Layer7 API Management

  • 1.  iOS sample App using Authorization Code flow

    Posted Nov 17, 2018 02:13 PM

    Is there an updated sample app that uses Mobile SDK 1.8 and the Authorization Code flow or OIDC BCP flows? The sample app out there uses the password grant, which we do not want to use. The documentation also references deprecated methods.



  • 2.  Re: iOS sample App using Authorization Code flow
    Best Answer

    Posted Nov 20, 2018 06:23 PM

    Hi Shinoy,

    Thanks for posting the question in the forum.

    First of all, I'm sorry for the outdated documentation; I will work on updating that documentation with the latest and relevant content soon.

    For the Authorization Code flow, the first thing that you will have to keep in mind is the following:

    1) Implicit Authentication: This is a flow where Mobile SDK invokes a callback block implemented by developers to acquire user credentials (in this case an Authorization Code) when there are no credentials (i.e. not authenticated, or all tokens expired).  In this scenario, app developers need to implement the callback block and handle the flow accordingly, and Mobile SDK will invoke the block whenever it's necessary. Note: This callback block will only be triggered when the Grant Flow of the SDK is set to Password.

    • For Implicit Authentication, you will simply have to implement the following callback block to handle the implicit authentication flow:

    [MAS setUserAuthCredentials:^(MASAuthCredentialsBlock authCredentialBlock) {
        // Build whichever credential type applies (both subclass MASAuthCredentials);
        // string literals must be NSString objects (@"...").
        MASAuthCredentials *credentials = [MASAuthCredentialsPassword initWithUsername:@"username" password:@"password"];
        // or, for the Authorization Code case:
        // credentials = [MASAuthCredentialsAuthorizationCode initWithAuthorizationCode:@"code"];

        // Hand the credentials back to the SDK; pass YES as the second argument to cancel the flow instead.
        authCredentialBlock(credentials, NO, ^(BOOL completed, NSError *error) {
            //
            //   Handle the result of authentication with the above credentials
            //
        });
    }];

    2) Explicit Authentication: This is a flow where the app developer explicitly calls to authenticate the session.  Simply put, the app developer calls the [MASUser login..] method to authenticate the user with any choice of credentials.

    Keeping that in mind, the workflow for getting the authorization code from Mobile SDK is as follows:


    1) (For Social Login) Make sure all server configurations are done correctly.  You can simply check with the MAG Manager of the gateway, and try to log in with any authentication providers you would like to use.

    2) Retrieving the authentication URL from Mobile SDK.

    • This will be done automatically for Implicit Authentication; within the callback block, the authentication URL will be prepared and available to use.  Simply use [MASAuthenticationProviders currentProviders] to retrieve an array of authentication URLs.
    • For Explicit Authentication, you will have to fetch the authentication URLs yourself.  Simply call the [MASAuthenticationProviders retrieveAuthenticationProvidersWithCompletion..] method to retrieve the authentication URLs.

    3) For the Authorization Code flow, there are two possible features in Mobile SDK:

    • Proximity Login (using QR Code, or BLE), or
    • Social Login

    4) Once you obtain the authorization code from either of these features, you can simply hand that auth code back to Mobile SDK to proceed with authentication.

    For Proximity Login, please refer to iOS Guides | CA Mobile App Services 

    For Social Login, please refer to iOS Guides | CA Mobile App Services 

    Hope this helped, and please let me know if you need any further assistance on this issue.

    If you could please specify a bit more which use case you would like to use, that would help me a lot to narrow down and focus on exactly what you would like to try, with more specific examples with Mobile SDK.

    Thanks,



  • 3.  Re: iOS sample App using Authorization Code flow

    Posted Nov 20, 2018 09:52 PM

    Hi,


    I am a bit confused by the response as I feel implicit grant type is not the same as the authorization_code grant type. 

    What I am trying to do is have our developers leverage the OAuth 2 authorization_code flow from the gateway, which validates credentials against the user store. I do not want the ROPC grant, as that means the app developers are collecting credentials; I would want credentials to be handled only by the gateway login pages.



  • 4.  Re: iOS sample App using Authorization Code flow

    Posted Nov 26, 2018 05:34 PM

    Hi Shinoy,

    First of all, I'm sorry for the confusion that I might have caused with my response.

    Just one clarification on my previous response: what I mentioned as Implicit Authentication was not equivalent to the OAuth Implicit Grant.

    For your question, the short answer is yes, it is possible to use the Authorization Code grant type using our Mobile SDK.  For some authentication providers, we support the auth code grant type out of the box with some configuration (for Google, Salesforce, LinkedIn, and Facebook).  You will have to configure the authentication provider's client ID and secret, and import the provider's certificate into the Gateway.  You will also need to implement a few things here and there for the mobile application, which unfortunately we currently don't have a sample app for.

    However, as I mentioned in my previous response, you will be able to implement this feature by following the documentation iOS Guides | CA Mobile App Services.  The basic idea is that Mobile SDK will fetch the list of available authentication providers (such as Facebook, Google, etc.), then you will display that URL using SafariViewController in the iOS application (reference: iOS Guides | CA Mobile App Services).  You will also have to declare a custom URL scheme in the Xcode project to handle the incoming authorization code from SafariViewController in the AppDelegate file (reference: iOS Guides | CA Mobile App Services).  Once you have received the authorization code, you will simply need to provide the auth code to the SDK for authentication (reference: iOS Guides | CA Mobile App Services).

    If you are trying to set up the authorization code grant type with providers that we currently do not support out of the box (meaning providers that are not Google, Facebook, LinkedIn, and/or Salesforce), there will be a little more work to do on the server-side OTK to configure and implement the OAuth protocol for the provider, but it is still possible.

    For the sample app, I will raise the issue internally to discuss providing a sample app for this particular purpose in the future.

    For demonstration purposes, the Mobile team has a library called MASUI, which is basically a demonstration of the SDK's functionality at the application layer.  This framework contains a default login screen implemented in native iOS code to present the ROPC and Auth Code grant types (as in Social Login, reference: iOS Guides | CA Mobile App Services).

    Please let me know if you have any additional questions or concerns.

    Thanks,
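    The Explicit Authentication workflow from reply 2 (fetch providers, show the authentication URL, hand the code back to the SDK) and the SafariViewController / custom URL scheme / AppDelegate description in reply 4, put together as one added example. This is not code from the thread, from CA, or from the MASFoundation project; it assumes MASFoundation is linked, that the gateway redirects Safari to the hypothetical scheme "myapp://oauth?code=...", that that scheme is declared under CFBundleURLTypes in Info.plist, and that the SDK exposes providers.providers, provider.identifier, provider.authenticationUrl (as NSURL) and [MASUser loginWithAuthCredentials:completion:] as the "[MASUser login..]" method the reply refers to; those names are assumptions, not confirmed by the thread.

```objective-c
#import <UIKit/UIKit.h>
#import <SafariServices/SafariServices.h>
#import <MASFoundation/MASFoundation.h>

// Hypothetical custom URL scheme (assumption). It must match CFBundleURLTypes in
// Info.plist and the redirect URI registered on the gateway for the provider.
static NSString *const kCallbackScheme = @"myapp";
static NSString *const kCallbackHost   = @"oauth";   // expects myapp://oauth?code=...

@interface AppDelegate : UIResponder <UIApplicationDelegate>
@property (nonatomic, strong) UIWindow *window;
@property (nonatomic, strong) SFSafariViewController *safariVC;
@property (nonatomic, assign) BOOL loginInFlight;   // accept a code only when we asked for one
@end

@implementation AppDelegate

// Steps 2 and 3 from the reply: ask the SDK for the configured providers, pick the
// one the user tapped, and show its authentication URL in SFSafariViewController,
// so the app itself never handles the user's password.
- (void)startSocialLoginWithProviderIdentifier:(NSString *)identifier
                                presentingFrom:(UIViewController *)host {
    [MASAuthenticationProviders retrieveAuthenticationProvidersWithCompletion:
     ^(MASAuthenticationProviders *providers, NSError *error) {
        if (error) { NSLog(@"Provider lookup failed: %@", error); return; }
        for (MASAuthenticationProvider *provider in providers.providers) {   // property names assumed
            if (![provider.identifier isEqualToString:identifier]) { continue; }
            self.loginInFlight = YES;
            self.safariVC = [[SFSafariViewController alloc] initWithURL:provider.authenticationUrl];
            [host presentViewController:self.safariVC animated:YES completion:nil];
            return;
        }
        NSLog(@"Provider %@ is not configured on the gateway", identifier);
    }];
}

// Step 4: the gateway redirects Safari to our scheme carrying the authorization code.
// Validate the callback before trusting anything in it: any app can open a URL with
// our scheme, so only a code we solicited, on the exact scheme and host, is accepted.
- (BOOL)application:(UIApplication *)app
            openURL:(NSURL *)url
            options:(NSDictionary<UIApplicationOpenURLOptionsKey, id> *)options {
    if (![url.scheme isEqualToString:kCallbackScheme] ||
        ![url.host isEqualToString:kCallbackHost]) {
        return NO;                       // not our callback; ignore it
    }
    if (!self.loginInFlight) {
        return NO;                       // unsolicited code delivery; ignore it
    }
    self.loginInFlight = NO;             // one shot: a replayed callback URL is rejected

    // Parse the query properly instead of splitting strings by hand.
    NSURLComponents *components = [NSURLComponents componentsWithURL:url resolvingAgainstBaseURL:NO];
    NSString *code = nil;
    for (NSURLQueryItem *item in components.queryItems) {
        if ([item.name isEqualToString:@"code"]) { code = item.value; }
    }

    [self.safariVC dismissViewControllerAnimated:YES completion:nil];
    self.safariVC = nil;

    if (code.length == 0) {
        NSLog(@"Callback carried no authorization code");
        return YES;
    }

    // Hand the code to the SDK (explicit login); the SDK performs the token
    // exchange with the gateway, so the client secret never lives in the app.
    MASAuthCredentialsAuthorizationCode *credentials =
        [MASAuthCredentialsAuthorizationCode initWithAuthorizationCode:code];
    [MASUser loginWithAuthCredentials:credentials completion:^(BOOL completed, NSError *error) {
        if (!completed) { NSLog(@"Login with authorization code failed: %@", error); return; }
        NSLog(@"Authorization code login completed");
    }];
    return YES;
}

@end
```

    The loginInFlight flag is the app-side check that is available regardless of what the gateway does: it rejects a code delivered to the scheme when no login was started and clears itself after one use, so a second delivery of the same callback URL is not fed to the SDK. Binding the callback to the request with an OAuth state value is stronger, but whether the gateway's social login URL carries and verifies one is a server-side configuration question this thread does not cover.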