Closed krishnakanthjb closed 8 years ago
Hey @krishnakanthjb our apps don't currently support SSO.
Our application server is enabled with PingOne SSO. Is there any possibility to leverage the same from the mobile application?
Hi @krishnakanthjb our apps currently don't support SSO. If that's something you want to implement, I'm happy to provide guidance. I haven't looked at it closely, but I would estimate it to be one or two weeks of work.
Hi Aleffert.
Sorry for the late reply.
We are trying to use certificate-based authentication. Following are the steps that we are following from the edx mobile application.
Step 1: Mobile app will open the URL in Safari.
Step 2: Safari will authenticate the user using certificate-based authentication and receive the auth token and the user info.
Step 3: Safari will send the auth token and user details to the edx native mobile app using the URL schema.
Step 4: App will handle/parse the auth token and user details.
Step 5: Need to use this token/user details in the REST APIs within the mobile application to view the user-specific data.
Sample URL: https://domain/api/mobile/v0.5/users/USERNAME/course_enrollments/
Assuming that the URL should also take the authentication token, but as of now it is not there. Please confirm on this.
Does the user need to be authenticated from the app before accessing the REST API?
Please confirm on this approach.
Also let us know if any more details are required.
Thanks in advance.
Hi @krishnakanthjb That sounds to me like what you'll need to do, but I am not an expert on SSO, so there may be weird edge cases I don't know about.
Most REST API endpoints need the user to be authenticated first. The login and register endpoints are exceptions. That means when we make a URL request we already include an oauth token. You'll need to connect your URL handler that receives the token from Safari to the place where we set up the access token (see OEXSession and OEXAccessToken).
Thanks for the reply. A few queries: I didn't observe the session getting reused for the other APIs.
Current API: https://domain/api/mobile/v0.5/users/admin/course_enrollments/?format=json
Also we are using v1.0 since the server is cypress/nginx.
So please confirm whether it will work if we assign the new token in OEXSession and OEXAccessToken.
Also let us know, will it have any effect while enabling the social network frameworks, if we enable them in future?
Can you please let us know if there are any guidelines/sample code to set up the token in OEXSession and OEXAccessToken?
@krishnakanthjb which session are you talking about? Maybe you can give me some more detailed examples.
There shouldn't be any problem with enabling the social logins later (though make sure you are branched off v1.0.6 not v1.0). The way the system works, once you have a token it shouldn't matter where it came from.
We want to bypass the sign in/sign up page and want to replace the token with the new authentication token that we are receiving from our server. So we want to know: if we assign the new token to the token property in the OEXAccessToken class, will the enrolled courses and videos work properly?
If yes, please let us know the best way of assigning the token in the OEXAccessToken class.
Thanks in advance....
And will it be possible to have some working session to implement the SSO in edx mobile app?
@krishnakanthjb I would encourage you to look at OEXAuthentication and try to copy what is done for google and facebook. That code is kind of ugly and I'm hoping to refactor it at some point, but it's what we have for now. If you have a valid oauth token everything should just work. I don't know enough
How do you picture a working session going? What time zone are you in?
Thanks for the reply. We were able to assign the token; the token is generated by the nginx server. But we were not able to get the response if we assign the SAML token which is coming from the PING SSO, which is large.
Following is the error details: Bad Request
Error parsing headers: 'limit request headers fields size'
Status Code: 400 Bad Request
Connection: keep-alive
Content-Length: 179
Content-Type: text/html
Date: Fri, 19 Feb 2016 09:16:41 GMT
Server: nginx/1.4.6 (Ubuntu)
Please suggest if this needs to be fixed from the server side or from the iOS code.
I work in IST time zone, but I am open to have a working session as per your availability....
Thanks for your help as always..
Hi @krishnakanthjb, I think you need to convert your SAML token into an oauth token. If you look in OEXAuthentication you can see us doing similar things for google and facebook, where we take the token from an external service and call the /oauth2/exchange_access_token/{backend}/ endpoint to exchange that token for an edx oauth token. You'll note that the external token is sent as a POST argument so it never ends up in a header.
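The exchange described in the reply above, sketched as an added example that is not part of the original thread or the edX code base: it builds the POST to `/oauth2/exchange_access_token/{backend}/` with the external token in the form body, and shows why the same token fails as a bearer header. The form field names (`access_token`, `client_id`), the 8190-byte header limit, the host and the backend name are assumptions; the tokens are constructed sample values.

```python
import base64
import os
from urllib.parse import quote, urlencode
from urllib.request import Request

# Assumed per-header size limit; use the value your proxy/app server enforces.
ASSUMED_HEADER_LIMIT = 8190


def bearer_header_size(token: str) -> int:
    """Bytes taken by an 'Authorization: Bearer <token>' header line."""
    return len(f"Authorization: Bearer {token}\r\n".encode("ascii"))


def fits_in_header(token: str, limit: int = ASSUMED_HEADER_LIMIT) -> bool:
    """True if the token can be sent as a bearer header under the limit."""
    return bearer_header_size(token) <= limit


def build_exchange_request(base_url: str, backend: str, external_token: str,
                           client_id: str) -> Request:
    """Build the POST that trades an external token for an edX OAuth token.

    The external token travels in the form body, never in a header or URL.
    Field names 'access_token' and 'client_id' are assumptions.
    """
    if not base_url.startswith("https://"):
        raise ValueError("token exchange must go over HTTPS")
    # Percent-encode the backend so it cannot alter the request path.
    path = f"/oauth2/exchange_access_token/{quote(backend, safe='')}/"
    body = urlencode({"access_token": external_token, "client_id": client_id})
    return Request(base_url.rstrip("/") + path, data=body.encode("ascii"),
                   method="POST",
                   headers={"Content-Type": "application/x-www-form-urlencoded"})


# Constructed stand-in for a large SAML assertion (random bytes, base64-encoded).
SAMPLE_SAML_TOKEN = base64.b64encode(os.urandom(12000)).decode("ascii")
# Constructed stand-in for the short OAuth token returned by the exchange.
SAMPLE_OAUTH_TOKEN = "constructed-oauth-token-0123456789"

if __name__ == "__main__":
    req = build_exchange_request("https://lms.example.com", "example-backend",
                                 SAMPLE_SAML_TOKEN, "example-client-id")
    print(req.get_method(), req.full_url)
    print("SAML token fits in header:", fits_in_header(SAMPLE_SAML_TOKEN))
    print("OAuth token fits in header:", fits_in_header(SAMPLE_OAUTH_TOKEN))
```

Only the short OAuth token returned by the exchange should then go into the `Authorization` header of later API calls.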
In our case the backend name is tap-SAML, which is not accepted by this API.
@krishnakanthjb What do you mean by not accepting? Do you mean that the API doesn't work even though you think it should? Or do you mean it goes through a different path entirely so it doesn't matter?
If the API isn't working, you might have better luck asking on the openedx slack.
Has there been any progress on integrating SSO over the past few months or is third party auth using OAuth still the best option?
I'm interested in helping out if I can.
Thanks!
We are converting the SAML token to Auth token and passing to the APIs.
It is working as expected.
@krishnakanthjb
> We are converting the SAML token to Auth token and passing to the APIs.

Can you point me to your code which does this for a SAML TPA provider? I dug through the branches on your fork and couldn't find any which did this.
@jaimeohm There's an edX meeting agenda that mentioned Appsembler is looking into this too -- do you have any code, resources, or lessons learned to share?
@pomegranited I don't, it dropped in priority. This has been reopened as an issue here, though. https://github.com/edx/edx-app-ios/issues/954 cc @krishnakanthjb
Could you please let us know how to implement SSO for the edx-iOS applications?
Similar to web : http://edx.readthedocs.org/projects/edx-installing-configuring-and-running/en/latest/configuration/tpa/