ASWebAuthenticationSession doesn't maintain your session itself, but it does use session stored in Safari. See this section in the docs:
If the user has already logged into the web service in Safari or other apps using ASWebAuthenticationSession, it’s possible to share the existing login information. The system presents the user with a dialog asking for consent to share login information. If the user cancels the alert, the session is canceled, and the completion handler is called with the error code ASWebAuthenticationSessionError.Code.canceledLogin.
So if you're authenticating to an OAuth service/app and that service maintains a user's session in Safari then you might see it auto-authenticate you without having to re-enter a username/password. This is only an issue if you want to support multiple logins for a single device - more likely to be an issue during your testing than in normal use (in my experience).
iOS let's users opt-out of the auto-login using previous session each time it tries to authenticate them with the previous session, but I'm not sure of an easy way to flush their session on behalf of them every time you try to do an OAuth from your app.
Thank you for your kind and detailed answer,
Indeed, maybe my wish to fully disconnect after logout is related to my dev role and I would find this annoying as a user.
I’m still curious if there is a possibility or if it’s intended in the design of ASWebAuthenticationSession
You could try prefersEphemeralWebBrowserSession, a new feature in iOS 13, to at least block your web view from sharing session with Safari and be a bit more explicit about making your user login. I'm not sure it speaks to your specific issue, but might be worth exploring.
For further actions, you may consider blocking this person and/or reporting abuse
We're a place where coders share, stay up-to-date and grow their careers.
ASWebAuthenticationSessiondoesn't maintain your session itself, but it does use session stored in Safari. See this section in the docs:So if you're authenticating to an OAuth service/app and that service maintains a user's session in Safari then you might see it auto-authenticate you without having to re-enter a username/password. This is only an issue if you want to support multiple logins for a single device - more likely to be an issue during your testing than in normal use (in my experience).
iOS let's users opt-out of the auto-login using previous session each time it tries to authenticate them with the previous session, but I'm not sure of an easy way to flush their session on behalf of them every time you try to do an OAuth from your app.
Hope that helps!
Thank you for your kind and detailed answer,
Indeed, maybe my wish to fully disconnect after logout is related to my dev role and I would find this annoying as a user.
I’m still curious if there is a possibility or if it’s intended in the design of ASWebAuthenticationSession
You could try prefersEphemeralWebBrowserSession, a new feature in iOS 13, to at least block your web view from sharing session with Safari and be a bit more explicit about making your user login. I'm not sure it speaks to your specific issue, but might be worth exploring.