Forcing re-login after Salesforce (OpenID) logout in a Java Android app
This answer walks through why users are not asked for their password again after logging out of your Android app, and how to fix it. The goal is to end only this app's session, without revoking every Salesforce grant the user holds elsewhere.
Step 1: Clear All Local Authentication Credentials
The most common reason users skip login after logout is that your app is still storing valid tokens (like access_token, refresh_token, or id_token) locally. When the app restarts, it uses these tokens to automatically get a new session without prompting the user.
To fix this, make sure you delete every piece of auth-related data from your app's storage (SharedPreferences, Room database, etc.) when the user taps "Logout". Here's a quick Java example using SharedPreferences:
```java
// Access your app's auth preferences
SharedPreferences authPrefs = getSharedPreferences("SalesforceAuth", MODE_PRIVATE);

// Clear all stored tokens and auth metadata
authPrefs.edit()
        .remove("access_token")
        .remove("refresh_token")
        .remove("id_token")
        .remove("token_expiry")
        .apply();
```
Step 2: Terminate the Salesforce SSO Session
Even if you clear local tokens, the user might still have an active SSO session in the browser (or WebView) that your app uses for authentication. This means when you redirect back to the Salesforce login page, it will auto-sign the user in without asking for credentials.
To fix this, you need to trigger Salesforce's official OIDC logout endpoint to end the browser-based session. Here's how to do it:
- First, save the `id_token` you receive during the initial authentication flow (you'll need it as the `id_token_hint` for the logout request).
- Construct the logout URL using Salesforce's `endsession` endpoint, along with the `id_token_hint` and a valid `post_logout_redirect_uri` (this URI must be configured in your Salesforce Connected App settings; the exact endpoint path is published as `end_session_endpoint` in your org's OIDC discovery document, so confirm it there).
- Load this URL in a hidden WebView to terminate the session.
Here's the Java code for this:
```java
import android.content.Intent;
import android.content.SharedPreferences;
import android.net.Uri;
import android.webkit.WebView;
import android.webkit.WebViewClient;

// Retrieve the stored id_token. Read it BEFORE the Step 1 code clears the
// preferences, otherwise getString() returns null and no logout request is sent.
String idToken = authPrefs.getString("id_token", null);
if (idToken == null) {
    // No id_token to pass as id_token_hint; nothing to end on the Salesforce side
    return;
}

// Build the logout URL
String salesforceDomain = "https://your-salesforce-instance.my.salesforce.com";
String endSessionEndpoint = salesforceDomain + "/services/oauth2/endsession";
String redirectUri = "your-app-scheme://logout-complete"; // Must match Connected App config
String logoutUrl = String.format(
        "%s?id_token_hint=%s&post_logout_redirect_uri=%s",
        endSessionEndpoint,
        Uri.encode(idToken),
        Uri.encode(redirectUri)
);

// Use a WebView to trigger the logout (can be hidden from the user)
final WebView logoutWebView = new WebView(getApplicationContext());
logoutWebView.setWebViewClient(new WebViewClient() {
    @Override
    public void onPageFinished(WebView view, String url) {
        super.onPageFinished(view, url);
        // Once logout is done, destroy the WebView and navigate to your login screen
        logoutWebView.destroy();
        startActivity(new Intent(YourCurrentActivity.this, LoginActivity.class));
        finish();
    }
});
logoutWebView.loadUrl(logoutUrl);
```
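The two steps combined into one helper, added here as an example and not code from the original answer: it captures the `id_token` before wiping the stored credentials (Step 2 above reads it after Step 1 has already removed it), builds the end-session URL with `Uri.Builder` so both parameters are percent-encoded, and treats logout as finished only when the WebView is asked to navigate to the exact registered `post_logout_redirect_uri`. The preference name, keys, endpoint path and redirect scheme follow the answer; the class and method names are assumed.

```java
import android.content.Context;
import android.content.SharedPreferences;
import android.net.Uri;
import android.webkit.WebView;
import android.webkit.WebViewClient;

// Added example (not the original answer's code); class and method names are assumed.
public final class SalesforceLogoutHelper {
    private static final String PREFS = "SalesforceAuth"; // preference name used in the answer
    private static final String[] AUTH_KEYS = {"access_token", "refresh_token", "id_token", "token_expiry"};

    // Capture the id_token BEFORE wiping, then remove every credential key synchronously
    // (commit, not apply) so nothing survives if the process dies mid-logout.
    public static String takeIdTokenAndWipe(Context ctx) {
        SharedPreferences prefs = ctx.getSharedPreferences(PREFS, Context.MODE_PRIVATE);
        String idToken = prefs.getString("id_token", null);
        SharedPreferences.Editor ed = prefs.edit();
        for (String key : AUTH_KEYS) ed.remove(key);
        ed.commit();
        return idToken;
    }
    // Uri.Builder percent-encodes each value, so a token containing '+' or '/' cannot break the query.
    public static Uri buildEndSessionUrl(String domain, String idToken, String postLogoutRedirect) {
        return Uri.parse(domain + "/services/oauth2/endsession").buildUpon()
                .appendQueryParameter("id_token_hint", idToken)
                .appendQueryParameter("post_logout_redirect_uri", postLogoutRedirect)
                .build();
    }
    // Exact scheme/authority/path comparison; a startsWith() check would also accept
    // any URL that merely begins with the registered value.
    public static boolean isPostLogoutRedirect(Uri candidate, Uri registered) {
        if (candidate == null || candidate.getScheme() == null || registered.getScheme() == null) return false;
        return candidate.getScheme().equalsIgnoreCase(registered.getScheme())
                && nz(candidate.getAuthority()).equalsIgnoreCase(nz(registered.getAuthority()))
                && nz(candidate.getPath()).equals(nz(registered.getPath()));
    }
    private static String nz(String s) { return s == null ? "" : s; }

    // A WebView cannot load a custom scheme, so intercept the redirect instead of relying on
    // onPageFinished, which also fires for any intermediate page Salesforce renders.
    public static WebViewClient logoutClient(final Uri registered, final Runnable onLoggedOut) {
        return new WebViewClient() {
            @Override
            public boolean shouldOverrideUrlLoading(WebView view, String url) {
                if (isPostLogoutRedirect(Uri.parse(url), registered)) { onLoggedOut.run(); return true; }
                return false; // let Salesforce's own pages load normally
            }
        };
    }
}
```

Call `takeIdTokenAndWipe()` first, then load `buildEndSessionUrl(...)` in a WebView whose client is `logoutClient(...)`; the `onLoggedOut` callback is where you destroy the WebView and start `LoginActivity`.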
Why Revoking Tokens Isn't the Right Approach
Revoking tokens via Salesforce's API will invalidate all tokens associated with the user's Connected App, which affects every device/session the user has. That's overkill—you only need to end the session for this specific app instance, which the two steps above handle perfectly.
Final Notes
- Double-check that your `post_logout_redirect_uri` is added to the "Callback URL" list in your Salesforce Connected App settings.
- If you're using an OIDC library (like AppAuth for Android), it likely has built-in methods to clear credentials and trigger logout; you can use those instead of writing custom code.
The question comes from Stack Exchange; asked by kveldssang.