
I have followed this article on how to get started with using Auth0 in Flutter.

The author writes: "...a complete secure logout is beyond the scope of this article".

The logout method from the article is this:

void logoutAction() async {
  // Only the locally stored refresh token is removed here.
  await secureStorage.delete(key: 'refresh_token');
  setState(() {
    isLoggedIn = false;
    isBusy = false;
  });
}

It removes the refresh_token from secure storage on the device. Now, I want to be able to do a more complete logout where that user will have to do a full login again with username and password. Currently, the user can log in without typing username and password, which I think is due to the access token being saved somewhere. If this is due to the access token, how can I delete this access token from browser cookies or wherever it is being stored?

One way to avoid storing the access token is to add promptValues: ['login'] to the login method. The problem with this is that the user will have to log in every time, therefore completely removing the benefits of the stored access token. So again, I want the user to be able to do a "complete" logout where the access token is cleared from cookies.

Future<void> loginAction() async {
  setState(() {
    isBusy = true;
    errorMessage = '';
  });

  try {
    final AuthorizationTokenResponse result =
        await appAuth.authorizeAndExchangeCode(
      AuthorizationTokenRequest(
        AUTH0_CLIENT_ID,
        AUTH0_REDIRECT_URI,
        issuer: 'https://$AUTH0_DOMAIN',
        scopes: ['openid', 'profile', 'offline_access'],
        // promptValues: ['login']
      ),
    );

    final idToken = parseIdToken(result.idToken);
    final profile = await getUserDetails(result.accessToken);

    await secureStorage.write(
        key: 'refresh_token', value: result.refreshToken);

    setState(() {
      isBusy = false;
      isLoggedIn = true;
      name = idToken['name'];
      picture = profile['picture'];
    });
  } catch (e, s) {
    print('login error: $e - stack: $s');

    setState(() {
      isBusy = false;
      isLoggedIn = false;
      errorMessage = e.toString();
    });
  }
}

Daniel
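An added example (not code from the question or from the article it cites) of what a "complete" logout looks like for this setup. The piece the article's logoutAction() leaves out is the session that Auth0 keeps in the browser cookie jar used for the /authorize call; as long as that session exists, the next login completes without a password even after the refresh token is gone from the device. Assumptions: the url_launcher package is available, AUTH0_DOMAIN and AUTH0_CLIENT_ID are the constants already used by loginAction(), and AUTH0_LOGOUT_RETURN_TO is a placeholder URL that must be listed under "Allowed Logout URLs" in the Auth0 application settings.

```dart
// Added example, not from the original question or the article it links.
// Assumes url_launcher and the AUTH0_DOMAIN / AUTH0_CLIENT_ID constants.
import 'package:flutter_secure_storage/flutter_secure_storage.dart';
import 'package:url_launcher/url_launcher.dart';

// Placeholder value (assumption): must appear in the Auth0 application's
// "Allowed Logout URLs", otherwise the logout endpoint rejects returnTo.
const String AUTH0_LOGOUT_RETURN_TO = 'https://app.example.invalid/logged-out';

/// Builds the Auth0 logout URL (https://<domain>/v2/logout?client_id=...&returnTo=...).
/// Kept separate from the browser launch so it can be checked in a unit test.
Uri buildAuth0LogoutUri(String domain, String clientId, String returnTo) {
  return Uri.https(domain, '/v2/logout', <String, String>{
    'client_id': clientId,
    'returnTo': returnTo,
  });
}

/// Lets the UI tell the user when only the on-device half of the logout worked.
enum LogoutResult { complete, localOnly }

/// Clears everything that lets the user back in without typing credentials:
///  1. the refresh token in secure storage (silent token renewal),
///  2. any other token the app persisted (here: an 'access_token' key, if used),
///  3. the Auth0 session cookie held by the browser (the SSO "remember me").
/// Step 3 is the part the article's logoutAction() does not do.
Future<LogoutResult> completeLogout({
  required FlutterSecureStorage secureStorage,
  required String domain,
  required String clientId,
  String returnTo = AUTH0_LOGOUT_RETURN_TO,
}) async {
  // 1. Remove the app's own ability to obtain new tokens without a login.
  await secureStorage.delete(key: 'refresh_token');

  // 2. Drop any cached access token as well; delete() is a no-op if absent.
  await secureStorage.delete(key: 'access_token');

  // 3. End the Auth0 session. Opening the logout endpoint in the browser
  //    that holds the Auth0 cookie makes the next /authorize request show
  //    the username/password screen again, without forcing prompt=login
  //    on every login the way promptValues: ['login'] would.
  final Uri logoutUri = buildAuth0LogoutUri(domain, clientId, returnTo);
  final bool opened =
      await launchUrl(logoutUri, mode: LaunchMode.externalApplication);
  return opened ? LogoutResult.complete : LogoutResult.localOnly;
}
```

Hook it into the widget by having logoutAction() call completeLogout(secureStorage: secureStorage, domain: AUTH0_DOMAIN, clientId: AUTH0_CLIENT_ID) and only then run the existing setState that flips isLoggedIn; a LogoutResult.localOnly result is worth surfacing in errorMessage, because the device is signed out but the browser session is not. One caveat: this only clears the session if the browser that opens the logout URL shares its cookie jar with the in-app browser tab flutter_appauth used for login, which is normally the case for Chrome Custom Tabs and ASWebAuthenticationSession; if the app logs in with preferEphemeralSession, there is no persistent cookie to clear in the first place, and a logout that deletes the refresh token is already complete.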

2 Answers

0

Just uncomment the line in the method loginAction():

// promptValues: ['login']

  • 1
    This is not viable as I state in the answer "The problem with this is that the user will have to login every time, therefore completely removing the benefits from the stored access token." – Daniel Mar 05 '21 at 07:33
0

My solution was to analyse the logout function given in the article.

Previously Auth0 seemed to send a refresh token when calling

appAuth.token

but it's not the case anymore, so I commented out the following code:

await secureStorage.write(
    key: 'refresh_token', value: response.refreshToken);

Now, if the user is logged in, the Flutter app has the refresh token available to call appAuth.token; if he's logged out, the token was deleted.