okta / okta-oidc-android

OIDC SDK for Android
https://github.com/okta/okta-oidc-android

WebAuthClient signOutOfOkta not clearing device browser session #331

Closed alizaidi606 closed 1 year ago

alizaidi606 commented 1 year ago

Describe the bug?

When the login cycle initiates it opens custom tabs based browser where after entering credentials it successfully redirects back to the app. A session is also created in the device browser.

But when signOutOfOkta is called, the SDK does not clear the device browser's session.

What is expected to happen?

Since the device browser session is created upon webAuthClient.signIn, it should also be cleared on webAuthClient.signOutOfOkta.

What is the actual behavior?

The device browser session is not cleared and the user remains logged in to the device browser.

Reproduction Steps?

Additional Information?

No response

SDK Version

Tested on Android 9

Build Information

No response

JayNewstrom commented 1 year ago

Hi @alizaidi606, I'm not able to reproduce this. Do you see any errors in the logs? Can you recreate this with one of our samples? https://github.com/okta/samples-android/tree/master/browser-sign-in

alizaidi606 commented 1 year ago

@JayNewstrom thanks for the response, let me try this with this sample.

alizaidi606 commented 1 year ago

@JayNewstrom same behavior with this sample as well: signOutOfOkta does sign out from the application, but the session persists in the device browser.

JayNewstrom commented 1 year ago

Can you tell me more about how your org is set up in the Okta admin dashboard, or reach out to support? This is definitely a behavior that we shouldn't see, but I can't reproduce it.

alizaidi606 commented 1 year ago

Ok, let me try reaching out to support, as I am not sure I'll be able to explain everything here.

Just to re-confirm: upon calling webAuthClient.signOutOfOkta, the device browser session should also clear, right? Not just the custom-tabs session.

In my case I tried with Gmail and also our organization's G Suite domain, and both remain logged in to the device browser after webAuthClient.signOutOfOkta.

JayNewstrom commented 1 year ago

Signing out of Okta will not sign you out of a social IdP (such as Google), if you're signing in with one. If your org is set up to always use that social IdP, it will try to recreate your Okta session using the social IdP, which might make it seem like your Okta session wasn't removed.

JayNewstrom commented 1 year ago

I'm going to close this issue for now, but if something new comes up, let me know and I can reopen.