MaikuB / flutter_appauth

A Flutter wrapper for AppAuth iOS and Android SDKs

iOS SSO not working #469

Closed lazytesting closed 5 months ago

lazytesting commented 5 months ago

I'm trying to set up SSO (sharing browser login session with our app) but on iOS this is not working. My expectation is that this should work when setting preferEphemeralSession to false and when the OS is modern enough to support ASWebAuthenticationSession.

Reproduction scenario:

I would expect that the user gets automatically logged in as there is a persistent cookie in Safari (and the ASWebAuthenticationSession should be able to access browser cookies when it is not an ephemeral session). When I inspect the traffic through a proxy I see that when the app is opening the 'login webview' it does not send the 'idsrv' cookie.

Additional information:

Documentation on cookie behaviour: https://developer.okta.com/blog/2022/01/13/mobile-sso#sfauthenticationsession-or-aswebauthenticationsession-behavior

Apple docs: https://developer.apple.com/documentation/authenticationservices/authenticating_a_user_through_a_web_service

MaikuB commented 5 months ago

Have you tried this on a real device? I believe this is a limitation of using the simulator as this works as expected on my iPad, and I may need to make a note of this in the readme. I've seen this mentioned by others online when they had issues with SSO on iOS in general, i.e. not to do with this plugin.

Side note: reminder that this plugin leverages the AppAuth iOS/macOS SDK so strictly speaking, if there was an issue then it would be with that SDK. In saying that, I know it does leverage APIs like ASWebAuthenticationSession depending on the OS version.

lazytesting commented 5 months ago

I'm not able to run the example on a real device but I see the same behavior in our production app as well both in an emulator and on a real device. Do you know if there is a way to confirm that the webview is actually an ASWebAuthenticationSession (I assume it is but I also cannot think of other reasons why it is not working)?

MaikuB commented 5 months ago

The only way I know of is by looking at the code for the SDK.

lazytesting commented 5 months ago

So far I have also not found a way to achieve this. I was able to attach the Safari dev console to the webview session but could not find anything useful. I was only able to confirm that the cookies are not set.

MaikuB commented 5 months ago

Can't help you more than that as it's the SDK, not this plugin, that does the heavy lifting. I would think you can use Xcode to debug and step through their code. Perhaps the other thing to consider is if the server itself doesn't support providing the cookies needed.

lazytesting commented 5 months ago

Thanks @MaikuB for your help. I finally got my iOS debugger working and I can confirm that the ASWebAuthenticationSession is created and that the prefersEphemeralWebBrowserSession is set correctly, so indeed not a problem in this package.
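An added example, not part of the thread or of flutter_appauth: one way to run the proxy check from the first comment over an exported HAR capture, and to test the server-side possibility raised later by checking whether `idsrv` is issued as a persistent cookie (ASWebAuthenticationSession does not share session cookies with Safari). The HAR excerpt, the host `idp.example` and the `/connect/authorize` path are constructed assumptions.

```python
import json
from http.cookies import SimpleCookie

# Constructed HAR excerpt (not captured from the issue): a browser login that
# sets "idsrv", followed by the app's authorize request.
SAMPLE_HAR = json.dumps({"log": {"entries": [
    {"request": {"url": "https://idp.example/account/login", "headers": []},
     "response": {"headers": [
         {"name": "Set-Cookie", "value": "idsrv=abc123; Path=/; Secure; HttpOnly"},
         {"name": "Set-Cookie", "value": "lang=en; Max-Age=31536000; Path=/"}]}},
    {"request": {"url": "https://idp.example/connect/authorize?client_id=app",
                 "headers": [{"name": "Cookie", "value": "lang=en"}]},
     "response": {"headers": []}},
]}})


def _values(headers, name):
    """All values of one header, matched case-insensitively."""
    return [h["value"] for h in headers if h["name"].lower() == name.lower()]


def cookie_sent(har_text, cookie_name, path_fragment):
    """Map each request URL containing path_fragment to whether the cookie was sent."""
    result = {}
    for entry in json.loads(har_text)["log"]["entries"]:
        req = entry["request"]
        if path_fragment not in req["url"]:
            continue
        sent = set()
        for value in _values(req["headers"], "Cookie"):
            sent.update(part.split("=", 1)[0].strip() for part in value.split(";"))
        result[req["url"]] = cookie_name in sent
    return result


def cookie_persistence(har_text, cookie_name):
    """For every Set-Cookie of cookie_name, report 'persistent' or 'session'."""
    found = []
    for entry in json.loads(har_text)["log"]["entries"]:
        for value in _values(entry["response"]["headers"], "Set-Cookie"):
            jar = SimpleCookie()
            jar.load(value)
            if cookie_name in jar:
                morsel = jar[cookie_name]
                # A cookie without Expires or Max-Age lives only for the browser session.
                persistent = bool(morsel["expires"] or morsel["max-age"])
                found.append("persistent" if persistent else "session")
    return found
```

A `session` result for the login cookie points at the identity provider's cookie settings rather than at the app or the SDK.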