1

We have developed an app where we need to allow the user to log out and log in with a different user. The app works fine once a user is logged in (we get a token from Bluemix) and the token handling is working. The problem arises when we try to implement logout functionality. According to the documentation, we have tried to use:

AuthorizationManager.getInstance().clearAuthorizationData();

According to the documentation this should remove everything to do with authorization. It is not doing what we expect it to do. When we try to log in again it simply refreshes the latest token, instead of trying to get a new one. The only way to log in again is by removing all data from the app. This approach is not very good for us since we have an extensive cache that we wish to not have to remove.

Is this a bug in Bluemix, or are we missing something (another way to remove the token and force it to fetch a new one)?

Joshua Alger
enno4859

1 Answer

0

Logging out of the MCA service is not currently supported. Through the authentication process, an authorizationHeader is generated and then used in outbound requests. If you attempt to access a protected resource and do not have a valid authorizationHeader, then the authentication process will begin again.

As you stated above, it is not possible to require re-authentication unless this authorizationHeader expires or you remove it from the device (not a recommended practice). The function clearAuthorizationData does not accomplish removing this authorizationHeader as you might have expected. I will work with the documentation team to make sure it is clear. I would recommend protecting any valuable resources and/or endpoints with MCA in order to ensure proper security.

Joshua Alger
  • It's also worth noting that the FB SDK doesn't support forcing re-auth with iOS and Android. See more details @ https://developers.facebook.com/docs/facebook-login/reauthentication "Note The Android and iOS SDKs don't currently support re-authentication." – Dave Cariello Feb 02 '16 at 15:48