This is a classic Q I get pretty often – it’s time to get a post out and start replying by reference instead of by value Smile

The issue at hand is how to fully “sign out” (whatever that means for a native app) a user from a Windows Store client.

The actual user session is determined by two different components: the token cache (under ADAL’s control, see this) and any session tracking cookies that might be present in the system (not under ADAL’s control). As shown in the aforelinked post, you can easily take care of the token cache part. Clearing cookies is harder tho, Windows Store authentication takes place within the WebAuthenticationBroker – which has its own cookie jar that is separate and unreachable from your application code. The most robust approach there is not to create any persistent cookie (e.g. NOT clicking “remember me” during authentication. In fact, we should stop even showing it soon). However if you end up with such a cookie, the main way of getting rid of it is triggering a sign out form the same WebAuthenticationBroker – the server will take care of cleaning things up.

    string requestUrl = "https://login.windows.net/common/oauth2/logout";
    Task.Run(async () =>
    {
        try
        {
            await WebAuthenticationBroker.AuthenticateAsync(WebAuthenticationOptions.SilentMode, new Uri(requestUrl));
        }
        catch (Exception)
        {
            // timeout. That's expected
        }
    });
 

Leave a Reply

Your email address will not be published. Required fields are marked *