okta / okta-oidc-ios
Okta with AppAuth
License: Other
I'm not sure what's happening with signOutFromOkta, but it's clear there are some versioning issues. When I updated to the latest pod and try to use the method signOutFromOkta as documented in the Readme file, it's not found. Then I looked at the example project and it uses a method named signOutOfOkta. When I look at its pod files, while supposedly being the same version they are quite different. For example:
My Pods -
Using AppAuth (0.91.0)
Installing HydraAsync (1.0.2)
Installing OktaAuth 1.0.1 (was 0.3.0 and source changed to `https://github.com/CocoaPods/Specs.git` from `https://github.com/cocoapods/specs.git`)
Installing OktaJWT (1.0.0)
Installing Vinculum (0.2.0)
OktaAppAuth.swift lines 29-42
// Token manager
public var tokens: OktaTokenManager?
public func login(_ username: String, password: String) -> Login {
// Authenticate via Resource Owner Password Grant
return Login(forUsername: username, forPassword: password)
}
public func login() -> Login {
// Authenticate via authorization code flow
return Login()
}
public func isAuthenticated() -> Bool {
Example Project Pods -
Installing HydraAsync (1.2.1)
Installing OktaAppAuth (1.0.0.beta-okta)
Installing OktaAuth (1.0.1)
OktaAppAuth.swift lines 29-42
public var tokens: OktaTokenManager?
public func login() -> Login {
// Authenticate via authorization code flow
return Login()
}
public func signOutOfOkta() -> Logout {
// End the Okta session
return Logout()
}
public func isAuthenticated() -> Bool {
So, it looks like there is signOut in the example, and looking through the source in the master repo it's there as well, but it's not the same code as the Readme, or the publicly available pod. And the example has obviously different dependencies. (Updated HydraAsync, OktaAppAuth, no Vinculum). Maybe the cocoapod isn't pointing to the latest code, I'm not sure.
See #108, we aren't giving developers good error information if the plist is invalid.
Hello,
I'm finding problems related to expired tokens.
Let's say I grab a token at 10am. That token expires at 11am (1 hour later) but I can use the refresh token to grab a new access token.
Example situations I've run into:
I kill my app at 10:15am and launch it again at 10:30am. In OktaAuth.isAuthenticated() it properly loads the previously created access token as expected and the app works as normal.
I leave my app open until 11am, when I check the validity of my token. I see it has expired. I then call OktaAuth.refresh().then etc. etc. and as expected I successfully get an access token. Everything works great for my app until I kill it and launch it again. OktaAuth now has a problem retrieving tokens in the OktaAuth isAuthenticated() function even though I was able to successfully refresh the access token. It fails at unarchiving the Token Manager and thus I cannot refresh the auth token.
After authenticating at 10am I close my app at 10:15am, still with an access token expiration date of 11am. I launch it at 11:15am, which would mean that my access token expired 15 minutes earlier, so I would expect to be able to use the refresh token to get a fresh access token, but as I found in the previous situation, upon trying to unarchive the token manager it fails to set the tokens and thus there is no refresh token to use.
This has basically made our app very hard to use, as okta-sdk-appauth-ios has a hard time reloading its tokens once they have expired on a fresh launch, thus causing each of our users to have to log in nearly every time they use the app.
Have the Okta engineers validated that they are able to successfully refresh the app from a cold start with an access token expired?
Thanks
Currently the OktaKeychain methods are not available due to being internal functions. At the very least, the get method should be public.
This creates the ability to:
- read the accessToken, idToken, or authState on app boot
- create an OktaTokenManager object based on the stored authState (since it is currently only created on successful authorization)
In short, you should be able to show/hide the login via:
if let authState = OktaKeychain.get("oktaAuthContext") {
// Set the current session based on previous auth context
OktaAuth.tokens = OktaTokenManager(authState)
} else {
// User is not logged in. Perform the login flow
}
Sweep through readme and code to make sure labels and placeholders follow the pattern here: https://oktawiki.atlassian.net/wiki/spaces/UX/pages/470681125/Developer+Experience+-+Okta+Domain+Labels
- https://{yourOktaDomain} (not https://{yourOktaDomain}.com)
- {clientId}
- {clientSecret}
- {scheme}
Warning on Xcode 9.2
Copied from the devForum:
When calling the isAuthenticated method, it is crashing at
guard let previousState = NSKeyedUnarchiver
.unarchiveObject(with: encodedAuthState.value) as? OktaTokenManager else { return false }
It seems to crash when the access token is expired, because whenever I call the method after a fresh install and get an access token, it works well. However after an hour (that's when our token expires), it crashes. The only way to get around it is to reinstall the app, which means this SDK can't be used at all.
I just updated to 1.0.1 from 0.3.0, made the very minor code changes to accommodate the Hydra promise flow. Made the changes needed to the Okta.plist. Made the switch to point my pods to this repo, instead of the out of date Cocoapods version. And now "Sign In" is just hanging. I can put in the user name and password and then I get a permanent hang on this screen. At this point in the code, I don't have control of the screen, so I don't think the error is in my code. And I've confirmed everything is working as expected when I roll back the code, so I don't think there is something wrong with the service.
My only hunch is that it's something wrong with the callback into the app.
I'll keep digging.
With #87, we are adding the ability to sign out of Okta (end the Okta session). We also need to add and document a method for signing out of the app (destroying the user's tokens). This method should:
- clearAuthState()
We should give developers the ability to skip (2), the revocation, if they do not want to incur a network request. However, the default should be true (revoke).
Note that the user may have an access token and may have a refresh token, but they will not always have one or both. This method must check to see whether either of those token types are stored, and revoke them if they exist and if the developer did not pass a parameter to disable revocation.
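An added example of the sign-out-of-app method specified above, written here in Python rather than taken from the SDK: revocation is on by default and skippable by parameter, only the token types actually stored are revoked, and local state is cleared either way. The token store layout and the injected revoke call are my assumptions so that the example runs offline.

```python
# Added example, not code from okta-oidc-ios: the "sign out of the app" method
# specified above, with revocation on by default and skippable by parameter.
# Assumptions (mine): tokens live in a dict-like store; the revoke call is
# injected so the example runs offline; a revoke failure does not stop the
# local state from being cleared, but is reported afterwards.
from typing import Callable, Dict, List, Optional


class RevocationError(Exception):
    """One or more revocation requests failed; local state was still cleared."""


def revocation_request(token: str, token_type_hint: str) -> Dict[str, str]:
    """Form body of an RFC 7009 revocation request (client auth is separate)."""
    return {"token": token, "token_type_hint": token_type_hint}


def sign_out_of_app(store: Dict[str, Optional[str]],
                    send_revoke: Callable[[Dict[str, str]], bool],
                    revoke: bool = True) -> List[str]:
    """Destroy the user's tokens on this device.

    Checks which of access_token / refresh_token are actually stored (either,
    both or neither may be present), revokes each stored one unless the caller
    disabled revocation, then clears the auth state. Returns the hints of the
    tokens that were revoked."""
    revoked: List[str] = []
    failed: List[str] = []
    if revoke:
        for hint in ("access_token", "refresh_token"):
            token = store.get(hint)
            if not token:
                continue  # nothing stored for this token type: skip it
            if send_revoke(revocation_request(token, hint)):
                revoked.append(hint)
            else:
                failed.append(hint)
    # clearAuthState(): always drop local copies, even if a network call failed
    for key in ("access_token", "refresh_token", "id_token", "auth_state"):
        store[key] = None
    if failed:
        raise RevocationError(f"revocation failed for: {failed}")
    return revoked
```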
I've created this repo as a place for official iOS samples: https://github.com/okta/samples-ios
It will be modeled similar to: https://github.com/okta/samples-js-angular
- browser-signin
- native-signin (this will contain #83)

The OktaJWTVerifier.isIssuedInFuture returns true if the iat is valid.
In OktaJWT.swift it is returning an error when the iat is valid.
Current code:
if OktaJWTVerifier.isIssuedInFuture(jwt.payload.issuedAt, leeway: self.validatorOptions["leeway"] as? Int) { throw OktaJWTVerificationError.IssuedInFuture }
Fixed Code:
if !OktaJWTVerifier.isIssuedInFuture(jwt.payload.issuedAt, leeway: self.validatorOptions["leeway"] as? Int) { throw OktaJWTVerificationError.IssuedInFuture }
I get errors validating tokens because authentication does not happen against the authorization server for my app.
How can I set the authorization server?
Any chance this is fixed in pull request #12 ?
OktaAuth.login()
UserInfo={NSLocalizedDescription={"error":"invalid_client","error_description":"Client authentication failed. Either the client or the client credentials are invalid."}}}}
I'm really confused. I'm sure what I input is right and the client id is valid.
Later, I tried hardcoding the email and password phrases, and I can login successfully.
OktaAuth.login(m_email, password: mPassword)
I don't know why I cannot login by webview.
Can anyone help me?
We should make sure we are not passing optionals here: OktaLogin.swift#L53-L56
Note: Please contact [email protected] for this feature.
Currently, this repo contains both the SDK and a demo app. This gets a little confusing because it's hard to tell how they are separated. We are publishing https://github.com/okta/samples-ios soon, which will be a clear home for all samples going forward.
We should:
Please collaborate with @IldarAbdullin-okta to determine the best way to do this.
SDK should be able to store tokens securely via the iOS Keychain (w/ or w/o iCloud)
Some developers need to pass additional parameters to the /authorize route (browser sign-in), such as:
- login_hint (parameter, string)
- state value (string)
Unlike values like issuer and scopes, these parameters will not be stored in Okta.plist. We should make it possible to pass parameters to the browser sign-in method.
File: OIDAuthState.h
Method:
OIDTokenRequest *tokenExchangeRequest = [authorizationResponse tokenExchangeRequest];
Kindly provide support for additionalParameters. Everywhere the value is passed as nil.
Remove the OktaAuth.login(username: string, password: string) method and any samples/documentation relating to configuring a clientId. #82 is the replacement.
When AppAuth supports logout, we'll support it in this library (#7). In the mean time, it would be useful to have the option to forcibly ignore whether the user already has a session on the server (adding the prompt=login parameter on the /authorize request).
We should add a boolean forceLogin parameter to the login() method.
Please update to support Swift 4.2.
Remove HydraAsync code
We are integrating Okta into our mobile applications. We are following the resource owner password flow and using the Okta SDK (https://github.com/okta/okta-sdk-appauth-ios).
In the documentation (readme) it says that if using the Resource Owner Password Grant, you must specify the clientSecret in Okta.plist. But it also mentions: IMPORTANT: It is strongly discouraged to store a clientSecret on a distributed app. Please refer to OAuth 2.0 for Native Apps for more information.
So how can we set/update the clientSecret from the code (programmatically)? I could not find any method to set clientSecret in the SDK.
If we are using Okta.plist, then how do we change the endpoints, clientSecret etc. for different environments?
// Build the Authentication request
let request = OIDTokenRequest(
configuration: oidConfig,
grantType: grantType,
authorizationCode: authCode,
redirectURL: URL(string: redirectUri)!,
clientID: clientId,
clientSecret: clientSecret,
scopes: Utils.scrubScopes(config["scopes"]),
refreshToken: refreshToken,
codeVerifier: nil,
additionalParameters: additionalParams
)
// Build the Authentication request
let request = OIDAuthorizationRequest(
configuration: oidConfig,
clientId: clientId,
scopes: Utils.scrubScopes(config["scopes"]),
redirectURL: URL(string: redirectUri)!,
responseType: OIDResponseTypeCode,
additionalParameters: Utils.parseAdditionalParams(config)
)
Change to:
redirectURL: URL(string: redirectUri.addingPercentEncoding(withAllowedCharacters: NSCharacterSet.urlQueryAllowed)!)!,
The latest released version of AppAuth is 0.95.0: https://github.com/openid/AppAuth-iOS/releases/tag/0.95.0
The /logout endpoint can be passed tokens that are expired, and if we continue to throw an error when the token expires, it becomes impossible to terminate the Okta session.
I propose we return expired tokens (remove this conditional and the check here), but add the exp logic to our isAuthenticated method.
Originally posted by @jmelberg-okta in #80
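An added example (Python, not the library's Swift) covering two of the issues above: the isIssuedInFuture check with leeway, in the sense the caller in OktaJWT.swift expects, and a token store that hands back expired tokens for /logout while the exp check lives in isAuthenticated. The injected `now`, the leeway-in-seconds convention and the dict-shaped claims are my assumptions.

```python
# Added example, not code from okta-oidc-ios: the JWT time checks discussed in
# the isIssuedInFuture issue and the "return expired tokens" proposal above.
# Assumptions (mine): 'now' and 'leeway' are integer seconds, leeway defaults
# to 0, and tokens are dicts carrying numeric iat/exp claims.
from dataclasses import dataclass
from typing import Optional


class IssuedInFuture(Exception):
    """Raised when a token's iat lies beyond now + leeway."""


def is_issued_in_future(iat: int, now: int, leeway: Optional[int] = None) -> bool:
    """True only when iat is in the future by more than the leeway.

    A True result means the token must be rejected, so the caller can use the
    un-negated check `if is_issued_in_future(...): raise` without inversion."""
    return iat > now + (leeway or 0)


def is_expired(exp: int, now: int, leeway: Optional[int] = None) -> bool:
    """True when exp has passed (now must be strictly before exp + leeway)."""
    return exp + (leeway or 0) <= now


def verify_issue_time(payload: dict, now: int, leeway: Optional[int] = None) -> None:
    """Reject tokens issued in the future; raises IssuedInFuture, else returns."""
    if is_issued_in_future(payload["iat"], now, leeway):
        raise IssuedInFuture(f"iat {payload['iat']} is after now {now} (+{leeway or 0}s)")


@dataclass
class TokenStore:
    """Keeps tokens and returns them regardless of exp, so that a /logout call
    can still be given an expired token; freshness is judged separately."""
    access_token: Optional[dict] = None

    def get_access_token(self) -> Optional[dict]:
        return self.access_token  # deliberately no exp filtering here

    def is_authenticated(self, now: int, leeway: Optional[int] = None) -> bool:
        """The exp logic lives here, as the proposal above suggests."""
        tok = self.access_token
        return tok is not None and not is_expired(tok["exp"], now, leeway)
```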
UPDATED: I was going to upgrade to the 1.0.1 pod for our app, and when I installed the updated pod and made the required code changes, login no longer functions. Nothing happens. Even when using the given code sample. Neither print statement ever fires.
OktaAuth
.login()
.start(self)
.then { tokens in
print(tokens)
}
.catch { error in
print(error)
}
Here's my other pods and versions:
Using AppAuth (0.91.0)
Using BNRDeferred (4.0.0-beta.3)
Using CFAServices (0.2.0)
Using GoogleAnalytics (3.17.0)
Using HockeySDK (5.1.4)
Using HydraAsync (1.0.2)
Using KeychainAccess (3.1.2)
Using OktaAuth (1.0.1)
Using OktaJWT (1.0.0)
Using SwiftLint (0.29.3)
Using UrbanAirship-iOS-SDK (10.0.3)
Using Vinculum (0.2.0)
Write tests for OktaKeychain.swift
Pod name should be okta-sdk-appauth-ios instead of OktaAuth.
I set everything up as per the readme file and it works as expected. However, when trying to run Swift UI tests, as soon as you click on the login or password field, Xcode crashes.
In the class OktaAuth.swift, method authCodeFlow, when creating the OIDAuthorizationRequest the clientSecret is not added.
To fix it, you have to get it:
let clientSecret = config["clientSecret"]
and then:
OIDAuthorizationRequest(configuration: oidConfig,
clientId: clientId,
clientSecret: clientSecret,
scopes: Utils.scrubScopes(config["scopes"]),.....
Some customers can't use the AppAuth pattern (opening a browser and handling a callback to the app) because they want to have complete control over the UI/UX of the login experience. In other words, they want to have a totally native, in-app UI for login. The SDK will need a number of improvements to support this.
Before building the full solution, we should build a demo to validate that the proposed flow against Okta makes sense. This demo does not need to use the existing SDK.
Here is the login flow:
- Authenticate against the Authentication API and obtain a sessionToken.
- Call /authorize with &sessionToken= set to the value of the sessionToken from the Authentication API response. Include scope offline_access to request a refresh token.
- Receive the authorization code on the callback: {redirectUri}?code=foobar
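An added example, not the SDK's code, composing the /authorize request for the sessionToken flow above together with the extra parameters other issues on this page ask for (login_hint, state, prompt=login, idp), and validating the {redirectUri}?code=... callback; it goes slightly beyond the flow as written by also sending a PKCE S256 challenge, as a native app should. The "<issuer>/v1/authorize" layout and every sample value are assumptions of mine.

```python
# Added example, not code from okta-oidc-ios: build the /authorize URL for the
# sessionToken flow, carry caller-supplied extras without letting them override
# the parameters the SDK owns, and check the callback's state before trusting
# its code. Assumed: Okta's "<issuer>/v1/authorize" path and all sample values.
import base64
import hashlib
import secrets
from typing import Dict, Iterable, Optional, Tuple
from urllib.parse import parse_qs, urlencode, urlsplit

# parameters the SDK owns; caller-supplied extras may not override them
RESERVED = {"client_id", "response_type", "scope", "redirect_uri", "state",
            "code_challenge", "code_challenge_method", "sessionToken"}


def make_pkce() -> Tuple[str, str]:
    """Return (code_verifier, S256 code_challenge) per RFC 7636."""
    verifier = base64.urlsafe_b64encode(secrets.token_bytes(32)).rstrip(b"=").decode()
    digest = hashlib.sha256(verifier.encode("ascii")).digest()
    return verifier, base64.urlsafe_b64encode(digest).rstrip(b"=").decode()


def build_authorize_url(issuer: str, client_id: str, redirect_uri: str,
                        scopes: Iterable[str], state: str, code_challenge: str,
                        session_token: Optional[str] = None,
                        additional: Optional[Dict[str, str]] = None) -> str:
    extra = dict(additional or {})
    clash = RESERVED & extra.keys()
    if clash:
        raise ValueError(f"additional parameters may not override {sorted(clash)}")
    params = {"client_id": client_id, "response_type": "code",
              "scope": " ".join(scopes), "redirect_uri": redirect_uri,
              "state": state, "code_challenge": code_challenge,
              "code_challenge_method": "S256", **extra}
    if session_token is not None:  # native sign-in: Okta skips its login page
        params["sessionToken"] = session_token
    return f"{issuer}/v1/authorize?{urlencode(params)}"


def parse_callback(url: str, redirect_uri: str, expected_state: str) -> str:
    """Return the authorization code, rejecting a wrong URI, wrong state or error."""
    got, want = urlsplit(url), urlsplit(redirect_uri)
    if (got.scheme, got.netloc, got.path) != (want.scheme, want.netloc, want.path):
        raise ValueError("callback did not arrive on the registered redirect URI")
    q = parse_qs(got.query)
    if q.get("state") != [expected_state]:
        raise ValueError("state mismatch: not a response to our request")
    if "error" in q:
        raise ValueError(f"authorization failed: {q['error'][0]}")
    codes = q.get("code", [])
    if len(codes) != 1:
        raise ValueError("callback carried no single authorization code")
    return codes[0]
```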
How do I use Okta in an OC project?
Example app crashes on iOS 11:
Library not loaded: /System/Library/Frameworks/AuthenticationServices.framework/AuthenticationServices
SDK should be available from the Carthage dependency manager.
Trying to login using code-supplied username + password, but it only works if I add the client_id and client_secret. Is PKCE implemented at all?
Pending the release of OKTA-94106, terminate the user's session with Okta.
The SDK should provide a method to easily do the flow described in #78.
First, a Swift client for the Authentication API needs to be created. This work will be done in okta-auth-swift (see #81).
Then, this library must expose a method to start a sign-in request and pass the username/password directly. We will deprecate the existing login(username: string, password: string) method. This method will kick off the flow described in #78. This will result in one of two things:
- Success: like the existing login method, this should automatically store the tokens. Allow the developer to segue to a new view.
- Failure: the status was not SUCCESS, or some other error occurred (e.g., network error). Allow the developer to access the error object, or handle the status.
The result is that a developer can build their own native sign-in UI, use this new method to perform the sign-in flow (with no browser popup), and store tokens on the device.
How can I get the Okta SDK to work on mac? The current pod 'OktaAuth' is not compatible with OS X:
"(OS X 10.10) is not compatible with OktaAuth (0.1.0), which does not support osx."
As a developer, I want to trigger Okta to log in the user with Google using the idp parameter with app auth, so my user doesn't need to view a page to just click on another button.
We need to build an SDK for Swift that communicates with our Authentication API (https://developer.okta.com/docs/api/resources/authn). This will be in a new repo (https://github.com/okta/okta-auth-swift).
Here is an example of an existing authentication SDK: https://github.com/okta/okta-auth-java
The product and technical requirements for these SDKs are here:
https://oktawiki.atlassian.net/wiki/spaces/PM/pages/584942575/Authentication+SDK+product+spec
https://oktawiki.atlassian.net/wiki/spaces/eng/pages/463831327/Technical+Design+for+AuthN+SDKs
The requirements for the MVP are in https://github.com/okta/okta-auth-swift/issues
Hello,
On iOS 11+ There is a popup that says " Wants to Use '' to Sign in".
This is in relation to SFAuthenticationSession which has the following footnote at https://developer.apple.com/documentation/safariservices/sfauthenticationsession
If an application uses SFAuthenticationSession, users are prompted by a dialog to give explicit consent, allowing the application to access the website's data in Safari. When the webpage is presented, it runs in a separate process, so the user and web service are guaranteed that the app has no way to gain access to the user’s credentials. Instead, the app gets a unique authentication token.
Is there any workaround we could have to get around having this UIAlertView pop up, which is very disruptive to the user experience when logging in?
Thanks
These things are not currently documented:
- /authorize endpoint

We are moving our documentation towards "sign in" instead of "login". We should rename the .login() method in this library to match.
Additionally, since we are adding a non-browser way to sign in (in #82), we should differentiate these methods.
I think the login() method should be renamed to signInWithBrowser(). What do you think @jmelberg-okta @ayurok?
Right now we send "X-Okta-User-Agent-Extended", but we should use "User-Agent" to be consistent with other libraries that have the ability to use this header.