openid / AppAuth-iOS

iOS and macOS SDK for communicating with OAuth 2.0 and OpenID Connect providers.
https://openid.github.io/AppAuth-iOS
Apache License 2.0

SSO App & Website (Question) #508

Open merzchr opened 4 years ago

merzchr commented 4 years ago

Dear AppAuth-iOS Community, is there a possibility to remember my OIDC credentials when I'm switching between a native iOS app and the common Safari browser on my iOS device?

merzchr commented 4 years ago

Hi guys, I have to push this topic again. If someone is interested in a consulting project here, it would be great to get a message. Best, Christian

leviathan commented 4 years ago

Let's dissect this a bit, shall we?

When using AppAuth in your iOS App, you would start your authentication:

```swift
let authorizationRequest = OIDAuthorizationRequest(....)

OIDAuthState.authState(byPresenting: authorizationRequest) { authState, authError in
    // handle authState or error
}
```

Under the hood, this will use SFAuthenticationSession (iOS 11) or ASWebAuthenticationSession (iOS 12+). Both sessions will open a Safari View-Controller within the context of your app. This Safari instance has access to the global iOS cookie and session cache.

That's the same cookie and session cache that the default iOS Safari browser app is using. So, if your user is authenticating either in the Safari browser app or in your app (via the mentioned XY-AuthenticationSession), you will have access to the user's session.

Markus-Sky commented 4 years ago

Hi Leviathan,

But that is only true if it's a persistent cookie and not a session cookie. Also, if you somehow need to add web content inside of the app (in-app browsing with SafariViewController or WKWebView), that would not work either if we have SFAuthenticationSession (iOS 11) or ASWebAuthenticationSession (iOS 12+).

So for that case I don't see any solution, or does somebody have an idea how it would be possible to solve this?

merzchr commented 4 years ago

Hi Leviathan, Markus mentioned exactly my challenge :/ Best Christian

pertau commented 4 years ago

Hi, looks like I'm facing the same issue.

juancarlosdmz commented 4 years ago

Hi guys, Do you know if there is a way to not use SFSafariViewController and open Safari app instead?

vvavepacket commented 3 years ago

I second the above. The expectation is that when I log in on the iOS app and the WebView controller launches, it should have saved the cookie as persistent, so that when I access my web app on Safari, it should be able to read the cookie and log in automatically.

On AppAuth-Android, the behavior is working correctly. Only here in iOS the cookie is session based. Is there any configuration to make the cookie persistent?

dattran-pt19 commented 2 years ago

Hi guys, I am facing the same issue. Maybe someone has resolved this issue?

KevinGiacomino commented 1 year ago

Hi, did anyone find a solution, please?

lazytesting commented 6 months ago

I did quite some testing for SSO between browser and app using an ASWebAuthenticationSession and setting prefersEphemeralWebBrowserSession to false. Based on this article https://developer.okta.com/blog/2022/01/13/mobile-sso#sfauthenticationsession-or-aswebauthenticationsession-behavior and the Apple docs (https://developer.apple.com/documentation/authenticationservices/authenticating_a_user_through_a_web_service#3395310) that should be possible.

My reproduction path:

  1. using iPhone 15 Pro emulator, OS version 17.2
  2. take the example project (https://github.com/MaikuB/flutter_appauth/tree/master/flutter_appauth/example) and change preferEphemeralSession to be false (it's Flutter, but under the hood it uses AppAuth-iOS)
  3. open Safari on the emulator on https://demo.duendesoftware.com/Account/Login
  4. log in with bob/bob and check the 'remind me' box (important, otherwise you will get a session cookie)
  5. now there is a persistent cookie named idsrv with an age of 1 month
  6. open the example app
  7. click 'sign in no code exchange'
  8. now the login window is showing, while I would expect the persistent cookies to be present and Identity server to automatically redirect.

This is the ASWebAuthenticationSession when debugging:

[Image: Screenshot 2024-01-24 at 09 31 22]

Here is a comparison between the cookies in Safari vs. the cookies in the webview:

[Image: Screenshot 2024-01-24 at 11 25 34]

Conclusion: For some reason the cookies are not shared between Safari and the webview, but not sure why...
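
An added example, not part of the comment above and not the AppAuth-iOS project's own code: requesting a non-ephemeral session from Swift, so that ASWebAuthenticationSession is allowed to use the cookie store it shares with Safari. It assumes an AppAuth-iOS version that offers the `prefersEphemeralSession` initializer on `OIDExternalUserAgentIOS` (iOS 13+); `SharedSessionLogin` and its member names are hypothetical.

```swift
import AppAuth
import UIKit

/// Hypothetical helper: runs the authorization flow in a shared (non-ephemeral) browser session.
final class SharedSessionLogin {
    // AppAuth needs the in-flight session retained until the redirect comes back.
    private var currentFlow: OIDExternalUserAgentSession?

    func start(request: OIDAuthorizationRequest,
               presenter: UIViewController,
               completion: @escaping (OIDAuthState?, Error?) -> Void) {
        // false = do not ask for a private, throwaway cookie store. Cookies the
        // identity provider set as persistent in Safari can then be sent with
        // the authorization request; session cookies are a separate matter.
        guard let agent = OIDExternalUserAgentIOS(presenting: presenter,
                                                  prefersEphemeralSession: false) else {
            completion(nil, nil)   // no user agent could be created
            return
        }
        currentFlow = OIDAuthState.authState(byPresenting: request,
                                             externalUserAgent: agent) { [weak self] authState, error in
            self?.currentFlow = nil
            completion(authState, error)
        }
    }
}
```

With a shared session the system shows its consent prompt before the sign-in page opens, and whether the identity provider then skips its login form depends on the cookie it issued being persistent, as discussed earlier in the thread.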

johnkwaters commented 2 months ago

Any updates? I have the same issue: signed in with AppAuth, want to use the session cookie for SSO in an embedded webview.

KarlBusse commented 2 months ago

Regarding webviews: AppAuth isn’t going to help us with them, because its job is to avoid webviews like the plague.

Embedded user-agents do not share the authentication state with other apps or the browser. (RFC 8252 Section 8.12)

<Disclaimer: I have not done this, use these ideas at your own risk. I’ve just been sitting here noodling on it and putting some pieces together...and I think it ought to work something like this.>

Think of the webview as part of the native app. The app knows who the user is by virtue of the id token it received. The app can request resources from APIs using the access token it received. So, it follows that the webview should also make use of these tokens (since the webview is part of the native app.)

One could inform the webview of the access token by passing it in. (Example)

Then, it’s up to the webview to send the access token (JWT) to the website it wants to access. (MVC examples in these answers)
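
An added example, not part of the comment above and not the AppAuth-iOS project's own code: one way to hand a fresh access token to a WKWebView as a bearer header, restricted to an allow-list of HTTPS hosts so the token is never sent to another origin. The host `app.example.com` is a placeholder, and `WebViewTokenError`, `mayReceiveToken` and `loadAuthenticated` are hypothetical names; it also assumes the website accepts bearer tokens.

```swift
import AppAuth
import WebKit

enum WebViewTokenError: Error { case untrustedURL, noAccessToken }

/// Hosts that may receive the bearer token (placeholder value, an assumption).
let tokenAllowedHosts: Set<String> = ["app.example.com"]

/// True only for https URLs whose host is on the allow-list.
func mayReceiveToken(_ url: URL) -> Bool {
    guard url.scheme?.lowercased() == "https",
          let host = url.host?.lowercased() else { return false }
    return tokenAllowedHosts.contains(host)
}

/// Loads `url` in `webView` with a fresh access token in the Authorization header.
func loadAuthenticated(_ url: URL,
                       in webView: WKWebView,
                       using authState: OIDAuthState,
                       completion: @escaping (Error?) -> Void) {
    guard mayReceiveToken(url) else {
        completion(WebViewTokenError.untrustedURL)
        return
    }
    // performAction refreshes the access token first if it has expired.
    authState.performAction { accessToken, _, error in
        guard let accessToken = accessToken, error == nil else {
            completion(error ?? WebViewTokenError.noAccessToken)
            return
        }
        var request = URLRequest(url: url)
        request.setValue("Bearer \(accessToken)", forHTTPHeaderField: "Authorization")
        // WKWebView must be driven from the main thread; the callback's thread is not assumed.
        DispatchQueue.main.async {
            webView.load(request)
            completion(nil)
        }
    }
}
```

The header is set on this one request only; links the user follows inside the webview afterwards are ordinary requests without it.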

lazytesting commented 2 months ago

> Any updates? I have the same issue: signed in with AppAuth, want to use the session cookie for SSO in an embedded webview.

Are you testing on a real device or an emulator? For me it was working after all when testing on a real device.

afgarcia86 commented 2 months ago

I am having the same issue. I am using keycloak and appear to need the KEYCLOAK_IDENTITY cookie to persist or be available for my WKWebView.

I have tested on a real device with the latest version of keycloak.

TizzumT84 commented 2 months ago

No someone is testing on my device without my permission

Sent from my iPhone

On May 10, 2024, at 5:06 PM, John Waters @.***> wrote:

> Any updates? I have the same issue: signed in with AppAuth, want to use the session cookie for SSO in an embedded webview.
