Appauth-android: How to forget last session?

Created on 27 Oct 2017  路  5Comments  路  Source: openid/AppAuth-Android

Hi,

I have a question, I use AppAuth-Android in my app, everything works well, but I don't know how to perform in app logout - i just want to AppAuth forgot last user logged in - because now it's automatically logging him back without asking for credentials so there is different user can't login.

I looking for something like deleting cookie in browser, I guess it should be done using AuthState but I didn't figure it out.

What should I do to achieve this goal?

Best regards

Most helpful comment

I checked a demo code, and previously I used the same approach, which only clears AuthState in the app.
If I'm not wrong clearing AuthState doesn't make anything with CustomTab used by library, and cookies stored in CustomTab can't be cleared that way, and they even shouldn't be.

Finally, after reading OpenId specification I understood that I should use "prompt" option in the request (http://openid.net/specs/openid-connect-core-1_0.html#AuthRequest)
Options like login or select_account should allow force user to login again using different account even if he has a cookie in the browser.

Notice for others server must be configured to support that, eg IdentityServer 4 have two options Nonce and Login,

@v-mas Thank you, for help

All 5 comments

library by itself does not have logout mechanism, you can check example application code that manages logout: https://github.com/openid/AppAuth-Android/blob/master/app/java/net/openid/appauthdemo/TokenActivity.java#L387

it basically remove old old AuthState keeping just server configuration (so it would not need to download it again)

Thank you I will check it

I checked a demo code, and previously I used the same approach, which only clears AuthState in the app.
If I'm not wrong clearing AuthState doesn't make anything with CustomTab used by library, and cookies stored in CustomTab can't be cleared that way, and they even shouldn't be.

Finally, after reading OpenId specification I understood that I should use "prompt" option in the request (http://openid.net/specs/openid-connect-core-1_0.html#AuthRequest)
Options like login or select_account should allow force user to login again using different account even if he has a cookie in the browser.

Notice for others server must be configured to support that, eg IdentityServer 4 have two options Nonce and Login,

@v-mas Thank you, for help

to test in demo app, add "prompt" to auth_config.json:

{
  "client_id": "native.code",
  ...
  "prompt": "login",
  ...
  "https_required": true
}

mPrompt to Configuration.java:

private String mPrompt;
...
@NonNull
public String getPrompt() { return mPrompt; }
private void readConfiguration() throws InvalidConfigurationException {
...
  mPrompt = getConfigString("prompt");
...
}

add to builder in LoginActiviy.java:
```
private void createAuthRequest(@Nullable String loginHint) {
...
if(mConfiguration.getPrompt() != null) {
authRequestBuilder.setPrompt(mConfiguration.getPrompt());
}
...
}

Was this page helpful?
0 / 5 - 0 ratings