SFAuthenticationSession/ASWebAuthenticationSession and logging out


Problem description

I'm planning to switch an app from the old OAuth flow with the SFSafariViewController to the new flow with iOS 11's SFAuthenticationSession. Logging in isn't an issue, the transfer to the new API took me a few minutes to implement. However logging out has me baffled.

How?

I can't find any mention of wanting to offer the option of logging out anywhere in the docs. Using the old SFSafariViewController to invalidate the cookies? Nope, they're not shared anymore with SFAuthenticationSession. As soon as I restart the authentication session the user gets logged in automatically and there's no way out. So how to enable logging out? Or am I simply overlooking something completely obvious?

Update: I found a "way that works" in a technical sense, but it's bonkers for the user: Open a new SFAuthenticationSession on the logout page that clears the cookie. But that means when logging out the alert view asks the user again whether he'd like to log in via the service. If yes is selected ("logging in"), the cookie clearing logout page is opened, the user has to manually dismiss the view, which can be caught by the completion handler and we know we can open the login view again.. displaying the login prompt to log out? I really don't like this solution.

Any ideas? Am I still overlooking a completely obvious solution?

Update 2: As no one has any clue about this issue so far, this is probably not an easy one. I have filed a suggestion with Apple via their report tool to either clarify how to handle this or build it into the API if not available. Will post if I get an answer.

Update 3: After pondering the issue a bit more we found another possible (although also unattractive) solution if you can influence the login page of the OAuth provider: make cookies very short lived. Then the login page can be opened without automatic log in. However this kills the whole purpose of sharing login sessions between apps.. and you need to be able to influence the login page.

Update 4: Since iOS 12 SFAuthenticationSession is deprecated and got replaced by ASWebAuthenticationSession. However ASWebAuthenticationSession does not change anything in regard to logging out. It's still not possible. Same issue as before.

Recommended answer

Update November 2020: We used @react-native-community/cookies to clear cookies as a workaround. See the snippet below as an example.

import CookieManager from '@react-native-community/cookies';

CookieManager.clearAll().catch(e => alert("Error deleting cookies during logout"))

Previous answer from April 2020. This may be helpful for anybody struggling with this. I've spent a few hours testing different options, going through apps and looking how they do it and reading forums/discussions.

  1. I haven't found a way to programmatically clear cookies and there is no documentation on Apple on this.
  2. Using FB as an example. Logging out from Safari and deleting FB app doesn't help. Any app which is downloaded will not ask for login to FB if you logged in once before through ASWebAuthenticationSession or SFAuthenticationSession.
  3. If users ask how to force login (even though it's not your problem as a developer) you can point them to: Settings -> Safari -> Advanced -> Website Data -> Remove All Website Data (or just the ones for the provider).
  4. If your use case needs switching of users (like in my case where we use Azure AD and users share 1 phone) you have 2 options. A) Open ASWebAuthenticationSession with the logout endpoint (as mentioned, this is very weird UX). B) Open Safari as a separate app (not inside yours) and do login/logout there. Unfortunately, there is no way to redirect the user to your app after logout if the OAuth provider doesn't support redirect on logout.

It sucks because this prevents developers from creating nice experiences on iOS for use cases where a business needs to share device between multiple users and OAuth is used as identity provider.
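
Option A from point 4, sketched in Swift as an added example that is not part of the original answer: the logout page is opened in an ASWebAuthenticationSession and the provider redirects back to the app, so the user does not have to dismiss the sheet by hand. It assumes the provider honours the OpenID Connect post_logout_redirect_uri parameter; the endpoint URL, the "myapp" scheme and the WebSignOut class name are placeholders.

```swift
import AuthenticationServices
import UIKit

// Assumptions (not from the post): the provider exposes an end-session endpoint
// that honours post_logout_redirect_uri, and the app has registered the custom
// URL scheme "myapp". Both values below are placeholders.
final class WebSignOut: NSObject, ASWebAuthenticationPresentationContextProviding {
    private let endSessionEndpoint = URL(string: "https://idp.example.com/oauth2/logout")!
    private let callbackScheme = "myapp"
    private var session: ASWebAuthenticationSession?   // strong reference while running

    /// Opens the provider's logout page in the shared browser session so the
    /// provider clears its own cookie, then returns to the app via redirect.
    func signOut(idToken: String?, completion: @escaping (Bool) -> Void) {
        var components = URLComponents(url: endSessionEndpoint, resolvingAgainstBaseURL: false)!
        var items = [URLQueryItem(name: "post_logout_redirect_uri",
                                  value: "\(callbackScheme)://signed-out")]
        if let idToken = idToken {
            items.append(URLQueryItem(name: "id_token_hint", value: idToken))
        }
        components.queryItems = items

        let session = ASWebAuthenticationSession(url: components.url!,
                                                 callbackURLScheme: callbackScheme) { [weak self] callbackURL, error in
            self?.session = nil
            // Success only if the provider redirected back. After a user cancel
            // (ASWebAuthenticationSessionError.canceledLogin) the cookie state is unknown.
            completion(error == nil && callbackURL?.host == "signed-out")
        }
        session.presentationContextProvider = self     // required on iOS 13+
        // Keep the default (false): an ephemeral session would not see the
        // provider cookie that this logout is meant to clear.
        session.prefersEphemeralWebBrowserSession = false
        self.session = session
        if !session.start() { self.session = nil; completion(false) }
    }

    func presentationAnchor(for session: ASWebAuthenticationSession) -> ASPresentationAnchor {
        // Key window of the connected scenes; adapt for multi-window apps.
        let windows = UIApplication.shared.connectedScenes
            .compactMap { $0 as? UIWindowScene }
            .flatMap { $0.windows }
        return windows.first(where: { $0.isKeyWindow }) ?? ASPresentationAnchor()
    }
}
```

Whatever the result, the app still has to delete its own stored tokens; the web logout only affects the provider's browser cookie.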
