
We have a native application that we're prototyping which needs to:

  • Authenticate a User to fetch an Access Token as a public client via OIDC (OAuth2)
  • Render Web Content, in-app, from our web site which is protected by the same IdP (Keycloak) as the access token was fetched from above.

We are using the AppAuth library and it is following the best practices of RFC 8252 by using an external user agent so that the native application cannot snoop on the user credentials. Being iOS 13+, it is using ASWebAuthenticationSession. This part is working perfectly for us.

We are having problems when trying to then access our protected site via SFSafariViewController. The cookies set by the IdP from ASWebAuthenticationSession are not visible. This is the case no matter if the cookies are session or persistent cookies. As such, the user must authenticate again.

I'm highly confused about the state of cookie sharing of various types (persistent vs session) with the various versions of iOS and the various methods (ASWebAuthenticationSession, SFSafariViewController + WKWebView). There seems to be no definitive matrix that I've been able to find.

From spending time researching, it feels like with the present cookie restrictions on iOS (for security + privacy [good things!]), I can't accomplish what I want. This feels like such a common thing to want to do, I'm hoping I'm doing something wrong.

A couple of questions thus follow:

  1. Can persistent and/or session cookie sharing across ASWebAuthenticationSession and SFSafariViewController be allowed in the same app?
  2. If not, are there alternative approaches/patterns?

Thanks!

Josh Harness

1 Answer


As of iOS 16 there is no way that I know of to share cookies between ASWebAuthenticationSession and SFSafariViewController.

The workaround I have put in place for my own SSO implementation is to use SFSafariViewController for both the initial login and for subsequent browsing from within my app.

The only major downside to this approach that I have encountered is that the cookies persisted by the SFSafariViewController are only available to SFSafariViewController, meaning if the user opens the Safari app they will need to re-authenticate (as opposed to ASWebAuthenticationSession, which does share cookies with the Safari app).

I really hope Apple makes improvements to their documentation and implementation regarding SSO.
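As an added example, not code from the question, the answer, or the AppAuth project: a minimal Swift sketch of the workaround described above, where SFSafariViewController is used both for the OIDC authorization request and for later browsing of the protected site, so both views draw on the same per-app cookie jar. The IdP endpoints, client id, redirect scheme and the `OIDCConfig` / `SafariSSOCoordinator` names are assumptions for illustration; the app delegate is expected to forward the redirect URL to `handleRedirect(_:)`. PKCE (S256) and a random `state` value, checked on the callback, are included because a public client has no secret and RFC 8252 expects the app to reject callbacks it did not initiate.

```swift
import UIKit
import SafariServices
import CryptoKit
import Security

// Assumed placeholder values: substitute your own Keycloak realm and client registration.
struct OIDCConfig {
    let authorizationEndpoint = URL(string: "https://idp.example.com/realms/example/protocol/openid-connect/auth")!
    let tokenEndpoint = URL(string: "https://idp.example.com/realms/example/protocol/openid-connect/token")!
    let clientID = "native-app"                           // public client: no client secret
    let redirectURI = "com.example.app:/oauth2redirect"   // custom scheme registered in Info.plist (assumed)
    let scopes = "openid profile"
}

enum PKCE {
    static func base64URL(_ data: Data) -> String {
        data.base64EncodedString()
            .replacingOccurrences(of: "+", with: "-")
            .replacingOccurrences(of: "/", with: "_")
            .replacingOccurrences(of: "=", with: "")
    }
    // Cryptographically random value, used for both code_verifier and state.
    static func randomString(bytes: Int) -> String {
        var buf = [UInt8](repeating: 0, count: bytes)
        _ = SecRandomCopyBytes(kSecRandomDefault, bytes, &buf)
        return base64URL(Data(buf))
    }
    static func challenge(for verifier: String) -> String {
        base64URL(Data(SHA256.hash(data: Data(verifier.utf8))))
    }
}

final class SafariSSOCoordinator: NSObject, SFSafariViewControllerDelegate {
    enum SSOError: Error { case stateMismatch, missingCode, userCancelled, tokenResponse }

    private let config = OIDCConfig()
    private var codeVerifier = ""
    private var expectedState = ""
    private weak var safari: SFSafariViewController?
    private var completion: ((Result<String, Error>) -> Void)?

    // Step 1: run the authorization request in SFSafariViewController (not ASWebAuthenticationSession),
    // so the IdP session cookie lands in the jar that later SFSafariViewController instances reuse.
    func login(from presenter: UIViewController, completion: @escaping (Result<String, Error>) -> Void) {
        self.completion = completion
        codeVerifier = PKCE.randomString(bytes: 32)
        expectedState = PKCE.randomString(bytes: 16)
        var comps = URLComponents(url: config.authorizationEndpoint, resolvingAgainstBaseURL: false)!
        comps.queryItems = [
            .init(name: "response_type", value: "code"),
            .init(name: "client_id", value: config.clientID),
            .init(name: "redirect_uri", value: config.redirectURI),
            .init(name: "scope", value: config.scopes),
            .init(name: "state", value: expectedState),
            .init(name: "code_challenge", value: PKCE.challenge(for: codeVerifier)),
            .init(name: "code_challenge_method", value: "S256"),
        ]
        let vc = SFSafariViewController(url: comps.url!)
        vc.delegate = self
        safari = vc
        presenter.present(vc, animated: true)
    }

    // Step 2: the app delegate forwards the redirect URL here. A callback whose state does not
    // match the one we issued is rejected instead of being exchanged for a token.
    func handleRedirect(_ url: URL) -> Bool {
        guard url.absoluteString.hasPrefix(config.redirectURI) else { return false }
        safari?.dismiss(animated: true)
        let items = URLComponents(url: url, resolvingAgainstBaseURL: false)?.queryItems ?? []
        let param = { (name: String) in items.first { $0.name == name }?.value }
        guard param("state") == expectedState else { finish(.failure(SSOError.stateMismatch)); return true }
        guard let code = param("code") else { finish(.failure(SSOError.missingCode)); return true }
        exchange(code: code)
        return true
    }

    // Step 3: redeem the code with the PKCE verifier; the access token never passes through a web view.
    private func exchange(code: String) {
        var req = URLRequest(url: config.tokenEndpoint)
        req.httpMethod = "POST"
        req.setValue("application/x-www-form-urlencoded", forHTTPHeaderField: "Content-Type")
        let form = ["grant_type": "authorization_code", "code": code, "client_id": config.clientID,
                    "redirect_uri": config.redirectURI, "code_verifier": codeVerifier]
        req.httpBody = form
            .map { "\($0.key)=\($0.value.addingPercentEncoding(withAllowedCharacters: .alphanumerics) ?? "")" }
            .joined(separator: "&").data(using: .utf8)
        URLSession.shared.dataTask(with: req) { data, _, error in
            guard let data = data,
                  let json = try? JSONSerialization.jsonObject(with: data) as? [String: Any],
                  let token = json["access_token"] as? String else {
                self.finish(.failure(error ?? SSOError.tokenResponse)); return
            }
            self.finish(.success(token))
        }.resume()
    }

    // Step 4: later, show the protected site in another SFSafariViewController. It reuses the same
    // per-app cookie jar as the login view, so the IdP session is still present (Safari.app will not see it).
    func openProtectedPage(_ url: URL, from presenter: UIViewController) {
        presenter.present(SFSafariViewController(url: url), animated: true)
    }

    func safariViewControllerDidFinish(_ controller: SFSafariViewController) {
        if completion != nil { finish(.failure(SSOError.userCancelled)) }
    }

    private func finish(_ result: Result<String, Error>) {
        DispatchQueue.main.async { self.completion?(result); self.completion = nil }
    }
}
```

Usage: call `login(from:completion:)` from a view controller, forward the custom-scheme URL received in `application(_:open:options:)` (or `scene(_:openURLContexts:)`) to `handleRedirect(_:)`, and once the token arrives use `openProtectedPage(_:from:)` for the in-app web content. The trade-off is the one the answer names: the session cookie is scoped to this app's SFSafariViewController instances and is not shared with Safari.app.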

  • Thanks for the advice. I'm curious, do you use AppAuth? Out of the box, it doesn't want to use SFSafariViewController, since this goes against the IETF's Best Current Practices (BCP) for native apps (rfc 8252) – Josh Harness Aug 03 '23 at 20:04
  • @JoshHarness I am not using AppAuth out of the box, I have a custom OAuth2 implementation. I took a look at rfc 8252 and don't see anywhere it explicitly states not to use SFSafariViewController. Could you point me to that section? In my experience the only major drawback of using SFSafariViewController is the SSO cookie is not shared with the Safari app so the user's session is only persisted within my app (which for my use case is acceptable). – Justin DiStaulo Aug 24 '23 at 15:44