
Remove Cached Google Login Credentials #3593

Closed
popwarfour opened this issue Apr 4, 2024 · 5 comments
Labels
auth Issues related to the Auth category question General question

Comments

@popwarfour

popwarfour commented Apr 4, 2024

Describe the bug

I'm not so sure whether this is a bug or user error, but it's certainly odd behavior IMO (see reproduction steps).

How can I logout the user such that when they attempt to re-signin via the same federated source it does not automatically select their previous account?

Steps To Reproduce

Steps to reproduce the behavior:
1. Click button to begin Federated signin with Google (using non-private config)
2. Within webview, select your account and complete the google authentication
3. You are fully authenticated and using the app.
4. Click the button to signout.
5. Attempt to re-login with the same google option.
6. **Issue: The Google webview pops up briefly but immediately disappears. You are given no chance to select a Google account. It has auto-selected your last choice from step 1**.

Expected behavior

When the google auth webview pops up you should be given a chance to select any of your google accounts.

Amplify Framework Version

2.28.0

Amplify Categories

Auth

Dependency manager

Swift PM

Swift version

5.9

CLI version

12.10.3

Xcode version

15.2

Relevant log output

No response

Is this a regression?

Yes

Regression additional context

No response

Platforms

iOS

OS Version

17.2

Device

iPhone 15

Specific to simulators

No response

Additional context

No response

@popwarfour popwarfour changed the title Full Federated Logout Remove Cached Google Login Credentials Apr 4, 2024
@ruisebas ruisebas added question General question auth Issues related to the Auth category labels Apr 4, 2024
@popwarfour
Author

popwarfour commented Apr 4, 2024

I dug a bit further and I can provide some more context to help you answer my question. TL;DR: Logout deletes the keychain keys via CredentialStoreDataType.amplifyCredentials, but login looks them up via asfDeviceId, which has not been deleted. I believe we need to delete asfDeviceId for this to work properly.

When I call await Amplify.Auth.signOut() I can see ClearCredentialStore getting hit with the CredentialStoreDataType.amplifyCredentials option. Looking deeper into KeychainStore I can see the SecItemDelete query of,

```
Printing description of query:
▿ 4 elements
  ▿ 0 : 2 elements
    - key : "nleg"
    ▿ value : Optional<CFBooleanRef>
      - some : 1
  ▿ 1 : 2 elements
    - key : "acct"
    - value : "<MY_SESSION>"
  ▿ 2 : 2 elements
    - key : "svce"
    - value : "com.amplify.awsCognitoAuthPlugin"
  ▿ 3 : 2 elements
    - key : "class"
    - value : "genp"
```

However, the next time I call Amplify.Auth.signInWithWebUI(...) I can see, within the depths of the auth state machine, that it's attempting to load the credentials via the asfDeviceId, which I've confirmed through my own keychain query was not deleted.

```
Printing description of resolution:
▿ StateResolution<CredentialStoreState>
  ▿ newState : {
    "CredentialStoreState.success" =     {
        savedData = "AWSCognitoAuthPlugin.CredentialStoreData.asfDeviceId(<MY_DEVICE_ID>, \"unknown\")";
    };
}
    ▿ success : CredentialStoreData
      ▿ asfDeviceId : 2 elements
        - .0 : <MY_DEVICE_ID>
        - .1 : "unknown"
  ▿ actions : 1 element
    ▿ 0 : ["identifier": "IdleCredentialStore"]
      - identifier : "IdleCredentialStore"
```

Is this a logic bug or user error?
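The keychain check described in the comment above, written out as an added example (this is not Amplify's code and not the reporter's): it lists every generic-password item stored under the service name that appears in the posted SecItemDelete query, so you can snapshot the keychain before and after `Amplify.Auth.signOut()` and see exactly which accounts were removed and which survive. The `kSecUseDataProtectionKeychain` key is included because, to my knowledge, its raw value is the "nleg" key shown in that query. Account names inside the entries are whatever the plugin wrote; nothing about their format is assumed here.

```swift
import Foundation
import Security

/// One surviving keychain item: the `acct` attribute and the payload size.
struct KeychainEntry: Equatable {
    let account: String
    let byteCount: Int
}

enum KeychainAudit {
    /// Service name taken from the SecItemDelete query posted in this issue.
    static let amplifyService = "com.amplify.awsCognitoAuthPlugin"

    /// Returns every generic-password item stored under `service`.
    /// An empty array means the plugin left nothing behind; a non-empty one
    /// after signOut() is the place to look for the device-metadata record.
    static func remainingItems(service: String = amplifyService) throws -> [KeychainEntry] {
        let query: [String: Any] = [
            kSecClass as String: kSecClassGenericPassword,
            kSecAttrService as String: service,
            kSecUseDataProtectionKeychain as String: true,   // "nleg" in the posted query
            kSecMatchLimit as String: kSecMatchLimitAll,
            kSecReturnAttributes as String: true,
            kSecReturnData as String: true,
        ]
        var result: CFTypeRef?
        let status = SecItemCopyMatching(query as CFDictionary, &result)
        if status == errSecItemNotFound { return [] }
        guard status == errSecSuccess else {
            throw NSError(domain: NSOSStatusErrorDomain, code: Int(status))
        }
        let items = result as? [[String: Any]] ?? []
        return items.map { item in
            KeychainEntry(
                account: item[kSecAttrAccount as String] as? String ?? "<no account>",
                byteCount: (item[kSecValueData as String] as? Data)?.count ?? 0
            )
        }
    }

    /// Accounts present in `before` but absent from `after`: what signOut() actually deleted.
    static func removedAccounts(before: [KeychainEntry], after: [KeychainEntry]) -> [String] {
        let remaining = Set(after.map { $0.account })
        return before.map { $0.account }.filter { !remaining.contains($0) }
    }
}

// Usage (hypothetical call site, assumes Amplify is configured):
//
//   let before = try KeychainAudit.remainingItems()
//   _ = await Amplify.Auth.signOut()
//   let after = try KeychainAudit.remainingItems()
//   print("deleted:", KeychainAudit.removedAccounts(before: before, after: after))
//   print("still present:", after.map { $0.account })
```

Run it on a device rather than relying on the debugger's dictionary dump: the `after` list is the authoritative answer to "what does signOut() leave in the keychain", and anything in it that is not a session credential is the persisted device metadata the maintainer describes below.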

@harsh62
Member

harsh62 commented Apr 4, 2024

@popwarfour Thanks for your detailed query and analysis.

  1. signOut only signs out from Cognito and not the IdP. Think of it like this: the user is logging out of your app and not Google. You can try using the preferPrivateSession option (which has its own pros and cons).
```swift
// Amplify Swift v2: signInWithWebUI is async and returns the sign-in result
// directly; preferPrivateSession() asks for an ephemeral browser session that
// does not share cookies with the device's shared web session.
let result = try await Amplify.Auth.signInWithWebUI(
    presentationAnchor: self.view.window!,
    options: .preferPrivateSession()
)
```
  2. The device metadata persisted is by design, used for certain Cognito features in a multi-user scenario.
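To make the preferPrivateSession trade-off concrete, here is an added example (not Amplify's implementation) that drives the Cognito hosted UI through `ASWebAuthenticationSession` directly, the system API Amplify Swift uses under the hood. To my understanding `preferPrivateSession` is surfaced as the session's `prefersEphemeralWebBrowserSession` flag, so the two configurations are shown side by side: a shared session reuses Safari's persistent Google cookies (the account chooser is skipped, which is the behavior reported in this issue), while an ephemeral session starts with an empty cookie jar (the chooser appears, and the Google session is not shared with other apps). The domain, client id, redirect URI and callback scheme are placeholders; a real flow also adds `state` and PKCE parameters, omitted here.

```swift
import AuthenticationServices
import Foundation

final class HostedUISignIn: NSObject, ASWebAuthenticationPresentationContextProviding {
    private let anchor: ASPresentationAnchor
    private var session: ASWebAuthenticationSession?

    init(anchor: ASPresentationAnchor) { self.anchor = anchor }

    /// Builds the Cognito hosted UI authorize URL for a specific federated provider.
    /// All three string inputs are assumptions for illustration, not values from the issue.
    static func authorizeURL(domain: String, clientID: String, redirectURI: String,
                             identityProvider: String = "Google") -> URL {
        var components = URLComponents(string: "https://\(domain)/oauth2/authorize")!
        components.queryItems = [
            URLQueryItem(name: "response_type", value: "code"),
            URLQueryItem(name: "client_id", value: clientID),
            URLQueryItem(name: "redirect_uri", value: redirectURI),
            URLQueryItem(name: "identity_provider", value: identityProvider),
            URLQueryItem(name: "scope", value: "openid email profile"),
        ]
        return components.url!
    }

    /// Starts the browser flow. `privateSession` is the knob the thread is about.
    func start(url: URL, callbackScheme: String, privateSession: Bool,
               completion: @escaping (Result<URL, Error>) -> Void) {
        let s = ASWebAuthenticationSession(url: url, callbackURLScheme: callbackScheme) { callback, error in
            if let error = error {
                completion(.failure(error))          // includes user cancellation
            } else if let callback = callback {
                completion(.success(callback))       // redirect URI carrying ?code=...
            }
        }
        // false: shares the system's persistent web cookie store. Google's session cookie
        //        from the first sign-in is sent again, so the account picker never appears.
        // true:  isolated, non-persistent store. Nothing from the first sign-in is reused
        //        (Google shows the chooser), at the cost of the user re-authenticating at
        //        Google every time; this is the friction the reporter measured.
        s.prefersEphemeralWebBrowserSession = privateSession
        s.presentationContextProvider = self
        session = s
        s.start()
    }

    func presentationAnchor(for session: ASWebAuthenticationSession) -> ASPresentationAnchor {
        anchor
    }
}

// Usage (hypothetical values):
//
//   let url = HostedUISignIn.authorizeURL(domain: "example.auth.us-east-1.amazoncognito.com",
//                                         clientID: "CLIENT_ID",
//                                         redirectURI: "myapp://callback/")
//   let signIn = HostedUISignIn(anchor: view.window!)
//   signIn.start(url: url, callbackScheme: "myapp", privateSession: true) { print($0) }
```

Note what the ephemeral flag does not do: it never signs the user out of Google. It only stops this app from seeing the browser's existing Google session, which is why it fixes the account-picker symptom without touching the IdP, and why the maintainer's point below about signOut() not logging out of the IdP still holds either way.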

@popwarfour
Author

popwarfour commented Apr 4, 2024

Thank you @harsh62 for getting back so quickly. Unfortunately, preferPrivateSession is a non-starter since it imposes unnecessary friction to our users. We actually ran with that option for a little bit and found an enormous hit to our customer acquisition metrics.

What other options do we have? We can't be the only ones requesting this behavior, so I'm sure it's been solved.

Could our backend expose an endpoint that manually logs out of the IdP in parallel with the regular Amplify.Auth.signOut() calls, or do you think that would be going down the wrong path? If that is a valid solution, do you know whether the cached asfDeviceId in the keychain would be an issue, or should the state machine logic resolve all that?

@harsh62
Member

harsh62 commented Apr 4, 2024

The cached asfDeviceId in the keychain is definitely not an issue. Logging out of the IdP is not something that is supported by Amplify Swift.

I would suggest being mindful and making sure that this is clearly what you want. Because if you look at it the other way around, I can log out of all of my Google accounts and still be logged into your app. Once your app knows who the user is, that person can log out of Google. Google is no longer needed.

However, it's crucial to consider the ramifications of logging a user out of an IdP. Imagine the inconvenience for users who use their Google account across multiple apps. Should they be forced to reauthenticate with Google each time they log out of one of your apps? Such an approach risks user frustration and fatigue.

Finally, if you still decide you want to do it, as a workaround try setting up the IdP as a SAML or OIDC provider in the Cognito console and enabling the IdP sign-out flow. I would suggest reading up on the Cognito documentation to get a better understanding of how it works.

There could possibly be other workarounds that you can explore, i.e. building your own custom logout workflow, which upon successful log out could redirect to the IdP log out flow.

@harsh62 harsh62 closed this as completed Apr 5, 2024
Contributor

github-actions bot commented Apr 5, 2024

This issue is now closed. Comments on closed issues are hard for our team to see.
If you need more assistance, please open a new issue that references this one.
If you wish to keep having a conversation with other community members under this issue feel free to do so.
