
Comments (31)

dtheodor79 commented on May 29, 2024 15

A suggestion would be maybe to amend the example app with code that shows how to perform (i) logout, and (ii) the daily re-validation procedure required by Apple using the Glitch example server.

from dart_packages.

lmordell commented on May 29, 2024 6

Running into the same issue as @davidAg9 attempting to implement a 'revoke token' flow on user account deletion.

The issue we're running into is:

  1. Delete a user account and make a request to Apple to revoke the access token (server side).
  2. Then, in the Flutter app, tap the 'Sign in with Apple' button.
  3. The Apple auth dialog does not appear. Instead, the AuthorizationCredentialAppleID credential is re-used and the access token associated with the deleted user is sent to the server for authentication.
  4. Since the access token's been revoked, the authentication request to Apple returns a 400 error: {'error': 'invalid_grant', 'error_description': 'The code has expired or has been revoked.'}.

A fix would be to add a signOut() function so the user has the ability to select a different account or so we can generate a new access token. The GoogleSignIn package offers a signOut() method that I use for the same purpose.

from dart_packages.

tp commented on May 29, 2024 3

Hey @gerryau,

the usual flow would be that a session is created in "your backend" system when the user provides the data from Apple (the backend then validates this data with Apple's servers and either creates a new account or logs the client into an existing one).

So the logout would happen like any logout in your system. You'd remove the user's session from the storage (and at the same time stop the daily polling to Apple's servers if the user is still active, if you had that implemented).

Or do you use the credential in a different way, that wouldn't allow for this flow?

From your backend system's point of view, it's important to not trust the incoming credential data outright, but only after validating it with Apple's servers.

Please let me know where you think would be a good spot to add this into the documentation – we'd be happy to improve it.

from dart_packages.

mars3142 commented on May 29, 2024 2

How can I delete the saved user credentials on iOS? I want to switch from real mail to anonymous mail, but every time I start the process again, I can't change my name or mail. A logout function for "apple sign in" (on the client) would be very helpful.

from dart_packages.

tp commented on May 29, 2024 2

> the authentication reference is not removed from Apple, and if this user decides to register once again with said example app, the app will not be able to retrieve name and email, as Apple releases this only once. So the best solution is to create an archive in the database to store deleted users

@davidAg9 Are you sure this holds true even when you call the revoke_tokens endpoint?

To me that sounds like it could behave the same way as if the user logs out of "your app" from their Apple ID settings.

Thus when the user logs in again, you'll receive new tokens and likely the e-mail address & name (which they have then chosen).

I have no practical experience with account deletion, but it just seems to me that Apple wouldn't force you to support account deletion, while at the same time having a flow which would require you to keep e.g. the e-mail address. That would just utterly defeat the purpose of the whole requirement, no?

from dart_packages.

HenriBeck commented on May 29, 2024 1

@uc-dve this is not a bug ticket and this shouldn’t stop you from releasing.

The code which needs to be written to implement a logout functionality is on your server and not in this plugin.

The ticket here is only about adding documentation, maybe extending the example with it.

from dart_packages.

uc-dve commented on May 29, 2024 1

Thanks for your quick response.
But I have a doubt: if we want to use another Apple ID for sign-in, then how can we reset it through the app, as it does not provide any option once we use an ID?

from dart_packages.

HenriBeck commented on May 29, 2024 1

@uc-dve that's why you need to implement a logout functionality in your app and server. After logging out, you can log in with a different Apple ID.

Note that on iOS the only Apple ID that you can log in with is the primary one on the device.

from dart_packages.

neha-madhini commented on May 29, 2024 1

Please provide an example for logout and how to remove session from this server.
When doing sign in, getting session as Instance of 'Response'.

from dart_packages.

HenriBeck commented on May 29, 2024 1

@neha-madhini as we don't provide a full server implementation example, there is no point in providing an example regarding the logout.

The only important thing to do is to log out the user from our server, e.g. clearing the session in your database.
Because this is highly specific to the stack and technologies someone is using, providing an example that would work for everyone is practically impossible.

from dart_packages.

HenriBeck commented on May 29, 2024 1

@davidAg9 no, you should delete all data connected to the account unless it's not allowed due to legal reasons.

If they register again with your App, the user should receive a new account that is not connected to the old one.

from dart_packages.

lucavenir commented on May 29, 2024 1

So, there's no quick way to revoke credentials like other providers' packages do (e.g. google, facebook, etc.)?

Apple logout should be quickly performed with something like await AppleSignIn.signout(). I don't quite understand why this shouldn't be a thing on this package.

from dart_packages.

uc-dve commented on May 29, 2024

Kindly provide this, as it's a very important part of a secure app. We are unable to release our projects due to this bug. Or if any ETA can be provided, that would be very helpful. Thanks

from dart_packages.

tim-teacher commented on May 29, 2024

What if the user logs out from Apple in the device settings (iPhone)? How can we listen for it in the app?

from dart_packages.

HenriBeck commented on May 29, 2024

@tim-teacher there is the getCredentialState for checking the state of the authentication on the client.

from dart_packages.

HenriBeck commented on May 29, 2024

@mars3142 you will need to revoke your app's permission here: https://appleid.apple.com/account/manage

from dart_packages.

davidAg9 commented on May 29, 2024

Apple announced that any app registering a user should give options for deletion. This means once a user opts out, my backend should be able to purge all related records for the user, including signing records. So first, I assume this package calls native APIs, and towards that end I want to ask if there is functionality for sign out with Apple, and if that is the case, this plugin should support it, preferably before 30 June. Thank you. Any further explanation is welcome.
Reference to the announcement -
Apple account deletion requirement

from dart_packages.

HenriBeck commented on May 29, 2024

@davidAg9, as stated previously, a logout needs to happen only on your server, and this is nothing where native APIs are called.

The most important part there is to clear sessions in your DB and revoke any tokens that the BE created with this endpoint: https://developer.apple.com/documentation/sign_in_with_apple/revoke_tokens

And since this endpoint requires your client's secret, it should only be called from your BE and never from the client.

from dart_packages.
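
A sketch of the server-side flow described in the comment above, as an added example that is not part of the thread or of the package: it clears the user's sessions and builds the form request for Apple's revoke endpoint. The in-memory store, the function names and the sample IDs are assumptions; the client secret is assumed to be a JWT the backend has already generated and keeps private.

```javascript
// Added example (hypothetical names): backend logout with token revocation.
const APPLE_REVOKE_URL = 'https://appleid.apple.com/auth/revoke';

// Build the form-encoded request for the revoke endpoint. It carries the
// client secret, so it must be built and sent by the backend only.
function buildRevokeRequest({ clientId, clientSecret, token, tokenTypeHint }) {
  if (!clientSecret) throw new Error('client secret missing: backend only');
  const body = new URLSearchParams({
    client_id: clientId,
    client_secret: clientSecret,
    token,
    token_type_hint: tokenTypeHint, // 'refresh_token' or 'access_token'
  });
  return {
    url: APPLE_REVOKE_URL,
    method: 'POST',
    headers: { 'Content-Type': 'application/x-www-form-urlencoded' },
    body: body.toString(),
  };
}

// Hypothetical store: session id -> user id, user id -> Apple refresh token.
function createStore() {
  return { sessions: new Map(), appleTokens: new Map() };
}

// Clear every session of the user first, so local logout never depends on
// Apple's answer, then return the revoke request to send (or null).
function logoutAndRevoke(store, userId, appleConfig) {
  for (const [sessionId, owner] of store.sessions) {
    if (owner === userId) store.sessions.delete(sessionId);
  }
  const token = store.appleTokens.get(userId);
  store.appleTokens.delete(userId);
  if (!token) return null; // nothing stored for this user
  return buildRevokeRequest({ ...appleConfig, token, tokenTypeHint: 'refresh_token' });
}

// Map the HTTP result to something the caller can log or retry on.
function interpretRevokeResponse(status, bodyText) {
  if (status === 200) return { ok: true, error: null };
  let error = 'unknown_error';
  try { error = JSON.parse(bodyText).error || error; } catch (_) { /* non-JSON body */ }
  return { ok: false, error };
}
```

The returned request object can be passed to whatever HTTP client the backend already uses; the response status and body then go through `interpretRevokeResponse`.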

davidAg9 commented on May 29, 2024

Which means, as a safeguard, we have to keep user records after they have deleted their accounts, so if they ever want to register we just reference the old account record, since when using Apple's authentication the username and email is given only once unless the user has removed sign-in with Apple from the app itself.

from dart_packages.

davidAg9 commented on May 29, 2024

Apple stores references to the apps that have signed in using its authentication services at appleid.apple.com
You can log in to yours and have a look at all the apps you've ever signed in to... This ultimately means when a hypothetical user deleted his account from an example app, the authentication reference is not removed from Apple, and if this user decides to register once again with said example app, the app will not be able to retrieve name and email, as Apple releases this only once. So the best solution is to create an archive in the database to store deleted users

from dart_packages.

davidAg9 commented on May 29, 2024

So I am still thinking through the best way to deal with account deletion with Apple's authentication service, i.e. signinwithapple

from dart_packages.

davidAg9 commented on May 29, 2024

With the revoke tokens endpoint, I am asking if it cannot be added to this package, in a wrapper that implements it

from dart_packages.

davidAg9 commented on May 29, 2024

And thank you for making me aware of the endpoint tho, cheers

from dart_packages.

mrvyas417 commented on May 29, 2024

I am using Glitch, how do I log out? I am using Flutter

from dart_packages.

davidAg9 commented on May 29, 2024

> > the authentication reference is not removed from Apple, and if this user decides to register once again with said example app, the app will not be able to retrieve name and email, as Apple releases this only once. So the best solution is to create an archive in the database to store deleted users
>
> @davidAg9 Are you sure this holds true even when you call the revoke_tokens endpoint?
>
> To me that sounds like it could behave the same way as if the user logs out of "your app" from their Apple ID settings.
>
> Thus when the user logs in again, you'll receive new tokens and likely the e-mail address & name (which they have then chosen).
>
> I have no practical experience with account deletion, but it just seems to me that Apple wouldn't force you to support account deletion, while at the same time having a flow which would require you to keep e.g. the e-mail address. That would just utterly defeat the purpose of the whole requirement, no?

Hello again. Apple requires that the account deletion directive should be able to remove all information of the user, which can be done, but the problem is that if the user happens to come back he cannot sign in the usual way with Apple sign in, because Apple will not give us the names and email again if requested, since there is still an association of the app itself to Apple's Sign In with Apple service... The endpoint you mentioned doesn't seem to affect or remove that association... therefore Apple still assumes that the user has just logged out. @tp

from dart_packages.

davidAg9 commented on May 29, 2024

Following my above comment, the endpoint you specified where we are to provide a client id to the .... Firebase generates its own and Apple generates its own during the signing process; which are we to save and use?

from dart_packages.

davidAg9 commented on May 29, 2024

> Running into the same issue as @davidAg9 attempting to implement a 'revoke token' flow on user account deletion.
>
> The issue we're running into is:
>
>   1. Delete a user account and make a request to Apple to revoke the access token (server side).
>   2. Then, in the Flutter app, tap the 'Sign in with Apple' button.
>   3. The Apple auth dialog does not appear. Instead, the AuthorizationCredentialAppleID credential is re-used and the access token associated with the deleted user is sent to the server for authentication.
>   4. Since the access token's been revoked, the authentication request to Apple returns a 400 error: {'error': 'invalid_grant', 'error_description': 'The code has expired or has been revoked.'}.
>
> A fix would be to add a signOut() function so the user has the ability to select a different account or so we can generate a new access token. The GoogleSignIn package offers a signOut() method that I use for the same purpose.

I have found a solution, and well, not the wrapper we wanted, but it will let you implement yours easily. See link

from dart_packages.

HenriBeck commented on May 29, 2024

@davidAg9 Apple's client-side APIs don't offer a signOut function, so we also can't add one to this package.

We will also provide no APIs for the revoke token function within this package since under no circumstances should this API be called from the client side.

Apple should remove the connection to your App when the revoke token endpoint has been called and upon a new login you should get the user information again.
I will test this tomorrow again myself but afaik our own QA did check this and for them, this worked.

from dart_packages.

davidAg9 commented on May 29, 2024

@HenriBeck

> > Running into the same issue as @davidAg9 attempting to implement a 'revoke token' flow on user account deletion.
> > The issue we're running into is:
> >
> >   1. Delete a user account and make a request to Apple to revoke the access token (server side).
> >   2. Then, in the Flutter app, tap the 'Sign in with Apple' button.
> >   3. The Apple auth dialog does not appear. Instead, the AuthorizationCredentialAppleID credential is re-used and the access token associated with the deleted user is sent to the server for authentication.
> >   4. Since the access token's been revoked, the authentication request to Apple returns a 400 error: {'error': 'invalid_grant', 'error_description': 'The code has expired or has been revoked.'}.
> >
> > A fix would be to add a signOut() function so the user has the ability to select a different account or so we can generate a new access token. The GoogleSignIn package offers a signOut() method that I use for the same purpose.
>
> I have found a solution, and well, not the wrapper we wanted, but it will let you implement yours easily. See link

I have already implemented the sign out feature Apple requires and I have shared the solution above

from dart_packages.

ZahidUrRehman13 commented on May 29, 2024

Getting null in subsequent sign-ins in Flutter using this package, as well as there is no signout option. Apple just provides the credential for the first time but not subsequently. Please help me

from dart_packages.

yourny commented on May 29, 2024

Maybe we can delete the credentials from the local keychain? I don't have too much experience with Apple, but it looks like the session is persisted on the device until I completely reset the simulator

from dart_packages.
