Login hint ignored. No way to force user to re-authenticate
Description
LoginHint is ignored if another user is already logged in. There is no way to work around this issue when the mobile app is reinstalled.
Steps to reproduce
- User [email protected] installs the Android app and opens it.
- User enters the [email protected] username in the app. The app has a single username field; the entered value is then used as the login hint.
- User presses the 'Next' button. This opens a Chrome Custom Tabs browser pointing to the FusionAuth authorization endpoint; the login hint is passed to this endpoint.
- User logs in and can fully use the app.
- User uninstalls the app without logging out.
- User [email protected] installs the Android app and opens it.
- User enters his [email protected] username as the login hint in the app and presses 'Next'.
- This opens a Chrome Custom Tabs browser pointing to the FusionAuth authorization endpoint; the login hint is passed to this endpoint. Chrome Custom Tabs still has the session of user abc, because he did not log out before uninstalling the app.
- User abc is logged in to the app instead of user xyz.
- There is no way to clear cookies in Chrome Custom Tabs (or SafariViewController on iOS) to work around this case.
- FusionAuth does not seem to support 'prompt=login', which could fix this and require the user to re-authenticate.
Expected behavior
LoginHint should not automatically log the wrong user into the app, or there should be a way to force the user to re-authenticate.
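As an added example that is not part of this issue or of FusionAuth's own code, here is a client-side mitigation in Python for the scenario above: it sends login_hint together with prompt=login and max_age=0 (assuming the authorization server honours them, which the report says FusionAuth did not at the time) and, independently of server support, refuses to treat the login as successful when the returned ID token does not name the hinted user. The endpoint, client id, redirect URI and e-mail addresses are constructed sample values.

```python
import base64
import hashlib
from urllib.parse import parse_qs, urlencode, urlsplit

# Constructed values: the real authorization endpoint, client id and redirect URI
# come from the app's FusionAuth configuration.
AUTHORIZE_ENDPOINT = "https://auth.example.com/oauth2/authorize"
CLIENT_ID = "example-client-id"
REDIRECT_URI = "com.example.app://callback"


def build_authorization_request(login_hint: str, state: str, nonce: str, code_verifier: str) -> str:
    """Build the URL the custom tab opens. Besides login_hint it sends prompt=login and
    max_age=0, which ask the server to re-authenticate instead of silently reusing a
    browser session a previous user left behind (only effective if the server honours it)."""
    challenge = base64.urlsafe_b64encode(
        hashlib.sha256(code_verifier.encode()).digest()).rstrip(b"=").decode()
    params = {
        "client_id": CLIENT_ID,
        "redirect_uri": REDIRECT_URI,
        "response_type": "code",
        "scope": "openid email",
        "state": state,                 # binds the callback to this request
        "nonce": nonce,                 # binds the ID token to this request
        "login_hint": login_hint,
        "prompt": "login",
        "max_age": "0",
        "code_challenge": challenge,    # PKCE, S256
        "code_challenge_method": "S256",
    }
    return f"{AUTHORIZE_ENDPOINT}?{urlencode(params)}"


def parse_callback(callback_url: str, expected_state: str):
    """Return the authorization code, or None if the callback's state does not match."""
    query = parse_qs(urlsplit(callback_url).query)
    if query.get("state", [None])[0] != expected_state:
        return None
    return query.get("code", [None])[0]


def session_matches_hint(id_token_claims: dict, login_hint: str, nonce: str) -> bool:
    """Client-side guard that works even when prompt=login is ignored: after the code
    exchange, accept the login only if the (signature-verified) ID token carries this
    request's nonce and names the same user the app asked for in login_hint."""
    if id_token_claims.get("nonce") != nonce:
        return False
    return id_token_claims.get("email", "").lower() == login_hint.strip().lower()
```

The claims passed to session_matches_hint must come from an ID token whose signature has already been verified; that verification is outside this snippet.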