Clear User Session on iOS

Is there a way to forcefully log out the user in Okta using OktaAuthSdk in iOS? What is the recommended way to end a user session mobile side?

Is this also an OIDC application, or are you just creating an Okta session with the auth SDK?

If this is an OIDC application, our OIDC SDK’s signOutOfOkta method uses the /logout endpoint to remove the user’s session from their browser.

Actually, the session is created with OktaAuthSdk authenticate method. Not using OIDC.

```swift
// Xcode autocomplete signature as posted; the <#...#> tokens are editor placeholders
OktaAuthSdk.authenticate(with: <#T##URL#>,
                         username: <#T##String#>,
                         password: <#T##String?#>,
                         onStatusChange: <#T##(OktaAuthStatus) -> Void#>,
                         onError: <#T##(OktaError) -> Void#>)
```

@chrishan If you are using OktaAuthSDK, did you try to use the method closeSession()?
You can refer to the doc here: https://github.com/okta/okta-auth-js#closesession


@Lijia, the question is concerning the iOS SDK. The link you provide for closeSession() is for the Okta JavaScript Library. I’ve got an Android app as well as an iOS app, and I’m able to clear the session client-side with Android, but not with iOS.

There’s a clear() method for the okta-oidc-ios SDK, which will clear the local session.

Sure is… but it only clears the stored cached tokens from OIDC and not the actual client session from OktaAuthSdk as the original author asked. From the documentation…

Removes the local authentication state by removing cached tokens in the keychain.

When our system got upgraded to OIE, a logout and clear of the tokens didn’t clear the user out of the current session. If the user logged out and then tried to log in again, the Okta Auth state remembered the session and bypassed MFA, allowing them in because the session didn’t clear…

Partnering with Okta support, we actually have to do the following to clear the iOS active session to fully log the person out:

```swift
import Foundation

// The Okta session is carried by a cookie named "idx" in the shared cookie jar;
// deleting it is what actually ends the session on the device.
let storage = HTTPCookieStorage.shared
if let cookie = storage.cookies?.filter({ $0.name == "idx" }).first {
    storage.deleteCookie(cookie)
}
```
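As an added example (not code from the thread or from Okta's SDKs), the snippet below generalises the last post's single-cookie deletion: it removes every `idx` cookie that belongs to the Okta org host, reports how many were removed, and offers a post-condition check so the app can confirm no session cookie survived the logout. The `orgHost` parameter, the `example.okta.com` host and the cookie value are assumptions constructed for the demo; only the cookie name `idx` comes from the thread. It is meant to run after the OIDC token clear (`clear()`) mentioned earlier in the thread, since that call only removes cached tokens from the keychain.

```swift
import Foundation

/// Name of the Okta session cookie that the thread above deletes.
let oktaSessionCookieName = "idx"

/// True if the cookie is an Okta session cookie for the given org host.
/// Matching by suffix covers cookies stored as "host" or ".host".
private func isOktaSessionCookie(_ cookie: HTTPCookie, orgHost: String) -> Bool {
    return cookie.name == oktaSessionCookieName &&
        cookie.domain.lowercased().hasSuffix(orgHost.lowercased())
}

/// Removes every Okta session cookie for `orgHost` from `storage` and returns
/// how many were deleted. `orgHost` is an assumed parameter (for example
/// "dev-000000.okta.com"), not something the Okta SDKs define.
@discardableResult
func clearOktaSessionCookies(orgHost: String,
                             storage: HTTPCookieStorage = .shared) -> Int {
    let matches = (storage.cookies ?? []).filter { isOktaSessionCookie($0, orgHost: orgHost) }
    matches.forEach(storage.deleteCookie)
    return matches.count
}

/// Post-condition check for the logout flow: returns true while any Okta
/// session cookie for `orgHost` is still present.
func hasOktaSessionCookie(orgHost: String,
                          storage: HTTPCookieStorage = .shared) -> Bool {
    return (storage.cookies ?? []).contains { isOktaSessionCookie($0, orgHost: orgHost) }
}

// --- Demonstration with a constructed cookie (placeholder host and value, not real Okta data) ---
let demoHost = "example.okta.com"
let demoCookie = HTTPCookie(properties: [
    .name: oktaSessionCookieName,
    .value: "constructed-demo-session-value",
    .domain: demoHost,
    .path: "/",
])!
HTTPCookieStorage.shared.setCookie(demoCookie)

print("session cookie present before logout:", hasOktaSessionCookie(orgHost: demoHost))
let removed = clearOktaSessionCookies(orgHost: demoHost)
print("session cookies removed:", removed)
print("session cookie present after logout:", hasOktaSessionCookie(orgHost: demoHost))
```

Calling `clearOktaSessionCookies(orgHost:)` right after the SDK's token clear, and treating a `true` from `hasOktaSessionCookie(orgHost:)` as a failed logout, is the check that would have surfaced the MFA-bypass symptom described above before a user could reproduce it.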