I have followed this article on how to get started with using Auth0 in Flutter.
The author writes: "...a complete secure logout is beyond the scope of this article".
The logout method from the article is this:
    void logoutAction() async {
      await secureStorage.delete(key: 'refresh_token');
      setState(() {
        isLoggedIn = false;
        isBusy = false;
      });
    }

It removes the refresh_token from secure storage on the device. Now, I want to be able to do a more complete logout where the user will have to do a full login again with username and password. Currently, the user can log in without typing a username and password, which I think is due to the access token being saved somewhere. If this is due to the access token, how can I delete this access token from browser cookies or wherever it is being stored?

One way to avoid storing the access token is to add promptValues: ['login'] to the login method. The problem with this is that the user will have to log in every time, therefore completely removing the benefits of the stored access token. So again, I want the user to be able to do a "complete" logout where the access token is cleared from cookies.

    Future<void> loginAction() async {
      setState(() {
        isBusy = true;
        errorMessage = '';
      });

      try {
        final AuthorizationTokenResponse result =
            await appAuth.authorizeAndExchangeCode(
          AuthorizationTokenRequest(
            AUTH0_CLIENT_ID,
            AUTH0_REDIRECT_URI,
            issuer: 'https://$AUTH0_DOMAIN',
            scopes: ['openid', 'profile', 'offline_access'],
            // promptValues: ['login']
          ),
        );

        final idToken = parseIdToken(result.idToken);
        final profile = await getUserDetails(result.accessToken);

        await secureStorage.write(
            key: 'refresh_token', value: result.refreshToken);

        setState(() {
          isBusy = false;
          isLoggedIn = true;
          name = idToken['name'];
          picture = profile['picture'];
        });
      } catch (e, s) {
        print('login error: $e - stack: $s');

        setState(() {
          isBusy = false;
          isLoggedIn = false;
          errorMessage = e.toString();
        });
      }
    }