WIP: Add Remember Device support

Open oleggnidets-okta opened this issue 3 years ago • 3 comments

Important: The backend takes into account only deviceToken. If it exists, then the backend perceives rememberDevice as true all the time. In other words, rememberDevice=false is ignored on the backend side.

Problem Analysis (Technical)

The library does not expose rememberDevice and deviceToken parameters. The feature was requested by the reporter in oidc-ios repo.

Solution (Technical)

Make rememberDevice and deviceToken available for developers.

Tests

Added parameters in tests. I didn't add the integration tests which assure that MFA is not asked for a second time and the device is remembered, because that involves additional Policy rules. Also, I don't know which org is used because the global variables are hidden in the Travis settings.

If you see it's something required I can work on that more.

oleggnidets-okta avatar Mar 25 '21 14:03 oleggnidets-okta
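To make the two parameters above concrete, here is an added example (not code from this PR, from okta-auth-swift, or from Okta) that models the Authn API exchange the PR is about. The request shapes follow the public Authn API reference: deviceToken travels in the `context` object of `POST /api/v1/authn`, and rememberDevice is a query parameter of `POST /api/v1/authn/factors/{factorId}/verify`. The server class is a constructed stand-in that implements only the behaviour reported in the PR description (a present deviceToken is remembered whatever the rememberDevice flag says); the credentials, factor id and OTP are made up for the example.

```python
"""Model of the Okta Authn remember-device exchange discussed in the PR.

Added example, not code from okta-auth-swift or Okta. ModelAuthnServer is a
constructed stand-in for the backend, not Okta's implementation.
"""
import secrets
import string
from typing import Optional
from urllib.parse import urlencode

# Okta documents deviceToken as an opaque string of at most 32 characters.
# Assumption: an alphanumeric alphabet is sufficient (Okta's own examples are alphanumeric).
_ALPHABET = string.ascii_letters + string.digits


def new_device_token() -> str:
    """Generate a random per-install device identifier.

    The value is random rather than derived from a device fingerprint, and the
    caller is expected to persist it (in the iOS Keychain) so the same token is
    sent on every authentication request from this device.
    """
    return "".join(secrets.choice(_ALPHABET) for _ in range(32))


def primary_auth_request(username: str, password: str,
                         device_token: Optional[str] = None) -> dict:
    """Build the POST /api/v1/authn body; deviceToken goes in the "context" object."""
    body = {
        "username": username,
        "password": password,
        "options": {"multiOptionalFactorEnroll": False, "warnBeforePasswordExpired": False},
    }
    if device_token is not None:
        body["context"] = {"deviceToken": device_token}
    return {"method": "POST", "path": "/api/v1/authn", "json": body}


def verify_factor_request(state_token: str, factor_id: str, pass_code: str,
                          remember_device: bool = False) -> dict:
    """Build POST /api/v1/authn/factors/{factorId}/verify; rememberDevice is a query parameter."""
    query = "?" + urlencode({"rememberDevice": "true"}) if remember_device else ""
    return {
        "method": "POST",
        "path": f"/api/v1/authn/factors/{factor_id}/verify{query}",
        "json": {"stateToken": state_token, "passCode": pass_code},
    }


class ModelAuthnServer:
    """Constructed stand-in for the backend (not Okta's code).

    Implements only the behaviour the PR description reports: when a deviceToken
    is present at the time MFA is verified, the device is remembered regardless
    of the rememberDevice flag, and a later primary authentication carrying that
    token returns SUCCESS without a factor challenge.
    """

    def __init__(self, otp: str = "123456") -> None:
        self.otp = otp                      # made-up OTP accepted by the model
        self.remembered = set()             # deviceTokens that have passed MFA
        self.pending = {}                   # stateToken -> deviceToken (or None)

    def handle(self, req: dict) -> dict:
        if req["path"] == "/api/v1/authn":
            token = req["json"].get("context", {}).get("deviceToken")
            if token is not None and token in self.remembered:
                return {"status": "SUCCESS", "sessionToken": "sess-" + secrets.token_hex(4)}
            state = "st-" + secrets.token_hex(4)
            self.pending[state] = token
            return {"status": "MFA_REQUIRED", "stateToken": state}
        if req["path"].startswith("/api/v1/authn/factors/"):
            state = req["json"]["stateToken"]
            if state not in self.pending or req["json"]["passCode"] != self.otp:
                return {"status": "MFA_REQUIRED", "stateToken": state, "error": "invalid passcode"}
            token = self.pending.pop(state)
            if token is not None:           # the flag is ignored; presence of the token is what counts
                self.remembered.add(token)
            return {"status": "SUCCESS", "sessionToken": "sess-" + secrets.token_hex(4)}
        return {"error": "unknown path"}


def run_flow(server: ModelAuthnServer, device_token: Optional[str],
             remember_device: bool) -> list:
    """Two logins from the same device; returns the status of every step."""
    statuses = []
    first = server.handle(primary_auth_request("jane@example.com", "pw", device_token))
    statuses.append(first["status"])
    if first["status"] == "MFA_REQUIRED":
        verified = server.handle(verify_factor_request(
            first["stateToken"], "ftr-otp", server.otp, remember_device))  # "ftr-otp" is made up
        statuses.append(verified["status"])
    second = server.handle(primary_auth_request("jane@example.com", "pw", device_token))
    statuses.append(second["status"])
    return statuses


if __name__ == "__main__":
    print(run_flow(ModelAuthnServer(), new_device_token(), remember_device=False))
    print(run_flow(ModelAuthnServer(), None, remember_device=True))
```

Running the model shows the two cases the PR description calls out: with a token, the second login skips MFA even when rememberDevice is false; without a token, rememberDevice=true has nothing to bind to and the second login is challenged again. Because the client picks the deviceToken value and the server honours it to skip a factor, the token must be unguessable and stored where other apps cannot read it (the Keychain on iOS), and whether the server should honour it from an unauthenticated client at all is exactly the trust question raised further down this thread.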

@IldarAbdullin-okta I've just looked at #120. You said that deviceToken is omitted on purpose 😯 As I can see in Device Token Best Practices, native apps can generate their own unique device ID. So I think using this parameter can be up to customers (developers). What do you think?

https://developer.okta.com/docs/reference/api/authn/#device-token-best-practices

BTW, fingerprint is not considered safe according to the documentation.

oleggnidets-okta avatar Mar 25 '21 14:03 oleggnidets-okta

There are many contradictions in the documentation. My concern is based on the following statement:

Specifying your own deviceToken is a highly privileged operation limited to trusted web applications and requires making authentication requests with a valid API token. If an API token is not provided, the deviceToken will be ignored.

The Auth SDK doesn't use an SSWS API token, so it is considered an untrusted client and therefore can't use deviceToken. On the other hand, developers are saying that the server accepts deviceToken and that they can use it in authentication requests. So it is either a documentation bug or a server code bug. If it is indeed a server-side bug, then implementing this in the SDK is a certain risk.

cc: @robertdamphousse-okta

IldarAbdullin-okta avatar Mar 25 '21 18:03 IldarAbdullin-okta

@oleggnidets-okta What is the status of this pull request? Are we still planning on allowing rememberDevice for the iOS SDK? Our team is looking to have this functionality (as are others I've seen in various threads) to prevent users from being required to provide an MFA factor every time they try to log in.

kyle-beard-wex avatar Nov 07 '22 16:11 kyle-beard-wex