Kinvey's Mobile Identity Connect provides a way for logging in to a mobile application via a third-party authentication provider. The entrypoint is a function/method named "loginWithAuthorizationCodeLoginPage" (Android), "presentMICViewController" (iOS), or "loginWithMIC" (Xamarin/javascript). What this will accomplish is two-fold: First, the mobile device will store a SSO token, typically as a cookie through a webview to the embedded browser (specifics differ slightly per Kinvey SDK). Second, a login to Kinvey to acquire a Kinvey session token will take place.
The Kinvey logout call as provided with Kinvey SDK's will log out the Kinvey session only. This is typically the desired behavior since the idP's login might be shared by several applications on the mobile device. For instance, if MIC is implemented against Salesforce, there might be other mobile apps wanting to leverage the existing SFDC cookies. But in some cases, this is not desired.
In order to log out both Kinvey and the 3rd-party identity provider, the application must call both logout functions. This could be implemented by triggering two actions on the "logout" button click:
1. Call the Kinvey SDK logout call: Kinvey.ActiveUser.logout() (specific syntax differs per SDK)
2. Open a URL to go to the idP's particular "sso logout" url. This will typically open up a webview. Some idP's also offer a redirect back to the app, in which case you case use the same redirect URI that you use for login (e.g. "myApp://").
Here are the logout urls for some common idP's that Kinvey customers often integrate with:
-
Azure: https://login.windows.net/common/wsfederation?wa=wsignout1.0
- (note: this might globally log out all sessions for that user)
-
OKTA: (guide) call "/oauth2/v1/logout?id_token_hint=myidtoken&post_logout_redirect_uri=myApp://"
- (note: for "myidtoken", you can use the MIC config to pass Allowed Attribute "id_token" to your User Record on the client)
-
Salesforce: () call "$instance_url/secur/logout.jsp"
- (note: for "instance_url", you can use the MIC config to pass Allowed Attribute "instance_url" to your User Record on the client)