auth0-samples / auth0-xamarin-oidc-samples

Auth0 OIDC Client with Xamarin applications
MIT License

Popup message handling #48

Closed blmiles closed 1 year ago

blmiles commented 1 year ago

Issue Report

See below

Description

Every time the login browser launches, this message appears. This is rather annoying and certainly detracts from users registering, even for beta testers!

iOSLoginWarning

So, on the off chance anyone HERE has any workaround or a way to suppress this, that would be most useful!

Wonder if Auth0 could extend the Auth0Client.LoginAsync(); to accept username and/or email address and pwd, encrypt and do whatever is needed, use the already configured connection criteria/params and login/register the user.

That way devs can build a native login and/or registration screen and NOT deal with this petty annoying popup from iOS and similar in Android.

Might have to reconsider using Auth0 if this cannot be changed or an alternative login/registration method provided.

Steps to reproduce the problem

Just use the mobile plugin library for Xamarin iOS and Android.

Language / Framework Versions

C# Xamarin Forms iOS and Android

Testing environment

iOS and Android

Screenshots


frederikprijck commented 1 year ago

Thanks for reaching out.

The popup is something we can't control, it's iOS specific.

You can enable ephemeral sessions on iOS to get rid of the popup, but that also disables SSO.

Our SDK currently only supports the Authorization Code Flow, which is the recommended flow to use.

Resource owner grant is not recommended, and not something we support in Xamarin.

That said, you should be able to implement this yourself outside of the SDK, if that's what you want to use. We have Auth0.NET, our dotnet SDK that doesn't provide end-2-end authentication, but provides you with building blocks to build whatever you like, including resource owner flow.

However, keep in mind this isn't recommended, nor secure for mobile devices; the Authorization Code flow is.

blmiles commented 1 year ago

Frederik, thanks for your response!

Yes, I know it's from iOS. Was hoping I'd be able to build reg/login screens and submit credentials from that to an API you guys have. IF registration and/or logins can be handled from a screen or form in an app, that would be helpful.

I'll look into options you mention.

IF you have any link regarding ephemeral sessions, that'd be helpful. I'll search on that anyway...

thanks again

frederikprijck commented 1 year ago

> Was hoping I'd be able to build reg/login screens and submit credentials from that to an API you guys have. IF registration and/or logins can be handled from a screen or form in an app, that would be helpful.

Both of these are not possible using this SDK. This SDK only supports logging in using the recommended redirect-based flow. Using username/password from within your app is what I referred to before as resource owner grant, which is not recommended, and is even being considered to not be included in OAuth 2.1.

Having said that, both of the above (logging in and registering) are possible using the Auth0.NET SDK. You can use the AuthenticationApi package from it to login using the resource owner grant, so username/email and password. It's not called login though, but getTokenAsync, as you are retrieving a token using username and password, see our docs.

It also has a method to register users.

Do note that if you require a secret, you do not want to expose this in your client. So you typically want to proxy a login/token retrieval through your own API, in which you can store a secret and call the Auth0 API accordingly.

Regarding ephemeral sessions, you can have a look at https://developer.apple.com/documentation/foundation/urlsessionconfiguration/1410529-ephemeral. For our SDK specifically, you can look into https://auth0.github.io/auth0-oidc-client-net/api/Auth0.OidcClient.ASWebAuthenticationSessionOptions.html#Auth0_OidcClient_ASWebAuthenticationSessionOptions_PrefersEphemeralWebBrowserSession, so basically using:

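```csharp
using Auth0.OidcClient;

var client = new Auth0Client(new Auth0ClientOptions
{
  Domain = "YOUR_AUTH0_DOMAIN",
  ClientId = "YOUR_AUTH0_CLIENT_ID",
  // iOS only: use ASWebAuthenticationSession as the login browser.
  Browser = new ASWebAuthenticationSessionBrowser(
    new ASWebAuthenticationSessionOptions
    {
      // Ephemeral session: no shared cookies with Safari, so no
      // consent popup, but also no Single Sign On.
      PrefersEphemeralWebBrowserSession = true
    }
  )
});
```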

However, do note that this does not support Single Sign On, but it should get rid of the popup.
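The proxy arrangement described in the comment above (the client secret stays on your own API, never in the mobile app), sketched as an added example that is not code from this thread or from the Auth0 SDKs. It assumes an ASP.NET Core minimal API with the Auth0.AuthenticationApi package; the `/login` route, the `LoginRequest` record, the environment variable names and the connection name are assumptions made for illustration.

```csharp
using Auth0.AuthenticationApi;
using Auth0.AuthenticationApi.Models;
using Auth0.Core.Exceptions;

var app = WebApplication.CreateBuilder(args).Build();

// Secrets come from the server's environment (assumed variable names).
// The mobile app never sees AUTH0_CLIENT_SECRET.
string Env(string name) => Environment.GetEnvironmentVariable(name)
    ?? throw new InvalidOperationException($"{name} is not set");
var clientId = Env("AUTH0_CLIENT_ID");
var clientSecret = Env("AUTH0_CLIENT_SECRET");
var auth0 = new AuthenticationApiClient(new Uri($"https://{Env("AUTH0_DOMAIN")}"));

// Hypothetical endpoint the native login screen posts to over HTTPS.
app.MapPost("/login", async (LoginRequest body) =>
{
    if (string.IsNullOrWhiteSpace(body.Username) || string.IsNullOrEmpty(body.Password))
        return Results.BadRequest();
    try
    {
        // Resource owner password grant, performed server-side.
        var token = await auth0.GetTokenAsync(new ResourceOwnerTokenRequest
        {
            ClientId = clientId,
            ClientSecret = clientSecret,
            Realm = "Username-Password-Authentication", // assumed connection name
            Scope = "openid profile",
            Username = body.Username,
            Password = body.Password
        });
        // Return only what the app needs; do not log the request body.
        return Results.Ok(new { token.AccessToken, token.IdToken, token.ExpiresIn });
    }
    catch (ErrorApiException)
    {
        // Same response for every Auth0 rejection, so the endpoint
        // does not reveal whether the username exists.
        return Results.Unauthorized();
    }
});

app.Run();

record LoginRequest(string Username, string Password);
```

Because this endpoint accepts raw passwords, it needs the same rate limiting and brute-force protection as any login form.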