CODEWITHSUNDEEP
iosoauth
Nick Kohrn
Nick Kohrn

Reputation: 6039

How to Store Client ID/Client Secret Strings in iOS

I am building an application that uses OAuth to authenticate and grant account access to users.

The current authentication flow is as follows:

  1. Create new application
  2. Register application with API service
  3. Store granted client ID and client secret securely
  4. Launch application
  5. Application opens service's OAuth request for approval in SFSafariViewController
  6. User approves the application to access their service's account
  7. Callback to application provides code, which is received in AppDelegate
  8. Notification is posted, passing the code to the view controller that will initiate the request to exchange a clientID, client secret, and code for an OAuth token to be used for authenticating subsequent requests
  9. Send request with client ID, client secret, and code to exchange for OAuth token
  10. Store token in Keychain for subsequent API requests

I have everything working as listed, however, I don't know how to store the client ID and client secret that I am granted when registering my application with the service. The client ID and client secret are to be kept securely and not shared. They will be used when a user exchanges them for an OAuth token.

Since I am using GitHub for version control, do I create a property list within my application to store the items? If so, I can just add that file to my .gitignore. Is this an appropriate method for storing my credentials?

Upvotes: 4

Views: 2950

Answers (2)

Daniel Dobalian
Daniel Dobalian

Reputation: 3237

You should not store a client secret inside a native app as it is a public client. Native apps are incapable of protecting data from the resource owner (and therefore a client secret).

Client secrets are intended for servers (or any confidential client) that are able to properly hide a client secret. You can standup a server (where the client secret can be stored) that handles the incoming requests from your mobile app over HTTPS, then sends back Access/Refresh tokens to your mobile app.

Upvotes: 1

Tung Fam
Tung Fam

Reputation: 8147

If I understood your question right (you need to store keys for each user), you may store them in iCloud containers. Basically it's like UserDefaults but in user's iCloud. You may write and read from there. Check out this docs for more info.

Let me know if it helps cuz not sure if I got your question the right way. If not please explain it in other way :) thanks

Upvotes: 0

Related Questions