How to log out an user using Auth0

Question

I have been working on integrating Auth0 with my application. When I click on Sign-In, the auth0 redirects me to the login URL which was provided. After successfully logging in, I will head back to another ViewController. In that view controller I have a sign out button which redirects me to the sign in page. Now when I again click on sign in, it does not ask the credentials to login and takes me to the ViewController, because the auth0 stores the cache data of the user logged in. But when I click on sign out button, I want the auth0 to remove the cache data, because I want the user to redirect to the login page where the user should enter the credentials every time when he logs in. Is it possible to that?

func signIn() {
        print("Sign In")

        guard let clientInfo = plistValues(bundle: Bundle.main) else { return }
        Auth0
            .webAuth()
            .scope("openid profile")
            .audience("https://" + clientInfo.domain + "/userinfo")
            .start {
                switch $0 {
                case .failure(let error):
                    print("Error: \(error)")
                case .success(let credentials):
                    if let accessToken = credentials.accessToken, let refreshToken = credentials.refreshToken, let idToken = credentials.idToken {
                        UserDefaults.standard.setValue(accessToken, forKeyPath: "accessToken")
                        UserDefaults.standard.setValue(refreshToken, forKeyPath: "refreshToken")
                        UserDefaults.standard.setValue(idToken, forKeyPath: "idToken")

                        let loadingAlert = UIAlertController.customAlert(title: "Success", message: accessToken)
                        loadingAlert.presentInViewController(self)
                    }

                    if (!SessionController.shared.store(credentials: credentials)) {
                        print("Failed to store credentials")
                    }
                    else {
                        SessionController.shared.retrieveProfile { error in
                            DispatchQueue.main.async {
                                guard error == nil else {
                                    print("Failed to retrieve profile: \(String(describing: error))")
                                    return self.signIn()
                                }

                                let storyBoard = UIStoryboard(name: "Main", bundle: nil)
                                let vc = storyBoard.instantiateViewController(withIdentifier: "profileViewController") as! ProfileViewController
                                self.present(vc, animated: true, completion: nil)
                            }
                        }
                    }
                }
        }
    }

    @IBAction func btnActionSignOut(_ sender: UIButton) {

        let alertController = UIAlertController(title: AppSettings.shared.appName, message: "Are you sure you want to logout?", preferredStyle: .alert)
        let okAction = UIAlertAction(title: "Yes", style: .default) { (action:UIAlertAction) in
            // Clear access tokens and logout user.
            UserDefaults.standard.setValue(nil, forKeyPath: "accessToken")
            UserDefaults.standard.setValue(nil, forKeyPath: "refreshToken")
            UserDefaults.standard.setValue(nil, forKeyPath: "idToken")

            _ = SessionController.shared.logout()
            self.dismiss(animated: true, completion: nil)
        }
        let noAction = UIAlertAction(title: "No", style: .default) { (action:UIAlertAction) in
            // Do nothing. Alert dismissed.
        }
        alertController.addAction(okAction)
        alertController.addAction(noAction)
        self.present(alertController, animated: true, completion: nil)
    }

I expect the session manager to clear the stored data and show me the login screen, but instead I'm allowed to sign in again without any credentials.

Answer 1

It looks like for logout you are clearing the tokens from the device but not actually redirecting user to the Auth0 Logout endpoint https://YOUR_DOMAIN/v2/logout.

You would need to redirect user to logout to ensure the Auth0 user session and optionally the Identity Provider session (With federated query parameter option) are cleared as well if you are seeking a true logout with re-authentication of user.

Reason you are getting logged in again is probably because of Seamless SSO, Auth0 detects user still has a valid session on that browser so they log the user in without requiring credentials. The only way to remove the Auth0 cookie on that browser is by redirecting them to the Logout API above.