I am using ADFS 4.0 for authenticating into my mobile application using OpenId Connect / OAuth2 flow. Basically when I sign in to my application, my mobile appliaction opens a browser to start the flow. Whenever I sign out from the application, I need to fire the ADFS sign out page to clear the cookies and redirect back to the application.
The problem I have is that when I successfully authenticate through ADFS, I need to perform some user validation in my API for the user which sometimes can fail. If the validation fails, the session cookies stays in the mobile devices browser, so the user is not prompted for credentials anymore, so hes stuck in a loop where he cannot sign in to the application again. I really don't even need the session cookies stored into the mobile devices browser because I am using the access and refresh tokens to handle the flow after the authentication.
I have configurated my application as native application / Web API in ADFS. Is there any way I could disable the cookies to be saved in the mobile devices browser or is there any other approaches for this problem?
Are you using authorization code grant flow?
If yes, you can use prompt
parameter in authorization request. As explaining in this document about prompt , with prompt=select_account
, user will be forced to choose current signing account or choose to login in another account, or with prompt=login
, user has to reauthentication...With those values of prompt
, you will not be "stuck in a loop where he cannot sign in to the application again"