What are best practices for logging out when using WebAuthenticator?

[jeyoor]

We are working on a mobile application that uses OAuth2/AppAuth to authorize access to some backend APIs.

Our understanding is that Xamarin.Essentials WebAuthenticator is the recommended replacement for Xamarin.Auth for our use case going forward.

When working with Xamarin.Auth, logging out would require sending the user's browser to a logout URL to clear the cookies. See, for example: xamarin/Xamarin.Auth#204

We could do something like opening the user's browser to our logout URL like this:

public class Logout
{
    public async Task<bool> OpenLogoutPage(Uri logoutUri)
    {
        return await Browser.OpenAsync(logoutUri, BrowserLaunchMode.SystemPreferred);
    }
}

From a user experience point of view, this can seem odd/jarring.

Is this still the required/recommended way to log out when using Xamarin.Essentials WebAuthenticator?

Thank you for your work on Xamarin.Essentials!

[jamesmontemagno]

It would be the same thing here and launch the logout URI as under the hood we are using very similar functionality of the browser recommendations. There aren't direct APIs that enable cookies to be removed.

I think in iOS 13 we could actually have an option to turn on private session so it is unique each time.
https://developer.apple.com/documentation/authenticationservices/authenticating_a_user_through_a_web_service

However, there isn't anything for Chrome Custom Tabs.

For UWP I think it doesn't save cookies at all from what I can see: https://docs.microsoft.com/en-us/windows/uwp/security/web-authentication-broker

[jeyoor]

Thank you for the help! This information is exactly what I needed.

[Lydecker]

@jamesmontemagno please can clarify your recommendation here:

It would be the same thing here and launch the logout URI as under the hood we are using very similar functionality of the browser recommendations.

Are you saying we should:

a) continue to use Browser.OpenAsync() to logout
b) use WebAuthenticator with the logout URL as the first argument to the call?

Thanks

[Lydecker]

@jeyoor - are you using Browser.OpenAsync() for logout?

If so, how do you handle closing the Safari window on iOS given there is no Browser.CloseAsync() option in Essentials?

Thanks

[jeyoor]

@Lydecker great question.We ended up building a custom post-logout page into our web backend system. The post-logout page redirects the user to the appropriate data uri for our app.Hope this helps,JeyOn Jun 1, 2020 7:12 PM, Lydecker <notifications@github.com> wrote: @jeyoor - are you using Browser.OpenAsync() for logout? If so, how do you handle closing the Safari window on iOS given there is no Browser.CloseAsync() option in Essentials? Thanks —You are receiving this because you were mentioned.Reply to this email directly, view it on GitHub, or unsubscribe.

[Lydecker]

Hi @jeyoor - thanks for your quick reply.

So currently we have a custom post-logout page on our web backend which redirects the user to the custom uri for the app - so we did the same as you - however what I'm not understanding is how you automatically close the Browser in the app on iOS once the custom uri is received after logout?

Thanks

[jeyoor]

@Lydecker,Thank you for the feedback. I am not quite sure how our team specifically implemented closing the browser on iOS.I assumed that when we redirected back to the app they detected this in the AppDelegate.cs OpenUrl method and displayed an appropriate view that moved the browser to the background, but perhaps there was more to it than this...If I get more info to share I'll let you know.On Jun 1, 2020 7:51 PM, Lydecker <notifications@github.com> wrote: Hi @jeyoor - thanks for your quick reply. So currently we have a custom post-logout page on our web backend which redirects the user to the custom uri for the app - so we did the same as you - however what I'm not understanding is how you automatically close the Browser in the app on iOS once the custom uri is received after logout? Thanks —You are receiving this because you were mentioned.Reply to this email directly, view it on GitHub, or unsubscribe.

[hiraldesai]

I submitted an app update to iOS which was rejected when I used Browser calls to do OAuth. I ended up doing something like this based on the example @jamesmontemagno had shared in #763. I haven't had a chance to explore the new authentication extension from Xamarin.Essentials yet but my custom implementation did this.

