In certain environments, redirecting to /logout is not seamless (e.g. iOS Safari webviews). Sign-in runs in ASWebAuthenticationSession, so the auth server’s sid cookie lives in Safari’s jar, but logout runs in the WKWebView, which doesn’t send that cookie. The redirect may succeed locally, but the icssc server session is never invalidated — so silent SSO can still re-authenticate the user on next sign-in.
We should issue a revocable logout token at login, store it server-side in AntAlmanac, and revoke the icssc session via a back-channel POST during sign-out (no redirect / no ASW sheet on iOS).
In certain environments, redirecting to /logout is not seamless (e.g. iOS Safari webviews). Sign-in runs in ASWebAuthenticationSession, so the auth server’s sid cookie lives in Safari’s jar, but logout runs in the WKWebView, which doesn’t send that cookie. The redirect may succeed locally, but the icssc server session is never invalidated — so silent SSO can still re-authenticate the user on next sign-in.
We should issue a revocable logout token at login, store it server-side in AntAlmanac, and revoke the icssc session via a back-channel POST during sign-out (no redirect / no ASW sheet on iOS).