
Comments (10)

srgray commented on May 24, 2024 1

I ended up circumventing this behavior by implementing a variant of the suggestion: I only call SafariWebAuth.clearSession when my SAML users do a logout action. This allows me to do a federated logout for them and not for my Database Connection users. I identify my SAML users by looking for 'samlp' in the UserProfile sub property, as you suggested.

I chose this way because I don't have easy access to the WebAuth object to add parameters because I'm using the Lock.swift library which wraps the WebAuth object.

Thanks for your help in working through this.

from auth0.swift.

cocojoe commented on May 24, 2024 1

Great, as an FYI you can specify parameters in the Lock options that will be passed through to webAuth.

.withOptions {
    $0.parameters = ["prompt" : "login"]
}

cocojoe commented on May 24, 2024

Hey @srgray, can you walk me through the steps to reproduce, and also what iOS you were testing on? Thx

srgray commented on May 24, 2024

@cocojoe

I have tested this on iOS 10.2 and 11.1 simulators. The behavior is the same for both iOS 10/11.

Here are my Auth0 configuration details:
I have 2 types of users in my Auth0 configuration: those associated to a Database Connection and those associated to an Enterprise Connection (SAML IDP). For my SAML Connection configuration, I have specified a 'Sign Out URL'.

My iOS application, upon user action of Logout, invokes the SafariWebAuth.clearSession function with 'federated' parameter = true for all users (regardless of user type). For the SAML users, they are properly redirected to the configured SAML 'Sign Out URL' and successfully signed out of the SAML IDP (further notes on: #175 ).

But, upon Logout, my non-SAML users (Database Connection) are also redirected to the configured SAML 'Sign Out URL'.

My assumption is that Auth0 would be able to recognize the type of user and appropriately redirect only the SAML users to the SAML 'Sign Out URL'.

cocojoe commented on May 24, 2024

If the authentication was performed using a Database Connection, you don't really log out; all you are looking to do is clear the last login session, which would be the DB connection (presuming you are using WebAuth for everything?), so you would call clearSession without federated.

I am wondering whether, if you call it with federated, it perhaps remembers the last federated connection, e.g. SAML.

clearSession may not be the best option for every possible use case, you should also have a look at the SAML Logout Docs https://auth0.com/docs/logout#saml-logout.

cocojoe commented on May 24, 2024

An alternative approach is to force a login, if you add .parameters(["prompt" : "login"])

srgray commented on May 24, 2024

Yes, I am using WebAuth (through the Lock.swift library).

Can you explain more about .parameters(["prompt" : "login"]) ? Is that something to add to the WebAuth object?

cocojoe commented on May 24, 2024

Sorry, yes add that to your WebAuth object.

login
The Authorization Server SHOULD prompt the End-User for reauthentication.

So when you have logged in for example with the Database connection, instead of calling clearSession, you could set a flag somewhere so next time you call WebAuth you add the prompt key with value login to force a reauthentication.

srgray commented on May 24, 2024

OK, I'll give this a try.

What is the recommended way for my iOS app to 'know' that a Database Connection was used to login (so that I can set a flag for the next call to WebAuth)?

cocojoe commented on May 24, 2024

Take a look at https://auth0.com/docs/user-profile/normalized/auth0#uniquely-identify-users for the general idea.

When you retrieve the UserProfile, check the sub property.

from auth0.swift.
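
Added example (not code from the thread or from auth0.swift): one way to make the per-user logout decision discussed above, choosing between a federated clearSession and prompt=login based on the sub property. It assumes sub has the form provider|id; LogoutAction, identityProvider and logoutAction are hypothetical names, and the sample values are constructed.

```swift
import Foundation

// What the app should do when the user taps "Log out".
enum LogoutAction: Equatable {
    // SAML user: clear the Auth0 session and the IdP session
    // (clearSession with federated = true, as described in the thread).
    case federatedClearSession
    // Any other connection: skip clearSession and pass these extra
    // parameters on the next WebAuth/Lock login to force reauthentication.
    case reauthenticateOnNextLogin(parameters: [String: String])
}

// Assumption: sub looks like "<provider>|<id>", e.g. "auth0|..." for a
// Database Connection and "samlp|<connection>|<id>" for a SAML connection.
func identityProvider(fromSub sub: String) -> String? {
    guard let bar = sub.firstIndex(of: "|"), bar != sub.startIndex else {
        return nil // no separator or empty provider: treat as unknown
    }
    return String(sub[..<bar])
}

func logoutAction(forSub sub: String) -> LogoutAction {
    // Compare the provider segment exactly. A substring search for "samlp"
    // would also match an identifier that merely contains that text.
    if identityProvider(fromSub: sub) == "samlp" {
        return .federatedClearSession
    }
    return .reauthenticateOnNextLogin(parameters: ["prompt": "login"])
}

// Constructed sample values, not taken from the thread.
let samples = [
    "samlp|example-saml-connection|jane@example.com",
    "auth0|5f0c1a2b3c4d5e6f7a8b9c0d",
    "auth0|legacy-samlp-import-42",
    "malformed-sub-without-separator",
]
for sub in samples {
    print(sub, "->", logoutAction(forSub: sub))
}
```

The third sample is the case a plain "contains samlp" check would misclassify as a SAML user and redirect to the SAML 'Sign Out URL'.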
