mathinvalidnik

Reputation: 1600

How to setup Identity Server 3 for IOS client using Authorization Code flow

Lately I've been playing around with Thinktecture's Identity Server 3 and, more specifically, clients and flows. Now I want to see how the communication happens between a native iOS application and Identity Server 3 using the Authorization Code flow.

What I've done so far is consuming the STS (Identity Server 3) from an ASP.NET MVC client (Hybrid flow) and an AngularJS client (Implicit flow). The STS side looks like this:

Implicit flow client setup on STS:

    new Client
    {
        ClientId = "implicitangularclient",
        ClientName = "Angular client (Implicit)",
        Flow = Flows.Implicit,
        AllowAccessToAllScopes = true,

        IdentityTokenLifetime = 10,
        AccessTokenLifetime = 120,
        // If we want to have SSO between the Angular app and the MVC app we need to have this option set to
        // false for both the flows they implement (hybrid and implicit).
        RequireConsent = false,

        // redirect = URI of the Angular application
        RedirectUris = new List<string>
        {
            "https://localhost:44555/callback.html",
            // for silent refresh
            "https://localhost:44555/silentrefreshframe.html"
        },
        PostLogoutRedirectUris = new List<string>()
        {
            "https://localhost:44555/index.html"
        }
    }

Hybrid flow client setup on STS:

    new Client
    {
        ClientId = "hybridclient",
        ClientName = "Mvc client (Hybrid)",
        Flow = Flows.Hybrid,
        AllowAccessToAllScopes = true,
        // If we want to have SSO between the Angular app and the MVC app we need to have this option set to
        // false for both the flows they implement (hybrid and implicit).
        RequireConsent = false,

        IdentityTokenLifetime = 10,
        AccessTokenLifetime = 120,

        // redirect = URI of the MVC application
        RedirectUris = new List<string>
        {
            "https://localhost:44556"
        },

        // Needed when requesting refresh tokens
        ClientSecrets = new List<Secret>()
        {
            new Secret("hybridflowsecret".Sha256())
        },
        PostLogoutRedirectUris = new List<string>()
        {
            "https://localhost:44556"
        }
    }

Well, now my goal is to set up a client which is a native iOS application using the authorization code flow. I currently have no iOS application, but I wish I could make a setup for such a client so that if one day I have an iOS app, I can just give it the client id, client name and client secret I have already defined and let it run. I tried to find examples on the internet but didn't have success with that, so I started digging into it. What I am now wondering is what the return URL should be and how it gets processed client-side. Following this specification: oauth2-native-apps-03, starting from section 5, it says that

There are three main approaches to redirection URIs for native apps: custom URI schemes, app-claimed HTTPS URI schemes, and loopback redirects.

So far, so good, but as far as I understand, on the client-side app we need to register a custom URI scheme, which I've never done before (I've never done iOS development in general). Even more, we need to open the app after a specific URL (most likely the ReturnUris URL) is passed to the phone browser that launched the authorization process. I also spent some time on inter-app communication for iOS but didn't really get the answer to my question, which is: if I want to abstract myself from the iOS application and its setup and I want to configure only the STS, how could I do that in terms of setting up the Client object for this case on the STS level? What should the redirect URI be (as far as I understand it is a kind of reverse DNS notation, something like com.mycompany.apples)? Just imagine I am the STS administrator and a physical client comes to me and says: Hey, I have an iOS application with this id, this secret and that return URI, please set it up for me on your STS.

Upvotes: 1

Views: 1252

Answers (1)

aaronR

Reputation: 1567

Here is a Xamarin project iOS client example using the following libraries.

If you are going to use Xamarin, then the ViewController.cs has the login code to connect to an IdentityServer.

        var options = new OidcClientOptions
        {
            Authority = "https://demo.identityserver.io",
            ClientId = "native.hybrid",
            Scope = "openid profile email api",
            // Custom URI scheme registered by the iOS app; IdentityServer must list
            // exactly this value in the client's RedirectUris.
            RedirectUri = "io.identitymodel.native://callback",

            // The authorization response comes back as a redirect to the scheme above.
            ResponseMode = OidcClientOptions.AuthorizeResponseMode.Redirect
        };

        _client = new OidcClient (options);
        // Builds the authorize URL (with state and nonce) that the browser is sent to.
        _state = await _client.PrepareLoginAsync ();

        // The AppDelegate receives the custom-scheme URL when iOS reopens the app
        // and hands it to this callback to finish the login.
        AppDelegate.CallbackHandler = HandleCallback;
        safari = new SafariServices.SFSafariViewController (new NSUrl (_state.StartUrl));

        this.PresentViewController (safari, true, null);

If you are going to be using a Single Page Application (SPA), then they have a good sample project there that uses their oidc-client.js library, with the documentation here.

NOTE: I have not had any luck using a URL Scheme with the oidc-client.js library. I'm still looking into if this library supports that ability.

If you were planning on using Cordova for your project, then here is a source that I've tested with. NOTE: There are some testing issues you may run into if you don't have an iOS device to test with. I ran into this issue and was able to test using the Intel XDK tool, which allows you to push the Cordova project to a test server and launch it on your mobile device via the Intel App Preview application.

Upvotes: 1
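The STS-side counterpart to the Xamarin snippet above, added here as an example that is not part of the question or the answer: an IdentityServer3 Client entry for a native iOS app on the authorization code flow, using the same custom-scheme redirect URI the answer's OidcClient sends. The client id, client name, secret placeholder, scope list and lifetimes are assumed values.

```csharp
using System.Collections.Generic;
using IdentityServer3.Core.Models;

// Example only: a native iOS client on the authorization code flow.
// Assumed values: client id/name, the secret placeholder and the scope list.
public static class NativeClients
{
    public static Client IosAuthorizationCodeClient()
    {
        return new Client
        {
            ClientId = "native.ios",                  // assumed; the app must send exactly this
            ClientName = "iOS app (Authorization Code)",
            Flow = Flows.AuthorizationCode,
            Enabled = true,

            // The custom URI scheme the iOS app registers (same form as the answer's
            // io.identitymodel.native://callback). IdentityServer3 compares redirect URIs
            // exactly, so scheme, host and path must match the app's RedirectUri verbatim.
            RedirectUris = new List<string>
            {
                "io.identitymodel.native://callback"
            },

            // IdentityServer3 authenticates the client at the token endpoint when the
            // code is exchanged; store only the hash of the secret the app owner hands you.
            ClientSecrets = new List<Secret>
            {
                new Secret("<replace-with-the-app-secret>".Sha256())
            },

            // Grant only the scopes the app needs instead of AllowAccessToAllScopes.
            AllowedScopes = new List<string> { "openid", "profile", "email", "api" },

            // Authorization codes are single-use; keep their validity window short (seconds).
            AuthorizationCodeLifetime = 60,
            IdentityTokenLifetime = 300,
            AccessTokenLifetime = 3600,

            // A third-party app is involved, so ask the user to approve it the first time.
            RequireConsent = true,
            AllowRememberConsent = true
        };
    }
}
```

The app's OidcClientOptions must then carry the same ClientId, Scope and RedirectUri, plus the secret, for the token request to be accepted.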
