IOS+Android issue. authorize() automatically logs users in WITHOUT ASKING FOR CREDENTIALS

[DiegoRealpe]

Issue

App Auth leverages the native browser to sign in users, this works all right when I sign in once. However, afterwards there is no apparent way to sign users out (unless you crash and reset the app).

Why?

After I log out my first user to log in a different user (clearing tokens/revoking tokens/hitting the logout endpoint to revoke provider's session), I navigate to my login screen and call authorize() again and instead of prompting for new credentials, it just logs in my first user AGAIN, and even worse, it doesn't even ASK for credentials anymore.

As far as I was able to deduce, the native browser that App Auth is leveraging, caches a local session with no way of clearing it, with the lovely feature of using this cached session to re-login my first user and exchanging for a fresh pair of access and refresh tokens, that I dont want them to have anymore.

I cant find how to revoke the local session that App Auth is storing. It stays active until the app is terminated but no other ways to log out and log back in.

[kadikraman]

You can configure this using additionalParameters. If you pass in:

additionalParameters: { prompt: 'login' }

then the user will always be shown the login prompt.

[Danushka50]

You can configure this using additionalParameters. If you pass in:

additionalParameters: { prompt: 'login' }

then the user will always be shown the login prompt.

Thanks a lot and save the day...

[gargacharya]

You can configure this using additionalParameters. If you pass in:

additionalParameters: { prompt: 'login' }

then the user will always be shown the login prompt.

This does not help me after applying this parameter it still does not ask to login again.

[kuzkokov]

Same here, this additional parameter doesn't do anything on an android emulator. But on iOS it seems to be default behavior: it asks credentials every time even when I remove the parameter. Actually, none of the additional parameters doesn't seem to have any effect at all.

@kadikraman do you have any ideas why is this could happening?

[mcousillas6]

Same issue here, any ideas on how we can clear browser cache on every auth call?

[francisleigh]

Yeah clearing browser cache would be V useful.
At the moment I can't log a user out when using PKCE flow.

If I log a user out and then click "Log in" which triggers the authorize method, it logs me back in automatically which is useful but not useful if say another user wants to log in on the same device.

[francisleigh]

See this answer with regards to Android Custom Tabs and not being able to clear their storage... this is a pretty blocking bug for me and I imagine for a lot of other users.

[kuznetsov-from-wonderland]

Any solutions here?
additionalParameters: { prompt: 'login' } doesn't work

[Robiullah2244]

You can configure this using additionalParameters. If you pass in:

additionalParameters: { prompt: 'login' }

then the user will always be shown the login prompt.

In my case, do not log out from the internal browser when logout from my app. For that, if I add additionalParameters: { prompt: 'login' }, then the browser takes me to the website as the logged-in user. Do you have any solution to this situation? I will be glad if you help me out

[imariic]

This is still an issue and I don't know how to fix it. Can somebody help me? I added additionalParameters: { prompt: 'login' }, but it didn't work.

[saurabh297]

Hi All,
I am also facing same issue additionalParameters: { prompt: 'login' }
it does not work please help me out if anyone resolved it.

[mus2mgit]

Did anyone resolve this... a big blocker for me. As everyone said on iOS the additional parameters doesn't do anything.

[mus2mgit]

I resolved it by calling the logout() function with endSessionEndpoint and postLogoutRedirectUrl set properly. It resets the session.