How to perform logout of user after sign-in?

[sivaprasadnk]

Documentation only says about revoking credentials, but nothing about signing out users

[martin-braun]

Here is the fundamental problem with Apple and their stupid API:

I believe there is no sign-out, plus the user will not be signed out when removing the app. Even if we can properly sign out, which I want to see, the user won't be signed out when he/she uninstalls the app.

Now he/she installs the app again, tries to sign-in, but there is already an Apple Sign-In user session. Thanks to brilliant Apple engineers who are incapable to think forward, Apple Sign-In will only return the user ID.

You don't get the users email, you don't get the users password. You can either error and instruct the user to remove the session, but this will not work, unless the user also restarts their device. Thanks Apple.

You can also try to recover the session with your backend, but this can only work, if you stored their generated user id ... in clear text, which gives your app a nice brute force attack vector, because it's only one input with a clear format, such as 000011.9134c48e58484ad52299cb393541aa78.1781, so you also have to rate limit your login endpoint. It's so great.

At least the user id is unique per development team, but yeah, Apple sucks!

If there is a way to sign out the user via user ID, we could just sign the user out and force him/her to sign in with a new session, so we can always receive the email and name, like it should be in the first place.

[Finni123]

@martin-braun I feel your pain, developing for Apple is SUCH a nightmare in so many ways.

[jpetro416]

Just use this if you're leveraging firebase auth:
await auth.FirebaseAuth.instance.signOut();

[martin-braun]

@jpetro416 That won't really sign you out of Apple though.

[jpetro416]

@jpetro416 That won't really sign you out of Apple though.

Right but it will help you change users in your app. Also if someone is using an iphone, they can't login with another user anyways

[martin-braun]

@jpetro416 The whole point of rightfully signing out the user from Apple is Apple's stupid session management. If you go to appleid.apple.com you can still see how the account is still signed into your app, even when the Firebase account is logged out. Once you find your user into this situation, he/she is unable to re-sign into your app, because your app won't receive any email anymore, until he/she removed the session in the apple settings (or at appleid.apple.com) and restarted his/her device. It's a huge problem that I as well had and Apple would not approve my app, because it was happening to them and even their staff wasn't able to remove their session in their own settings app in the beginning.

Eventually, I had to program around that. I had to store their UserID in some way and link it to the account, securely, which is challenging, because it's essentially like storing a clear password in the database. Once the user re-signs without deleting their session prior, I will only get the UserID from Apple, but since I have stored it, I can now recover the session. I went out of my way explaining everything to them and eventually they followed my advice, started from a fresh session, so the issue would not occur anymore to them.

Note that even if this plugin would provide a proper sign-out, the problem wouldn't be fixed, because what if the user just uninstalls the app after signing in and later reinstalls the app and tries to re-sign? Right, the session still will be there on Apple's end and you still will just receive the UserID. You will soon have to deal with the same mess and my piece of advice to you is to deal with it soon BEFORE sending in your app for review.

[junpark-mofin]

It still drives me crazy. Even after I got the revocation email from Apple(By revoking with SIWA API in the server), the revoked account is still signed in on my app. The app is removed in the list of "Sign in with Apple" though...

To start new sign in process, I had to do "Erase All Contents and Settings" in Settings.... Then what's the meaning of revoking?

Oh... I think it only happens in Simulator. I tried same thing on real device and it started from the new sign in step right after revocation by server!

[Digvijaysinh2204]

I have created a plugin for this problem, you should try it once and use in real device
Link : https://pub.dev/packages/apple_sign_in_plugin

[martin-braun]

@Digvijaysinh2204 Bless you.

Automatically handles the revocation and regeneration of access tokens. This process is crucial to maintain access to user data across sessions. If the access token is not revoked after the initial login, user information like email and name may become null in subsequent logins. The package automates this process to prevent such issues.

So there is a way to revoke the access token to have it send a full response on continuing logins, giving you the ability to circumvent the problem?

That's clever, but it also means the session will never appear on appleid.apple.com, right?

[Digvijaysinh2204]

@martin-braun Yes, every time the apple_sign_in_plugin revokes and regenerates the token, the previous session ends, and a new one starts. This causes the user to be logged out after each session, and each login creates a new session, ensuring you always receive a full response with complete user information.