xamarin / Xamarin.Auth

Xamarin.Auth
Apache License 2.0

Can't Bypass Self Signed Certificate on Xamarin.IOS #343

Closed terrencejames closed 5 years ago

terrencejames commented 5 years ago

Is there a way to bypass problems with connecting to a server using a self-signed certificate?

Version

Steps to reproduce

  1. Connect to a server URL using a self-signed certificate and the above code snippet
  2. After presenting the view controller, the error event is fired with a message similar to "The server you are connecting to is invalid..."
  3. Embedded web view is closed

Expected behaviour

Be able to bypass/trust the self-signed certificate; on Android this works fine without adding extra code.

Actual behaviour

No option to bypass/trust the self-signed certificate.

Comments

I tried using ServicePointManager.ServerCertificateValidationCallback but it does not work. Our app has its own HttpClient and handler for pinning self-signed certificates, but I noticed that in the Request class it is using its own HttpClient. If I override this class, I'm not sure where/how the OAuth2Authenticator will utilize my derived instance of Request/OAuth2Request.

terrencejames commented 5 years ago

Looks related to https://github.com/xamarin/Xamarin.Auth/issues/95 ?

terrencejames commented 5 years ago

It looks like the WkWebView should have a didReceiveAuthenticationChallenge handler... :P

Er, I meant the WkWebViewNavigationDelegate

terrencejames commented 5 years ago

I modified the source code to add this in the WkWebViewNavigationDelegate (I defaulted to using WkWebViews)

    // Accepts whatever trust object the server presents, without evaluating it.
    public override void DidReceiveAuthenticationChallenge(WKWebView webView, NSUrlAuthenticationChallenge challenge, Action<NSUrlSessionAuthChallengeDisposition, NSUrlCredential> completionHandler)
    {
        completionHandler(
            NSUrlSessionAuthChallengeDisposition.UseCredential,
            NSUrlCredential.FromTrust(challenge.ProtectionSpace.ServerSecTrust));
    }

I'm able to bypass the certificate error and the OAuth dialog shows, but after successfully logging in the app crashes with another certificate problem, but the authentication is shown to be successful. Let me know if you would like a stack trace.
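
A narrower variant of the delegate override above, added here as an example and not code from this thread or from Xamarin.Auth: it accepts the server trust only when the challenge is for one expected host and the leaf certificate's SHA-256 matches a pinned value, and otherwise defers to default handling or cancels. The class name, host and pin value are hypothetical placeholders.

```csharp
using System;
using System.Security.Cryptography;
using Foundation;
using Security;
using WebKit;

// Hypothetical delegate name; not a class from Xamarin.Auth.
public class PinnedTrustNavigationDelegate : WKNavigationDelegate
{
    // Placeholders: expected host and SHA-256 (hex) of the server certificate's DER bytes.
    const string PinnedHost = "auth.example.internal";
    const string PinnedSha256 = "<SHA-256-OF-YOUR-SERVER-CERT-DER>";
    // String value of the platform's server-trust authentication method constant.
    const string ServerTrustMethod = "NSURLAuthenticationMethodServerTrust";

    public override void DidReceiveAuthenticationChallenge(
        WKWebView webView, NSUrlAuthenticationChallenge challenge,
        Action<NSUrlSessionAuthChallengeDisposition, NSUrlCredential> completionHandler)
    {
        var space = challenge.ProtectionSpace;

        // Any other challenge type or host goes through the platform's normal validation.
        if (space.AuthenticationMethod != ServerTrustMethod
            || !string.Equals(space.Host, PinnedHost, StringComparison.OrdinalIgnoreCase))
        {
            completionHandler(NSUrlSessionAuthChallengeDisposition.PerformDefaultHandling, null);
            return;
        }

        // Pinned host: accept only the exact certificate that was pinned.
        var trust = space.ServerSecTrust;
        if (trust != null && trust.Count > 0 && LeafMatchesPin(trust[0]))
        {
            completionHandler(NSUrlSessionAuthChallengeDisposition.UseCredential,
                              NSUrlCredential.FromTrust(trust));
            return;
        }
        // Unknown certificate on the pinned host: refuse the connection.
        completionHandler(NSUrlSessionAuthChallengeDisposition.CancelAuthenticationChallenge, null);
    }

    static bool LeafMatchesPin(SecCertificate leaf)
    {
        using (var sha = SHA256.Create())
        {
            var hex = BitConverter.ToString(sha.ComputeHash(leaf.DerData.ToArray())).Replace("-", "");
            return string.Equals(hex, PinnedSha256, StringComparison.OrdinalIgnoreCase);
        }
    }
}
```

This only covers requests made by the web view; HTTP calls the library makes outside the web view are validated separately.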

Redth commented 5 years ago

Is there a particular reason you're using a self-signed certificate? This is generally considered a bad practice. Perhaps consider using something like Let's Encrypt to get a trusted signed cert?

Supporting self-signed certificates is not currently on our roadmap, sorry.