
When a user signs out of an ADAL account on iOS, they can sign back in without entering their password. As I understand this is for SSO.

Are there any reliable ways for a user to sign themselves out?

I was able to with some apps like Word when I used the Authenticator app. Then there are other apps that just have in app ADAL web UI and don't add accounts to Authenticator.

iseletsky
    How are you signing out? You need to throw away the tokens and open the web page `https://login.microsoftonline.com/common/oauth2/logout?post_logout_redirect_uri=yourappurl` – Paulw11 Jan 18 '18 at 21:24
  • This seems like a dupe of https://stackoverflow.com/questions/29029948/how-to-logout-from-ios-adal-authentication – Brandon Werner Jan 26 '18 at 18:51
  • I can try the things they talk about in the other thread. It seemed like the ADALiOS SDK was purposely obfuscating this away and that we're not supposed to wipe the tokens. I myself actually broke the login state of apps on my phone by accessing defaultCache but I can look into it again. – iseletsky Feb 09 '18 at 23:38

1 Answer


One of the reasons tokens are used is scalability. If you made a request to the Identity Provider for every request coming to your resource, you would pay a price:

  • network delay
  • computational overhead of the Identity Provider

Tokens are conceived to be self-contained, to avoid this round-trip and to distribute the computational overhead. To achieve this, tokens must be without state. Tokens are valid until they expire and deleting a token doesn't mean revoking its validity.

You might somehow manage a mechanism to revoke tokens, but this would give up statelessness and would re-introduce the need for a communication mechanism such as a distributed cache or a database, with the problems that this would entail:

  • network traffic
  • overhead for each single request
  • memory/disk contention

The lack of logout with tokens is one of the drawbacks we have to accept to make systems more scalable.

  • This is a good explanation. I see in the other thread linked from here https://stackoverflow.com/questions/29029948/how-to-logout-from-ios-adal-authentication that people are accessing defaultCache and wiping the tokens. – iseletsky Feb 09 '18 at 23:39
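The trade-off the answer describes, shown as an added example that is not part of the question, the answer, or the ADAL SDK. It uses a constructed HMAC-signed token and a constructed signing key (both assumptions made here for the demo), a stand-in for the app-side token cache, and a resource server that validates statelessly. Wiping the cache makes the app forget the token, but a retained copy still verifies until `exp`; only the stateful revocation list (which every request must consult) rejects it earlier.

```python
import base64
import hashlib
import hmac
import json
import time
from typing import Optional

# Constructed demo key; a real resource server verifies against the IdP's signing key.
SIGNING_KEY = b"demo-signing-key-not-for-production"


def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def issue_token(subject: str, lifetime_s: int, now: Optional[float] = None) -> str:
    """Identity-provider side: mint a self-contained token (claims + HMAC-SHA256 signature)."""
    now = time.time() if now is None else now
    payload = {"sub": subject, "iat": int(now), "exp": int(now) + lifetime_s}
    body = _b64(json.dumps(payload, separators=(",", ":")).encode())
    sig = hmac.new(SIGNING_KEY, body.encode(), hashlib.sha256).digest()
    return f"{body}.{_b64(sig)}"


def verify_stateless(token: str, now: Optional[float] = None) -> Optional[dict]:
    """Resource-server side: accept any token whose signature checks and whose exp is in the
    future. No round-trip to the IdP, so nothing the client does locally changes the result."""
    now = time.time() if now is None else now
    try:
        body, sig = token.split(".")
        expected = hmac.new(SIGNING_KEY, body.encode(), hashlib.sha256).digest()
        if not hmac.compare_digest(expected, _unb64(sig)):
            return None
        claims = json.loads(_unb64(body))
    except ValueError:  # malformed structure, bad base64 or bad JSON
        return None
    if claims["exp"] <= now:
        return None
    return claims


class ClientTokenCache:
    """Stand-in for the app-side cache (the defaultCache mentioned on the page). Clearing it
    only forgets the token; it does not change what the resource server will accept."""

    def __init__(self) -> None:
        self._tokens = {}

    def store(self, user: str, token: str) -> None:
        self._tokens[user] = token

    def get(self, user: str) -> Optional[str]:
        return self._tokens.get(user)

    def clear(self) -> None:
        self._tokens.clear()


class RevocationList:
    """The stateful alternative from the answer: a shared store the resource server must
    consult on every request, at the cost of an extra lookup and storage until each exp."""

    def __init__(self) -> None:
        self._revoked = set()

    def revoke(self, token: str) -> None:
        self._revoked.add(token)

    def verify(self, token: str, now: Optional[float] = None) -> Optional[dict]:
        if token in self._revoked:
            return None
        return verify_stateless(token, now)


def demo(now: float = 1_700_000_000) -> dict:
    """Walk through local sign-out vs. token validity; returns the observations."""
    cache = ClientTokenCache()
    token = issue_token("alice", 3600, now)
    cache.store("alice", token)
    retained_copy = token          # a copy that exists outside the app cache
    cache.clear()                  # "sign out" by wiping the local cache
    revocation = RevocationList()
    revocation.revoke(token)       # what a stateful logout would record server-side
    return {
        "cache_empty_after_signout": cache.get("alice") is None,
        "still_valid_after_local_signout": verify_stateless(retained_copy, now + 60) is not None,
        "rejected_after_expiry": verify_stateless(retained_copy, now + 3601) is None,
        "rejected_with_revocation_list": revocation.verify(retained_copy, now + 60) is None,
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The practical reading for the question: deleting cached tokens and hitting the IdP's logout endpoint ends the sign-on session so the next login prompts again, but an access token that has already been issued keeps verifying at resource servers until it expires, which is why short token lifetimes (and refresh-token revocation at the IdP) are the usual mitigation rather than client-side deletion alone.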