Open vinayatech opened 5 years ago
Seems related to this issue.
In a debug environment, you can tell AppAuth to bypass SSL cert validation by setting a custom NSURLSession and its delegate like this:

```swift
OIDURLSessionProvider.setSession(URLSession(configuration: .default, delegate: self, delegateQueue: nil))
```

Then implement this URLSessionDelegate's function to trust the certificate:

```swift
public func urlSession(_ session: URLSession, didReceive challenge: URLAuthenticationChallenge, completionHandler: @escaping (URLSession.AuthChallengeDisposition, URLCredential?) -> Swift.Void) {
    // Debug only: accepts whatever certificate the server presents, without validation.
    completionHandler(URLSession.AuthChallengeDisposition.useCredential, URLCredential(trust: challenge.protectionSpace.serverTrust!))
}
```
Also, as you said, you'll need to install and trust the root certificate on your devices/simulators to be able to load the authorization page within the Safari tab.
I hope it helps!
@julienbodet I am using AppAuth for iOS and need to implement a certificate pinning feature. I was trying with your solution to use "OIDURLSessionProvider" but could not find the OIDURLSessionProvider class in the AppAuth SDK.
Could you please elaborate on this further?
Thanks in advance!!
You'll find it here.
The link is dead, unfortunately, and there is no documentation I could find on how to disable the SSL certificate check for a dev-mode server. Any recommendation on where to use this OIDURLSessionProvider.setSession actually?
This is in particular related to an issue that we are facing currently. The OAuth provider's SSL certificate is probably ill-formed when received by the SDK, as in only the leaf node (domain) is received after a curl command instead of the entire chain.
However, this setup is in a development environment and the SSL certs applied on the domain aren't public certs by the Certificate Authority but internal bank-issued certs (Root, Intermediate, Domain) that are put in the keychain and the simulator's trust store. My queries are around the following
I'm asking in particular considering the limited knowledge on SSL certs and validation within :)
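
For the internal-CA setup described in the last comment, and as a narrower alternative to the trust-everything delegate quoted at the top of the thread, here is an added example (not code from the thread or from AppAuth itself) of a debug-only delegate that accepts the server only when its chain validates against one bundled root certificate. The resource name `InternalRootCA.der`, the class name and `installInternalCATrust()` are assumptions; `OIDURLSessionProvider.setSession` is used as shown in the comment above.

```swift
import Foundation
import Security
import AppAuth

// Added example: trusts one bundled internal root CA instead of every certificate.
// "InternalRootCA.der" (DER-encoded root) is a hypothetical resource name.
final class InternalCATrustDelegate: NSObject, URLSessionDelegate {
    private let anchor: SecCertificate

    init?(resource: String = "InternalRootCA", bundle: Bundle = .main) {
        guard let url = bundle.url(forResource: resource, withExtension: "der"),
              let der = try? Data(contentsOf: url),
              let cert = SecCertificateCreateWithData(nil, der as CFData) else { return nil }
        anchor = cert
        super.init()
    }

    func urlSession(_ session: URLSession,
                    didReceive challenge: URLAuthenticationChallenge,
                    completionHandler: @escaping (URLSession.AuthChallengeDisposition, URLCredential?) -> Void) {
        // Only server-trust challenges are handled here; everything else goes to the system.
        guard challenge.protectionSpace.authenticationMethod == NSURLAuthenticationMethodServerTrust,
              let trust = challenge.protectionSpace.serverTrust else {
            completionHandler(.performDefaultHandling, nil)
            return
        }
        // Evaluate against the bundled root only, not the system trust store.
        SecTrustSetAnchorCertificates(trust, [anchor] as CFArray)
        SecTrustSetAnchorCertificatesOnly(trust, true)
        var error: CFError?
        if SecTrustEvaluateWithError(trust, &error) {
            completionHandler(.useCredential, URLCredential(trust: trust))
        } else {
            // Chain does not lead to the bundled root, or another policy check failed: reject.
            print("Server trust rejected: \(String(describing: error))")
            completionHandler(.cancelAuthenticationChallenge, nil)
        }
    }
}

#if DEBUG
// Call once before starting an AppAuth request; compiled out of release builds.
func installInternalCATrust() {
    guard let delegate = InternalCATrustDelegate() else { return }
    OIDURLSessionProvider.setSession(
        URLSession(configuration: .default, delegate: delegate, delegateQueue: nil))
}
#endif
```

The host-name policy that URLSession attaches to the trust object stays in force, so a certificate issued for a different domain is still rejected. The logged error states why evaluation failed, which helps when the server's chain is suspected to be incomplete.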