authorize() caches credentials

[kuznetsov-from-wonderland]

Issue

IOS+Android issue. authorize() automatically logs users in WITHOUT ASKING FOR CREDENTIALS (for the 2nd time)

---

Environment

• Your Identity Provider: IdentityServer 4
• Platform that you're experiencing the issue on: both
• Are you using Expo? No
• "react-native-app-auth": "^6.2.0",

System:
OS: macOS 10.15.7
CPU: (12) x64 Intel(R) Core(TM) i9-8950HK CPU @ 2.90GHz
Memory: 307.18 MB / 32.00 GB
Shell: 5.7.1 - /bin/zsh
Binaries:
Node: 14.13.1 - /usr/local/bin/node
Yarn: 1.22.10 - /usr/local/bin/yarn
npm: 6.14.8 - /usr/local/bin/npm
Watchman: 4.9.0 - /usr/local/bin/watchman
Managers:
CocoaPods: 1.10.1 - /Users/myusername/.rvm/rubies/ruby-2.6.3/bin/pod
SDKs:
iOS SDK:
Platforms: iOS 14.2, DriverKit 20.0, macOS 11.0, tvOS 14.2, watchOS 7.1
Android SDK:
API Levels: 16, 23, 27, 28, 29, 30
Build Tools: 28.0.3, 29.0.2, 29.0.3, 30.0.2
System Images: android-29 | Google APIs Intel x86 Atom, android-29 | Google Play Intel x86 Atom
Android NDK: 21.3.6528147
IDEs:
Android Studio: 4.1 AI-201.8743.12.41.7042882
Xcode: 12.2/12B45b - /usr/bin/xcodebuild
Languages:
Java: 1.8.0_222 - /usr/bin/javac
Python: 2.7.16 - /usr/bin/python
npmPackages:
@react-native-community/cli: Not Found
react: 16.11.0 => 16.11.0
react-native: 0.62.2 => 0.62.2

const OAuthConfig: AuthConfiguration = {
  serviceConfiguration: {
    authorizationEndpoint: 'https://id.myserver.com/oauth2/authorize',
    tokenEndpoint: 'https://id.myserver.com/oauth2/token/',
    revocationEndpoint,
  },
  clientId: 'MY_CLIENT_ID',
  clientSecret: 'MY_CLIENT_SECRET',
  redirectUrl: 'myApp://oauth',
  scopes: ['introspection', 'profile:read'],
  additionalParameters: { prompt: 'login' },
}

If I logout, for the next login I'm not asked to enter credentials and I'm being logged in automatically. We don't want this to happen - instead we want to ask user enter credentials every time

[kuznetsov-from-wonderland]

Dear All! Any solutions?

[pke]

Hitting this also since a few days. Thinking it was a change in the OpenID Server we are using but could also be related to this module here.

[FlacorLopes]

I'm facing the same issue on Android

I've been having the same issue on iOS, but the error only shows up on iOS 14.5

Your Identity Provider: IdentityServer 4
Platform that you're experiencing the issue on: iOS
Are you using Expo? No, bare react-native
"react-native-app-auth": "^6.2.0",

iOS: It works as expected with multiple iPhone simulators running iOS 14.3, and it works as expected on a physical iPhone 11 Pro + TestFlight running iOS 14.4.2

Android: I haven't tested much on Android, but so far it's working ok on an emulated Pixel 4 w/ API 30.

Building with Xcode 12.5 and Android Studio 4.1.3

[mtoninelli]

Your Identity Provider: IdentityServer 4
Platform that you're experiencing the issue on: iOS
Are you using Expo? No, bare react-native
"react-native-app-auth": "^6.2.0",

How to trigger a full session logout that makes re-signin in IdentityServer again?

[RoBYCoNTe]

Hi,
we are having some problems too. After logout (we use revoke to execute logout, is it true?), we want to request new credentials for login but the browser automatically sign-in with old credentials.

Anyone as informations to share?

[RoBYCoNTe]

My update
After few research I've discovered this ISSUE related to OIDC: openid/AppAuth-iOS#542

I've seen this ISSUE and @kuznetsov-from-wonderland has this parameter in his configuration, I'm referring to this:
additionalParameters: { prompt: 'login' },

I've added this to my OIDC configuration and I can confirm that everything is working OK. I'm able to execute login/logout with re-entering credentials. Hope my experience can help you too.

My configuration:

• react-native 0.64.1
• react-native-app-auth 6.3.0

[Pouiiro]

any update on this ? facing same issue!

[unicornRainbows]

Same issue here..

[RyoukoKonpaku]

Likely related to #68 as you're only logging off on the app, but not the IDP itself. The browser window that opens when you initiate authorize still has the session cookie for that last valid login, that needs to be deleted by initiating an endsession redirect to the IDP (IS4 in the docs I linked) for it to remove the cookie.

Both App-Auth-Android and IOS supports these on their latest versions, not sure how in this library.
openid/AppAuth-Android#525
openid/AppAuth-iOS#259

You could also use the the revoke endpoint via revoke() on docs, but that's only supported for reference tokens if I recall.

[CptMaumau]

This is happening to me on microsoft sign in after I revoke the access manually on microsoft. I wanna know if it's a microsoft issue on session still working even thought I revoked the access or an authorize issue.

[adriancb]

We're seeing the same as @s-cannon. On iOS 14.5 or higher. 14.4 behaves as expected.

My guess, without diving deeper, is that a change to SFAuthenticationSession has happened between versions. SFAuthenticationSession is deprecated in favour of ASWebAuthenticationSession which has the prefersEphemeralWebBrowserSession property.

Useful links below:
https://developer.apple.com/documentation/authenticationservices/authenticating_a_user_through_a_web_service

https://developer.apple.com/documentation/safariservices/sfauthenticationsession
https://developer.apple.com/documentation/authenticationservices/aswebauthenticationsession

[chefk5]

@RoBYCoNTe solution fixed the issue for me.

[DharmikSuccessive]

Issue still open, Any work around or solution?

[anshpat2826]

Any solution for it?