12

I have an Android app developed in Java. For this app I am using the IdentityServer4 as my STS and everything is working fine. But I couldn't find any implementation to log out in the AppAuth library. Can anyone help me with this? I really need the logout option in my app, so the users can log out from the app whenever they want and log back in again. Any ideas, samples would be greatly appreciated.

Madhu

2 Answers

12

I am the lead maintainer of AppAuth.

Logout is usually as simple as discarding the AuthState object, in order to forget the acquired tokens. If you are referring to also signing the user out of the OpenID identity globally, there is a draft standard for this:

http://openid.net/specs/openid-connect-frontchannel-1_0.html

AppAuth does not support this, as we do not wish to include in-progress standardization work in the core library. It would be relatively simple to write an extension library to fulfill this particular purpose.

The documentation for IdentityServer4 on logout is empty, so I don't know what mechanism they provide for logout and whether it follows any particular standard (draft or otherwise). I suggest you contact the developers of IdentityServer4 for more information.

iainmcgin
  • Thanks for the answer. As of August 2018, the logout is still in draft (https://openid.net/specs/openid-connect-session-1_0.html#RPLogout). Does that mean that AppAuth still recommends to simply discard the AuthState object? – yostane Aug 02 '18 at 14:58
  • AppAuth-iOS recently added some support for logout that we intend to replicate in the Android implementation, which is mostly contingent on supporting generalized browser request dispatch and response handling. – iainmcgin Aug 14 '18 at 20:50
  • Any updates on AppAuth-Android's support for logout? – Shishir Shetty Dec 07 '18 at 19:58
  • An update to this answer would be great. Am I right in thinking using `prompt: "login"` is the recommended way of handling? – Tom Feb 18 '20 at 07:48
2

You can add `.setPrompt("login")` to `AuthorizationRequest.Builder`, and it will ask for credentials again. According to OpenId docs

https://github.com/openid/AppAuth-Android/issues/215

rafsanahmad007
  • This approach does not maintain the persisting of the user using the keep me signed in option. If prompt is set to login, you will not see the keep me signed in checkbox below. Meaning every time the authorise endpoint is called, the user will need to enter their username and password instead of automatically logging them in – Chief Jul 30 '20 at 11:14
  • I thought this would solve my problem too. But the authentication server is free to ignore this request. And in my experience they usually do. Sigh. – SMBiggs Jul 09 '21 at 20:41
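
The two answers above combined into one helper, as an added example that is not code from either answer or from the AppAuth project: logout discards the persisted `AuthState`, and the next sign-in sends `prompt=login`, which, as the comments note, the authorization server may ignore. The class name `SessionManager`, the preference names and the scope string are assumptions for illustration.

```java
import android.content.Context;
import android.content.Intent;
import android.content.SharedPreferences;
import android.net.Uri;
import net.openid.appauth.AuthState;
import net.openid.appauth.AuthorizationRequest;
import net.openid.appauth.AuthorizationService;
import net.openid.appauth.AuthorizationServiceConfiguration;
import net.openid.appauth.ResponseTypeValues;
import org.json.JSONException;

/** Hypothetical helper: local logout and forced re-authentication with AppAuth-Android. */
public final class SessionManager {
    private static final String PREFS = "auth";           // assumed preference file name
    private static final String KEY_STATE = "auth_state"; // assumed key for the serialized AuthState
    private final SharedPreferences prefs;

    public SessionManager(Context context) {
        prefs = context.getApplicationContext().getSharedPreferences(PREFS, Context.MODE_PRIVATE);
    }

    /** Returns the persisted AuthState, or an empty (unauthorized) one if none is readable. */
    public AuthState load() {
        String json = prefs.getString(KEY_STATE, null);
        if (json == null) return new AuthState();
        try {
            return AuthState.jsonDeserialize(json);
        } catch (JSONException e) {
            return new AuthState(); // corrupt state is treated as signed out
        }
    }

    public void save(AuthState state) {
        prefs.edit().putString(KEY_STATE, state.jsonSerializeString()).apply();
    }

    /** Local logout: forget the tokens. Callers must also drop any AuthState held in memory. */
    public void logout() {
        prefs.edit().remove(KEY_STATE).commit(); // synchronous, so the tokens are gone on return
    }

    /** Builds the next sign-in with prompt=login so the server is asked for credentials again. */
    public Intent newLoginIntent(AuthorizationService service,
            AuthorizationServiceConfiguration config, String clientId, Uri redirectUri) {
        AuthorizationRequest request = new AuthorizationRequest.Builder(
                config, clientId, ResponseTypeValues.CODE, redirectUri)
                .setScope("openid profile") // assumed scopes
                .setPrompt("login")
                .build();
        return service.getAuthorizationRequestIntent(request);
    }
}
```

Discarding the `AuthState` only removes the tokens from the device; the browser session at the identity provider is untouched, which is why the sign-in request carries `prompt=login`.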