We're experiencing an issue where, when signing out using either .revoke() and/or .signOut, all of that unique user's refreshTokens are removed from the SSO server.
This is an issue if a unique user has multiple devices, and then signs out on one of the devices. Then the refreshToken on the other device is also removed on the SSO server.
I can see on the SSO server that the Event Type of the revoke / signOut is of type "REVOKE_GRANT", and not "LOGOUT".
Is there any configuration of the signOut or revoke methods that does not cause the "REVOKE_GRANT" event on the SSO that I can use?
Thanks!
What is expected to happen?
All refreshTokens should not be removed from the SSO server.
What is the actual behavior?
All refreshTokens of a user are removed on the SSO server.
Reproduction Steps?
Use two devices. Sign in on both, and then sign out on one of them.
Additional Information?
No response
SDK Version(s)
1.8.0
Build Information
No response
pxmal changed the title from "Revoke and or signOut causes all RefreshTokens of a given user to be removed from SSO" to "Revoke and or signOut causes all RefreshTokens of a given user to be removed from SSO server" on Jan 30, 2025
Hi @mikenachbaur-okta
Is there a chance that you could give a short answer to this issue, that I can pass on to the rest of our team?
If anything is unclear please let me know.
Thanks!
Turns out that I was wrong; I just didn't have a logoutRedirectUri in my WebAuthentication object, and then a guard statement just returned since logoutFlow was nil while using signOut(from: window).
I still wish that it was possible to call something like Credential.endSession() similar to Credential.revoke(), for ending session / logging out instead of revoking.
When using the signOut(from: window) I get the annoying 'sign in' alert, which doesn't make any sense while logging out (I realise this is an Apple limitation).
Maybe I will switch to using ephemeralSession = true, and then still use signOut(from: window), since then at least the 'sign in' alert won't appear. I do however prefer that the browser shares the session cookie, so I'm not sure yet.