
SSO App & Website (Question)

Open merzchr opened this issue 5 years ago • 15 comments

Dear AppAuth-iOS Community, is there a possibility to remember my OIDC credentials when I'm switching between a native iOS app and the common Safari browser on my iOS device?

merzchr avatar Feb 05 '20 09:02 merzchr

Hi guys, I have to push this topic again. If someone is interested in a consulting project here, it would be great to get a message. Best, Christian

merzchr avatar Feb 12 '20 09:02 merzchr

Let's dissect this a bit, shall we?

When using AppAuth in your iOS App, you would start your authentication:

```swift
let authorizationRequest = OIDAuthorizationRequest(....)

OIDAuthState.authState(byPresenting: authorizationRequest) { authState, authError in
    // handle authState or error
}
```

Safari Authentication Session

Under the hood, this will use SFAuthenticationSession (iOS 11) or ASWebAuthenticationSession (iOS 12+). Both sessions will open a Safari View-Controller within the context of your app. This Safari instance has access to the global iOS cookie and session cache.

That's the same cookie and session cache that the default iOS Safari browser app is using. So, if your user is authenticating either in the Safari browser app or in your app (via the mentioned XY-AuthenticationSession), you will have access to the user's session.

leviathan avatar Feb 18 '20 08:02 leviathan

Hi Leviathan,

but that is only true if it's a persistent cookie and not a session cookie. Also, if you somehow need to add web content inside of the app (in-app browsing with SafariViewController or WKWebView), that would not work either if we have SFAuthenticationSession (iOS 11) or ASWebAuthenticationSession (iOS 12+).

So for that case I don't see any solution, or does somebody have an idea how it would be possible to solve this?

Markus-Sky avatar Feb 18 '20 13:02 Markus-Sky

Hi Leviathan, Markus mentioned exactly my challenge :/ Best Christian

merzchr avatar Feb 21 '20 13:02 merzchr

Hi, looks like I'm facing the same issue.

pertau avatar Feb 27 '20 08:02 pertau

Hi guys, Do you know if there is a way to not use SFSafariViewController and open Safari app instead?

juancarlosdmz avatar Mar 10 '20 14:03 juancarlosdmz

> Hi guys, Do you know if there is a way to not use SFSafariViewController and open Safari app instead?

Apple will likely reject your application if you use Safari instead of SFAuthenticationSession or ASWebAuthenticationSession.

karimhm avatar May 31 '20 00:05 karimhm

I second the above. The expectation is that when I log in on the iOS app and the WebView controller launches, it should save the cookie as persistent, so that when I access my web app in Safari, it should be able to read the cookie and log in automatically.

On AppAuth-Android, the behavior is working correctly. Only here in iOS the cookie is session based. Is there any configuration to make the cookie persistent?

vvavepacket avatar Aug 16 '20 03:08 vvavepacket

Hi guys, I am facing the same issue, maybe someone has resolved this issue?

dattran-pt19 avatar May 10 '22 08:05 dattran-pt19

Hi, did anyone find a solution, please?

KevinGiacomino avatar Jan 25 '23 17:01 KevinGiacomino

I did quite some testing for SSO between browser and app using an ASWebAuthenticationSession and setting prefersEphemeralWebBrowserSession to false. Based on this article https://developer.okta.com/blog/2022/01/13/mobile-sso#sfauthenticationsession-or-aswebauthenticationsession-behavior and the Apple docs (https://developer.apple.com/documentation/authenticationservices/authenticating_a_user_through_a_web_service#3395310) that should be possible.

My reproduction path:

  1. using iPhone 15 pro emulator, OS version 17.2
  2. take the example project (https://github.com/MaikuB/flutter_appauth/tree/master/flutter_appauth/example) and change preferEphemeralSession to be false (it's Flutter but under the hood uses AppAuth-iOS)
  3. open Safari on the emulator on https://demo.duendesoftware.com/Account/Login
  4. login with bob/bob and check the 'remind me' box (important, otherwise you will get a session cookie)
  5. now there is a persistent cookie named idsrv with an age of 1 month
  6. open the example app
  7. click 'sign in no code exchange'
  8. now the login window is showing, while I would expect the persistent cookies to be present and Identity Server to automatically redirect.

This is the ASWebAuthenticationSession when debugging: [screenshot]

Here is a comparison between the cookies in Safari vs. the cookies in the webview: [screenshot]

Conclusion: For some reason the cookies are not shared between Safari and the Webview, but not sure why...

lazytesting avatar Jan 24 '24 10:01 lazytesting
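
The session-versus-persistent distinction raised by Markus-Sky and in steps 4 and 5 of the reproduction above can be checked from the identity provider's Set-Cookie response headers. The following is an added example, not code from the thread or from AppAuth-iOS; the header values are constructed, only the cookie name idsrv comes from the thread, and the function names are hypothetical.

```python
# Added example: classify Set-Cookie header values as session, persistent or expired.
from datetime import datetime, timezone
from email.utils import parsedate_to_datetime
from http.cookies import SimpleCookie

# Constructed sample headers; only the cookie name "idsrv" appears in the thread.
SAMPLE_HEADERS = [
    "idsrv=abc; Path=/; Max-Age=2592000; Secure; HttpOnly; SameSite=None",
    "idsrv.session=def; Path=/; Secure; SameSite=None",
    "legacy=ghi; Path=/; Expires=Wed, 01 Jan 2020 00:00:00 GMT",
]

def classify(header, now=None):
    """Return (name, kind, lifetime_seconds) for one Set-Cookie header value."""
    now = now or datetime.now(timezone.utc)
    jar = SimpleCookie()
    jar.load(header)
    if not jar:
        raise ValueError(f"unparseable Set-Cookie value: {header!r}")
    name, morsel = next(iter(jar.items()))
    lifetime = None
    max_age = morsel["max-age"].strip()
    if max_age.lstrip("-").isdigit():
        # A valid Max-Age takes precedence over Expires (RFC 6265).
        lifetime = int(max_age)
    elif morsel["expires"]:
        try:
            expires = parsedate_to_datetime(morsel["expires"])
            if expires.tzinfo is None:
                expires = expires.replace(tzinfo=timezone.utc)
            lifetime = int((expires - now).total_seconds())
        except (TypeError, ValueError):
            lifetime = None  # an unparseable Expires is ignored
    if lifetime is None:
        # Neither attribute present: the cookie ends with the browser session.
        return name, "session", None
    return name, ("persistent" if lifetime > 0 else "expired"), lifetime

def persistent_cookies(headers, now=None):
    """Names of cookies that outlive the browser session."""
    results = (classify(h, now) for h in headers)
    return [name for name, kind, _ in results if kind == "persistent"]

if __name__ == "__main__":
    for h in SAMPLE_HEADERS:
        print(classify(h))
```

Running it against the headers captured with and without the 'remind me' box shows whether the login cookie is issued as a session cookie or a persistent one.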