MaikuB / flutter_appauth

A Flutter wrapper for AppAuth iOS and Android SDKs
275 stars 248 forks source link

iOS SSO not working #469

Closed lazytesting closed 10 months ago

lazytesting commented 10 months ago

I'm trying to setup SSO (sharing browser login session with our app) but on iOS this is not working. My expectation is that this should work when setting preferEphemeralSession to false and when to OS is modern enough to support ASWebAuthenticationSession.

Reproduction scenario:

I would expect that the user gets automatically logged as there is a persistent cookie in Safari (and the ASWebAuthenticationSession should be able to access browser cookies when it is not a ephemeral session). When I inspect the traffic through a proxy I see that when the app is opening the 'login webview' it does not send the 'idsrv' cookie.

Additional information: Documentation on cookie behaviour: https://developer.okta.com/blog/2022/01/13/mobile-sso#sfauthenticationsession-or-aswebauthenticationsession-behavior Apple docs: https://developer.apple.com/documentation/authenticationservices/authenticating_a_user_through_a_web_service

MaikuB commented 10 months ago

Have you tried this on a real device? I believe this is a limitation of using the simulator as this works as expected on my iPad and may need to make a note of this in the readme. I've seen this mentioned by others online when they had issues with SSO on iOS in general i.e. not to do with this plugin.

Side note: reminder that this plugin leverages the AppAuth iOS/macOS SDK so strictly speaking, if there was an issue then it would be with that SDK. In saying that, I know it does leverage APIs like ASWebAuthenticationSession depending on the OS version

lazytesting commented 10 months ago

I'm not able to run the example on a real device but I see the same behavior in our production app as well both in an emulator and on a real device. Do you know if there is a way to confirm that the webview is actually an ASWebAuthenticationSession (I assume it is but I also cannot think of other reasons why it is not working)?

MaikuB commented 10 months ago

The only way I know of is by looking at the code for the SDK

lazytesting commented 10 months ago

So far I did also not found a way to achieve this. I was able to attach the safari dev console to the webview session but could not find anythig useful. Only was able to confirm that cookies not set.

MaikuB commented 10 months ago

Can't help you more than that as it's the SDK not this plugin that does the heavy lifting. I would think you can use Xcode to debug and step through their code. Perhaps the other thing to consider is if the server itself doesn't support providing the cookies needed

lazytesting commented 10 months ago

thanks @MaikuB for your help. I finally got my iOS debugger working and I can confirm that the ASWebAuthenticationSession is created and that the prefersEphemeralWebBrowserSession is set correctly so indeed not a problem in this package.