Reputation: 17
I'm developing a mobile app using the azure-mobile-apps Cordova client. I followed this https://cgillum.tech/2016/08/10/app-service-auth-and-azure-ad-b2c-part-2/ to get refresh tokens.
I'm sending the id_token in the header.
// Call the App Service refresh endpoint with the stored token in X-ZUMO-AUTH
var token = window.localStorage.getItem("token");
var appUrl = "https://Mobile****.azurewebsites.net";
var url = appUrl + "/.auth/refresh";
$http.get(url, {
    headers: {
        'X-ZUMO-AUTH': token
    }
})
.then(function(response) {
    console.log(response);
});
Response : 401 Unauthorized. IDX10500: Signature validation failed. Unable to resolve SecurityKeyIdentifier...
I compared my secret keys in Resource Explorer and Tenant -> Application -> Keys. Both are the same.
I also want to ask about logout: can we send the same as above to this endpoint, /.auth/logout?
Upvotes: 0
Views: 696
Reputation: 9940
To get /.auth/refresh to work, as @mattchenderson mentioned in an earlier post, please make sure client.currentUser.mobileServiceAuthenticationToken is passed in the X-ZUMO-AUTH header.
For logout, you can use the logout function of the built-in SDK. Please try the following code to log a user out of the Mobile App.
client.logout().then(function () {
    window.cookies.clear(function() {
        $state.go('index');
    });
});
Note: the web view has stored the login info in cookies, and the next time you log in via the authentication provider, the browser will automatically read the cookies and finish the login flow. So please make sure the cookies are cleared when logging out. I used Phonegap-Cookies-Plugin to do this job. Please note that it works for both PhoneGap and Cordova.
Upvotes: 1
Reputation: 1620
The token submitted in the X-ZUMO-AUTH header should always be an App Service token, not the AAD ID token. This token would have been obtained using one of the client.login() methods from the Mobile Apps SDK. You can access this token from the client object (via client.currentUser.mobileServiceAuthenticationToken).
Upvotes: 1
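An added example, not part of the original answers or of the Mobile Apps SDK: a pre-flight check that reads the token's iss claim before calling /.auth/refresh, so an AAD id_token is caught on the client instead of coming back as the 401 above. It assumes the App Service session token names the app's own URL as its issuer; the helper names, the app URL and both sample tokens are constructed.

```javascript
// Added example. Assumption: an App Service session token has iss = the app's own URL.

// Decode a JWT payload for inspection only (no signature check; the server does that).
function decodeJwtPayload(jwt) {
  var parts = String(jwt).split('.');
  if (parts.length !== 3) throw new Error('not a compact JWT');
  var b64 = parts[1].replace(/-/g, '+').replace(/_/g, '/');
  while (b64.length % 4) b64 += '=';
  var json = typeof atob === 'function'
    ? atob(b64)
    : Buffer.from(b64, 'base64').toString('latin1');
  return JSON.parse(json);
}

// 'app-service' when the issuer host matches the app host, otherwise 'other-issuer'.
function classifyToken(jwt, appUrl) {
  try {
    var issHost = new URL(decodeJwtPayload(jwt).iss || '').host.toLowerCase();
    var appHost = new URL(appUrl).host.toLowerCase();
    return issHost === appHost ? 'app-service' : 'other-issuer';
  } catch (e) {
    return 'other-issuer';
  }
}

// Build the /.auth/refresh request, refusing tokens issued by anyone but the app.
function buildRefreshRequest(jwt, appUrl) {
  if (classifyToken(jwt, appUrl) !== 'app-service') {
    throw new Error('X-ZUMO-AUTH needs the App Service token, not an identity provider token');
  }
  return {
    url: appUrl.replace(/\/+$/, '') + '/.auth/refresh',
    headers: { 'X-ZUMO-AUTH': jwt }
  };
}

// Constructed sample tokens (Node-only helper, unsigned, for the demo below).
function fakeJwt(payload) {
  var enc = function (o) {
    return Buffer.from(JSON.stringify(o)).toString('base64')
      .replace(/\+/g, '-').replace(/\//g, '_').replace(/=+$/, '');
  };
  return enc({ alg: 'none', typ: 'JWT' }) + '.' + enc(payload) + '.sig';
}
var APP_URL = 'https://example-app.azurewebsites.net'; // placeholder app URL
var sessionToken = fakeJwt({ iss: APP_URL + '/', aud: APP_URL + '/', sub: 'sid:constructed' });
var idToken = fakeJwt({ iss: 'https://login.microsoftonline.com/constructed-tenant/v2.0/', aud: 'constructed-client-id' });
console.log(classifyToken(sessionToken, APP_URL), classifyToken(idToken, APP_URL));
```

In the app, the value passed in would be client.currentUser.mobileServiceAuthenticationToken, as both answers describe.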