Search code examples
iosiphoneios8adal

How to LogOut from iOS ADAL Authentication?

I have integrated ADAL library into my iOS application and it's working fine. But now I want to log out from ADAL. How can I do log out?

Solution

  • There are two places where sign-in state is stored when using an ADAL interactive flow. The first is the token cache that is entirely in the control of the app. Calling [authContext.tokenCacheStore removeAllWithError:&error] is a good way to clear all cached tokens and stop ADAL from being able to login without launching the browser at all.

    However, sign-in state is also tracked by the server in browser cookies. The server will remember that a user was signed-in to the server until the cookie times out or is removed. When ADAL checks the cache and doesn't find a suitable token it will launch the webView. The server will find a cookie and then silently sign the user in. Browser cookies are largely hidden from ADAL. The ADAL library could potentially provide a sign-out function that clears all cookies, but this would have side effects if the app was depending on other cookies for some reason.

    There are a couple of ways of working around this. If you simply want to log out and you don't mind clearing all webView cookies then after you clear the cache, clear out all browser cookies as described here:

    How to delete all cookies of UIWebView?

    That's the nuclear option. Another, more subtle option, is to clear the cache and then use the AD_PROMPT_ALWAYS value in a call to aquireToken that takes an ADPromptBehavior parameter. When you use AD_PROMPT_ALWAYS a flag is sent to AAD that causes it to ignore the cookies and surface a fresh prompt to the user. This leaves the cookies in place so technically the user is not actually signed out. To the user, it appears that they were signed out and have the ability to sign in again later. When they sign in again they can choose a different user if they prefer.

    This is also the way you would handle sign-in with multiple users. In the case where you already have a user signed in, but want add another, do not clear the cache and pass AD_PROMPT_ALWAYS on the next call to acquireToken. The server will surface a fresh sign-in prompt and return a new token. That token will be stored in that ADAL cache. You get the a token for a particular user by calling acquireToken and passing a userId.