I'm using ASWebAuthenticationSession using Authorization Code Flow. In this flow I get a code token back from ASWebAuthenticationSession that I exchange for access and refresh tokens from my server. I store those in Keychain. This works fine, but the problem is when I want to log out and log in with a different account.
Logging out is two steps:
1. Throw away my keychain tokens
2. Call ASWebAuthenticationSession to log out from the servers.
The second step has a strange user experience though, as it will ask consent for logging _in_! If I skip this step, and try logging in again using ASWebAuthenticationSession, it will not show the web view unless enough time has passed since the previous login.
So, I was thinking that most users don't log in and log out often, so I could check if enough time passed since the login and then skip step 2. Not good, but still an improvement.
Does anyone know how long that timeout is? I tested and it seems it may be one hour. Perhaps it's some kind of cookie lifetime or something that the server controls.
Or is there a better solution?