedMessage.toString())
        }
    })
}

Now when I go back to sign in page and click login, the browser opens and redirects to the app with the previous session.

JayNewstrom commented 2 years ago

Please have a look at our sign out documentation. https://github.com/okta/okta-oidc-android#sign-out

You need to use the signOutOfOkta method in order to sign the user out from the browser too.

satyajitvure91 commented 2 years ago

Thank you @JayNewstrom, I have updated the logout call:

override fun logout() {
    if (webAuthClient.sessionClient.isAuthenticated) {
        activity?.let {
            // Browser-based sign-out: ends the Okta session in the browser tab.
            webAuthClient.signOutOfOkta(it)
        }
    }
}

And in the callback, I am clearing the sessionClient too:

private fun registerWebAuthCallback() {
    webAuthClient.registerCallback(
        object : ResultCallback<AuthorizationStatus?, AuthorizationException?> {
            override fun onSuccess(status: AuthorizationStatus) {
                if (status == AuthorizationStatus.AUTHORIZED) {
                    Log.d("LSV", "onSuccess: LoggedIn")
                } else if (status == AuthorizationStatus.SIGNED_OUT) {
                    // Browser sign-out completed; drop the locally stored tokens as well.
                    Log.d("LSV", "Signed out")
                    webAuthClient.sessionClient.clear()
                }
            }

            override fun onCancel() {
                // authorization canceled
                Log.d("Cancelled", "cancelled")
            }

            override fun onError(msg: String?, exception: AuthorizationException?) {
                Log.e("Error", msg.toString())
            }
        },
        activity
    )
}

And I am calling registerWebAuthCallback() in onViewCreated(). I can see in logcat that the "Signed out" message is printed, and I also added a check to see if tokens are empty before calling the webAuthClient.signIn() method. But for some reason, in the browser I see that the previous session still persists.

JayNewstrom commented 2 years ago

Can you recreate this in our sample applications? We're not seeing this behavior there.

satyajitvure91 commented 2 years ago

I tried the sample app with our organization's configuration and I still see the same issue. I sign out and clear data, then I try to sign in, but the same thing happens on the sample app as well.

JayNewstrom commented 2 years ago

@satyajitvure91 could you try creating a new dev org and trying with another basic configuration?

satyajitvure91 commented 2 years ago

I actually did try that with my own sample dev configuration and it is working as intended. Is it something to do with our organization's setup?

JayNewstrom commented 2 years ago

Does your endSessionRedirectUri match what's in the admin console? Does your discoveryUri match what's in the console?
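To make the two questions above concrete, here is an added example (not code from this issue or from the okta-oidc-android SDK) that shows what the browser sign-out round-trip actually consists of, following the OIDC RP-Initiated Logout flow: the SDK's discoveryUri resolves to a discovery document whose end_session_endpoint is opened in the browser with an id_token_hint, the configured endSessionRedirectUri as post_logout_redirect_uri, and a state value. The discovery JSON, the registered redirect URI set and the id token placeholder are all constructed for the example; the helper names (endSessionEndpoint, redirectCheck, buildLogoutUrl, newState) are assumptions and not SDK API.

```kotlin
import java.net.URLEncoder
import java.security.SecureRandom
import java.util.Base64

// Constructed sample, not taken from the issue: a fragment of an OIDC discovery document.
// The SDK fetches the real one from the configured discoveryUri.
const val SAMPLE_DISCOVERY_JSON = """{"issuer":"https://dev-example.okta.com/oauth2/default","end_session_endpoint":"https://dev-example.okta.com/oauth2/default/v1/logout"}"""

/** Pull end_session_endpoint out of the discovery JSON; null if the server advertises none. */
fun endSessionEndpoint(discoveryJson: String): String? =
    Regex("\"end_session_endpoint\"\\s*:\\s*\"([^\"]+)\"")
        .find(discoveryJson)?.groupValues?.get(1)

/** Random opaque state so the logout callback can be tied to the request that started it. */
fun newState(): String {
    val bytes = ByteArray(16).also { SecureRandom().nextBytes(it) }
    return Base64.getUrlEncoder().withoutPadding().encodeToString(bytes)
}

/**
 * Explain whether a configured redirect URI would pass the server's registration check.
 * RP-Initiated Logout only allows redirects to registered values, compared as exact strings,
 * so a trailing slash or letter-case difference is enough to fail.
 */
fun redirectCheck(configured: String, registered: Set<String>): String {
    if (configured in registered) return "exact match"
    val norm = { u: String -> u.trimEnd('/').lowercase() }
    return if (registered.any { norm(it) == norm(configured) })
        "near miss: differs only by trailing slash or letter case"
    else
        "not registered"
}

/** Build the RP-initiated logout URL, or return null rather than send a request the OP would reject. */
fun buildLogoutUrl(
    endSessionEndpoint: String,
    idToken: String,
    postLogoutRedirectUri: String,
    registered: Set<String>,
    state: String
): String? {
    if (postLogoutRedirectUri !in registered) return null
    fun enc(s: String) = URLEncoder.encode(s, "UTF-8")
    return buildString {
        append(endSessionEndpoint)
        append("?id_token_hint=").append(enc(idToken))
        append("&post_logout_redirect_uri=").append(enc(postLogoutRedirectUri))
        append("&state=").append(enc(state))
    }
}

fun main() {
    val endpoint = endSessionEndpoint(SAMPLE_DISCOVERY_JSON)
        ?: error("discovery document has no end_session_endpoint; browser sign-out is not possible")
    // Constructed: the sign-out redirect URIs registered for the app in the admin console.
    val registered = setOf("com.example.app:/logout")
    // Placeholder: the real id_token is the one the SDK stored at sign-in.
    val idToken = "ID_TOKEN_PLACEHOLDER"
    for (configured in listOf("com.example.app:/logout", "com.example.app:/logout/")) {
        println("endSessionRedirectUri=$configured -> ${redirectCheck(configured, registered)}")
        println("  logout URL: ${buildLogoutUrl(endpoint, idToken, configured, registered, newState())}")
    }
}
```

Two things follow from this shape. If discoveryUri points at a different issuer than the one the user signed in through, the end_session_endpoint that gets opened belongs to that other issuer, so the browser session the user actually holds is never addressed. And if endSessionRedirectUri is not an exact string match for a registered sign-out redirect URI, the server has no registered place to send the browser back to and the request fails rather than completing the logout; the second loop iteration above shows a near miss that differs only by a trailing slash. Comparing the two values character for character against the admin console is the first check to run when local sign-out reports success but the browser still has a session.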