Login call in app

                try
                {
                    var authResult = await DependencyService.Get<IAuthenticator>().AuthenticateAsync(new Uri("yourappuri://"), new Uri("url-to-oatuth-provider"));
                    if (authResult != null)
                    {
                        // Store auth result token and user account info to device
                    }
                }
                catch (Exception ex) when (ex is TaskCanceledException || ex is OperationCanceledException)
                {
                    // Intentional - user closed browser
                }

Logout call in app

            try
            {
                await DependencyService.Get<IAuthenticator>().LogoutAsync(new Uri("yourappuri://"), new Uri("url-to-oatuth-provider"));
            }
            catch (Exception ex) when (ex is TaskCanceledException || ex is OperationCanceledException)
            {
                // Intentional - user closed browser
            }

Shared IAuthenticator interface

    public interface IAuthenticator
    {
        Task<AuthResult> AuthenticateAsync(Uri appCallbackUri, Uri uri);
        Task LogoutAsync(Uri appCallbackUri, Uri uri);
    }

Custom AuthResult that extracts oAuth response into what your app needs

    public class AuthResult
    {
        public ApiToken ApiToken { get; set; }
        public UserAccount UserAccount { get; set; }
        public bool IsAuthenticated { get; set; }
    }

I then have separate IAuthenticator implementations for each platform that uses CustomTabsActivityManager for Android, SFSafariViewController for iOS and WebAuthenticationBroker for UWP to give me full control of the views presented to the user.

To answer your question @Lydecker - the iOS implementation for IAuthenticator would then have a static UIViewController that holds reference to your SFSafariViewController opened by the AuthenticateAsync or LogoutAsync calls from the app. Then the OpenUrl calls from the AppDelegate would call DismissViewControllerAsync on that SFSafariViewController to close the auth/logout session.

[Lydecker]

Thanks for this detailed reply @hiraldesai

We have done the same thing - have a reference to SFSafariViewController which we then Dismiss when logging out.

Do you know when your rejection happened, and on what version of Forms you were on? Given Browser just calls SFSafariViewController under the hood, that should not lead to rejection.

I'm wondering if your rejection was linked to this: https://docs.microsoft.com/en-us/xamarin/xamarin-forms/user-interface/webview?tabs=windows#uiwebview-deprecation-and-app-store-rejection-itms-90809

Which is mentioned here #1241

I haven't submitted anything to Apple yet - but had everything working using my own SFSafariViewController implementation. The WebAuthenticator from Essentials is amazing makes integration so simple - however I still need my own SFSafariViewController implementation as well for the logout part which is a pain. If the Browser implemented the Close command for SFSafariViewController, it would make life so much simpler.

[hiraldesai]

The rejection happened months ago and it was an older Xamarin.Forms verison - so it must have been linked to that deprecation only. I wasn't aware that Browser APIs had internally started using SFSafariViewController now, so you should be fine.

When I get a chance I'd also like to rip off all of that custom stuff and use WebAuthenticator from Essentials.

[samt1925]

I submitted an app update to iOS which was rejected when I used Browser calls to do OAuth. I ended up doing something like this based on the example @jamesmontemagno had shared in #763. I haven't had a chance to explore the new authentication extension from Xamarin.Essentials yet but my custom implementation did this.

Login call in app

                try
                {
                    var authResult = await DependencyService.Get<IAuthenticator>().AuthenticateAsync(new Uri("yourappuri://"), new Uri("url-to-oatuth-provider"));
                    if (authResult != null)
                    {
                        // Store auth result token and user account info to device
                    }
                }
                catch (Exception ex) when (ex is TaskCanceledException || ex is OperationCanceledException)
                {
                    // Intentional - user closed browser
                }

Logout call in app

            try
            {
                await DependencyService.Get<IAuthenticator>().LogoutAsync(new Uri("yourappuri://"), new Uri("url-to-oatuth-provider"));
            }
            catch (Exception ex) when (ex is TaskCanceledException || ex is OperationCanceledException)
            {
                // Intentional - user closed browser
            }

Shared IAuthenticator interface

    public interface IAuthenticator
    {
        Task<AuthResult> AuthenticateAsync(Uri appCallbackUri, Uri uri);
        Task LogoutAsync(Uri appCallbackUri, Uri uri);
    }

Custom AuthResult that extracts oAuth response into what your app needs

    public class AuthResult
    {
        public ApiToken ApiToken { get; set; }
        public UserAccount UserAccount { get; set; }
        public bool IsAuthenticated { get; set; }
    }

I then have separate IAuthenticator implementations for each platform that uses CustomTabsActivityManager for Android, SFSafariViewController for iOS and WebAuthenticationBroker for UWP to give me full control of the views presented to the user.

To answer your question @Lydecker - the iOS implementation for IAuthenticator would then have a static UIViewController that holds reference to your SFSafariViewController opened by the AuthenticateAsync or LogoutAsync calls from the app. Then the OpenUrl calls from the AppDelegate would call DismissViewControllerAsync on that SFSafariViewController to close the auth/logout session.

What should i do on server side to log off? I just don't want to open new view for logout. My WebAuthenticator always skip login page if i already enter info and give me same token for user. Im just need to open login form for a new user. Please help.