
Suppress system dialog and browser pop-up after Sign Out when using Social Sign In / Hosted UI #530

Open
fotiDim opened this issue Apr 21, 2021 · 13 comments
Labels
auth Issues related to the Auth Category feature-request A request for a new feature or an enhancement to an existing API or category. service-team

Comments

@fotiDim

fotiDim commented Apr 21, 2021

Updated Request

Feature Request

The ability to sign out a user that is signed in via Hosted UI without presenting the user with a system dialog or opening a browser window.

Suppressing the system dialog and/or browser window should not compromise security or UX. That is, tokens that allow the user to obtain a valid Cognito session should not remain in the browser, and users should be able to sign out and sign in with a new user.

Context

When a user signs in with Hosted UI, Cognito sets a session token in the browser. This token is valid for 1 hour and allows the user to fetch a valid Cognito session without re-authenticating. When signing a user out, this token needs to be cleared by launching the logout URI. This presents a system dialog to the user on iOS, and briefly opens and then closes a browser on Android.

Original Request

Describe the bug
We wanted to avoid getting the native sign-in dialog when signing out. This dialog comes from iOS itself when using the ASWebAuthenticationSession framework (aka SSO for iOS) and is not customizable. It is misleading as it mentions "Sign In" even though the user is signing out.

We tried instead to sign out by opening Cognito's logout url in Safari but it seems that the native iOS SDK persists the token in the keychain. We verified that by deleting and reinstalling the app and seeing that we were still logged in automatically.

We need a way to clear the keychain silently without triggering the ASWebAuthenticationSession dialog. The native iOS SDK already has this method. Please Expose signOut() from the native iOS SDK. Currently the Flutter SDK is using signOut(options:completionHandler:).

Sign out will be a 2 step process for us:
- Call signOut() in order to clear the keychain (without getting the ASWebAuthenticationSession dialog)
- Open Cognito's logout url in Safari in order to clear the cookies from Safari

Platform
Amplify Flutter currently supports iOS and Android. This issue is reproducible in (check all that apply):
[ ] Android
[x] iOS

@Ashish-Nanda Ashish-Nanda added the auth Issues related to the Auth Category label Apr 21, 2021
@haverchuck
Contributor

haverchuck commented Apr 22, 2021

@fotiDim When you say "Please Expose signOut() from the native iOS SDK", what exactly do you mean? amplify-ios or aws-sdk-ios? I am assuming you mean aws-sdk-ios but I would like to make sure. And you want this method exposed because it clears the keychain without opening Hosted UI or presenting an ios dialog?

@fotiDim
Author

fotiDim commented Apr 24, 2021

@haverchuck I am referring to this signOut() method. I guess it is part of the aws-sdk-ios. Correct, we need it in order to clear the keychain without getting the iOS dialog.

@haverchuck
Contributor

@fotiDim Are you still wanting to avoid the native sign-in dialog when you signIn?

@haverchuck
Contributor

haverchuck commented May 5, 2021

Related to this issue

@fotiDim
Author

fotiDim commented May 5, 2021

@fotiDim Are you still wanting to avoid the native sign-in dialog when you signIn?

@haverchuck yes, nothing changed on our side.

@rmargolinross

#379

@DriftingShadows

@fotiDim Are you still wanting to avoid the native sign-in dialog when you signIn?

The biggest issue seems like it popping up when signing out, not signing in.

@abdallahshaban557 abdallahshaban557 added the feature-request A request for a new feature or an enhancement to an existing API or category. label Nov 17, 2021
@haverchuck
Contributor

haverchuck commented Nov 18, 2021

@fotiDim I realize this isn't the exact use case here, but I want to call out that we've implemented a preferPrivateSession flag in the signInWithWebUI API:

await Amplify.Auth.signInWithWebUI(
  options: const CognitoSignInWithWebUIOptions(
    isPreferPrivateSession: true
  )
)

@Washoo

Washoo commented Mar 30, 2022

@fotiDim I realize this isn't the exact use case here, but I want to call out that we've implemented a preferPrivateSession flag in the signInWithWebUI API:

Using the sign in with social identity providers keeps showing the pop-up.

@Jordan-Nelson
Member

@Washoo If you are still seeing the pop-up with preferPrivateSession set, can you share the code snippet where you are invoking this?

@Jordan-Nelson
Member

Jordan-Nelson commented Aug 22, 2022

Hello everyone - I wanted to give an update since it has been a while without one.

preferPrivateSession is currently the only way to prevent the dialog from showing on sign out. This dialog (and the browser window on Android) displays because Amplify opens the Hosted UI logout endpoint after sign out. This endpoint is used to clear the session cookie which is set by Cognito during Hosted UI sign in. This cookie is a session token that lasts one hour, which prevents users from having to re-authenticate for that time period. We clear this on sign out for two reasons: 1) security, and 2) to allow another user to sign in.

The original request was to expose the logout API from the SDK, which doesn't show the dialog. The issue with this is that it does not clear the token. Also, we are moving to a pure dart re-write, so exposing something from the iOS SDK doesn't really make sense.

I think the feature that most folks are looking for is for a way to not show the dialog and/or browser. To do this we need to prevent the token from being set in the browser. preferPrivateSession prevents all cookies from being set on iOS, so it is one way to accomplish it. preferPrivateSession has the consequence of preventing all cookies from being set though, not just this token. This also doesn't help on Android, where a browser window shows on logout.

I think it makes sense to update this issue to reflect the request to suppress any dialog or browser from showing on logout (without compromising security and user experience). Please let me know if anyone is looking for something different than this.
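The iOS-side workaround the maintainers describe above, as an added example that is not code from this issue or from the Amplify project: sign in through the Hosted UI with isPreferPrivateSession so Cognito's one-hour session cookie is never persisted, and sign out with globalSignOut so the refresh token is also revoked server-side. It assumes the amplify_flutter API of the time (signInWithWebUI, SignOutOptions with a globalSignOut flag, AuthException) and the constructed app class name HostedUiAuth.

```dart
import 'package:amplify_flutter/amplify_flutter.dart';

/// Added example wrapper (hypothetical name) for the Hosted UI flow
/// discussed in this issue; not code from the issue or from Amplify.
class HostedUiAuth {
  /// Signs in through the Hosted UI in a private (ephemeral) web session.
  /// On iOS this means the Cognito session cookie is not persisted, so
  /// there is nothing for the logout endpoint to clear and, per the
  /// maintainers' comment, no system dialog on sign out.
  /// Caveats from the thread: every cookie is dropped, not just Cognito's,
  /// and Android still opens a browser window on logout.
  static Future<bool> signIn({AuthProvider? provider}) async {
    try {
      final result = await Amplify.Auth.signInWithWebUI(
        provider: provider, // e.g. AuthProvider.google for social sign-in
        options: const CognitoSignInWithWebUIOptions(
          isPreferPrivateSession: true,
        ),
      );
      return result.isSignedIn;
    } on AuthException catch (e) {
      print('Hosted UI sign-in failed: ${e.message}');
      return false;
    }
  }

  /// Clears local tokens and asks Cognito to revoke the refresh token
  /// (globalSignOut), so credentials left on the device after sign-out
  /// cannot be used to obtain a new session for the same user.
  static Future<bool> signOut() async {
    try {
      await Amplify.Auth.signOut(
        options: SignOutOptions(globalSignOut: true),
      );
      return true;
    } on AuthException catch (e) {
      print('Sign-out failed: ${e.message}');
      return false;
    }
  }
}
```

Amplify.configure must have been called with the Hosted UI (OAuth) section present before either method runs, exactly as for the snippet shown earlier in the thread.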

@Jordan-Nelson Jordan-Nelson changed the title Expose logout() from the iOS SDK Suppress system dialog and browser pop-up after Sign Out when using Social Sign In / Hosted UI Aug 23, 2022
@Jordan-Nelson
Member

One possible option for resolving this is to prevent Cognito from setting the token in the browser. There is a similar request in Amplify-JS - aws-amplify/amplify-js#3933

@mridboy96

Hi, I have been reading through all the updates with regard to the browser redirection / dialogs being shown when a user signs out when using hostedUI.
On my iOS device the preferPrivateSession works as expected, however on my Android device there is still a browser redirection that is happening. I have also been keeping track of the developer preview version that solves / makes this functionality much more seamless, however until the stable version is released I am just trying to understand if there is anything different we need to do for the Android OS to prevent the redirection (I have both preferPrivateSession and global sign out added in my setup).
