Enable WebAuth Logout for Android & Fix iOS Logout. #223

Merged
merged 2 commits into from
Jul 12, 2019

lbalmaceda
Contributor

@lbalmaceda lbalmaceda commented Jul 2, 2019

Changes

This PR enables the clear session feature for Android and fixes it for iOS.

When this is merged, it will always send the client_id and the returnTo parameters when opening the Auth0 logout URL.

Devs would need to whitelist the returnTo URL in the "Allowed Logout URLs" section of their application's settings in the Auth0 dashboard. Failing to do so will show an error page when the redirect is attempted.

Sample usage:

auth0.webAuth
  .clearSession({})
  .then(success => {
    // Logged out!
  })
  .catch(error => {
    // Browser closed by the user.
  });

Breaking changes?

At first, this seems to affect only iOS (because Android was disabled!). But if we look deeper, the current behavior is to open the logout URL without passing any returnTo or clientId values. Testing this in an iOS simulator resulted in a browser showing the text "OK" and not redirecting back to the app. So even if the log out was successful, I had to manually close the browser in order to get back to the app.

With the changes introduced in this PR, users will either face the "URL not whitelisted" screen when there's a dashboard configuration error or return successfully to the app after logging out.

Current iOS behavior:

http://recordit.co/TQqX1AyApp

iOS behavior after this PR:

http://recordit.co/gWa1dlR8Zp

Android behavior after this PR:

http://recordit.co/GcPBbvQeNh

Testing

  • This change adds unit test coverage
  • This change has been tested on the latest version of the platform/language or why not

Checklist
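
An added illustration of the description above (not code from this PR or from react-native-auth0): a pre-flight check that builds the logout URL with `client_id` and `returnTo` and refuses a `returnTo` that is missing from a local copy of the "Allowed Logout URLs" list. The `/v2/logout` path, the helper names and every sample value are assumptions, and the exact-match comparison is a simplified model of the dashboard check.

```javascript
// Added example. Domain, client ID and URLs are constructed sample values.

// Build the logout URL carrying the two parameters the PR always sends.
// Assumption: the tenant's logout endpoint lives at /v2/logout.
function buildLogoutUrl(domain, clientId, returnTo) {
  const url = new URL(`https://${domain}/v2/logout`);
  url.searchParams.set('client_id', clientId);
  url.searchParams.set('returnTo', returnTo); // percent-encoded by URLSearchParams
  return url.toString();
}

// Simplified model of the "Allowed Logout URLs" check: scheme, host and
// path must all match a listed entry. Anything unparsable is rejected.
function isAllowedLogoutUrl(returnTo, allowedLogoutUrls) {
  let candidate;
  try {
    candidate = new URL(returnTo);
  } catch (e) {
    return false;
  }
  return allowedLogoutUrls.some(entry => {
    let allowed;
    try {
      allowed = new URL(entry);
    } catch (e) {
      return false;
    }
    return (
      allowed.protocol === candidate.protocol &&
      allowed.host === candidate.host &&
      allowed.pathname === candidate.pathname
    );
  });
}

// Fail fast on a configuration mismatch instead of sending the user to the
// "URL not whitelisted" error page in the browser.
function prepareLogout(config, returnTo) {
  if (!isAllowedLogoutUrl(returnTo, config.allowedLogoutUrls)) {
    throw new Error(`returnTo is not in Allowed Logout URLs: ${returnTo}`);
  }
  return buildLogoutUrl(config.domain, config.clientId, returnTo);
}
```

Keeping the local list in sync with the dashboard entry turns a missing or mistyped callback URL into a build-time or startup failure rather than an error page shown to users.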

@lbalmaceda lbalmaceda requested review from a team and cocojoe and removed request for a team July 2, 2019 21:32
@lbalmaceda lbalmaceda added the small This PR may require low effort to action, or contains few changes to review label Jul 2, 2019
@lbalmaceda lbalmaceda changed the title Enable WebAuth Logout for Android Enable WebAuth Logout for Android & Fix iOS Logout. Jul 3, 2019
@stevehobbsdev stevehobbsdev self-requested a review July 8, 2019 12:33
Contributor

@stevehobbsdev stevehobbsdev left a comment

LGTM

Quick question but why when you log out using iOS does the dialog say "..wants to use Auth0 to Sign In"? It's just a bit jarring.

@lbalmaceda
Contributor Author

@stevehobbsdev I think that's how iOS behaves when trying to open a link from the app. @cocojoe can you clarify that, please?

@damieng
Contributor

damieng commented Jul 12, 2019

Force-merging as codecov is having issues again.

@damieng damieng merged commit c3eeaa7 into master Jul 12, 2019
@bneigher

bneigher commented Jul 15, 2019

@cocojoe @lbalmaceda
Guys, the "..wants to use Auth0 to Sign In" when using clearSession is preventing me from using the method. It's really weird to see that when a user chooses to log out.
Is there something I am missing that needs to be set up to skip that dialog?

A shot in the dark - but is there any way to clear any previous sessions (or do whatever clearSession does with your services) whenever a user attempts to log in? (Or provide it as a flag to authorize) That way at least the web navigation permission dialog only shows up when you're attempting to log in. I don't see what side effects could possibly occur by doing this - and it makes for a way better UX.

@cocojoe
Member

cocojoe commented Jul 15, 2019

@bneigher Although I totally agree it isn't the most beautiful experience, this behaviour is part of Apple's functionality for the recommended way to implement Auth flow; the only way to clear the cookies is by using the same flow so the correct cookie jar is used. So the dialog will be presented and there is no way to disable it.

However, it would be great for you to give feedback on this at https://auth0.com/feedback

@lbalmaceda lbalmaceda modified the milestones: v1-Next, v1.5.0 Jul 15, 2019
@lbalmaceda lbalmaceda deleted the webauth-logout-android branch July 15, 2019 16:59
Labels
CH: Changed small This PR may require low effort to action, or contains few changes to review