Mobile OAuth Sign Out

Since switching our Meeting SDK app to use OAuth, users are having trouble signing out and signing back in as someone else. This seems to be related to an inability to sign out from the Zoom mobile website. Our customers are known to share devices and need to log in as different users on a daily basis.

Setup: we have an Android app that uses the Zoom Meeting SDK for Android. We use OAuth to authenticate the user.

Steps:

  1. User chooses Log In from within our Android app, and we start a typical OAuth flow in the mobile browser.
  2. User completes the login process (“Stay signed in” checkbox is unchecked) and is redirected back to our app, where we complete the OAuth flow (exchange auth token, etc.).
  3. User decides to sign out from our app, so we delete the access and refresh tokens.
  4. User attempts to log in as a different user, so they choose Log In from within our app.
  5. Mobile browser opens briefly, but since the user is already logged in, user is redirected back to our app and is logged in. But this is not what the user wants. They want to log in as a different user.
  6. User opens their browser and goes to zoom.us. There is no indication the user is logged in.
  7. User goes to zoom.us/profile. User’s profile displays. There is no way to sign out. If you scroll down to the bottom of the profile, there is an option to “Sign Me Out From All Devices”. But this does not sign you out of the current mobile browser session. So this does not solve the problem.

The only workaround we have found so far is to ask the user to delete their browser app data. This is not very convenient.

Another workaround on phones is to enable the “Desktop site” checkbox in Chrome. Now the user’s profile picture appears and when tapping that, a SIGN OUT option appears. This is not a viable workaround for us as we use custom Android devices and the browser lacks a “Desktop site” option.

Is there a better way to handle OAuth sign out? Is there a URL we can launch in the browser that will programmatically sign the user out of zoom.us? Or is there a way to force the OAuth flow to always require the user to enter credentials?

I found a workaround for now. If you hit the following URL, it will force log you out of the Zoom website.

https://zoom.us/saml/logout

I don’t know how stable this URL is, but it seems to work.