Okta with AppAuth

Okta

Example

To run the example project, clone the repo, and run pod install from the Example directory first.

Requirements

Installation

Okta is available through CocoaPods. To install it, simply add the following line to your Podfile:

pod "OktaAuth"

Overview

This library currently supports:

Getting Started

You can create an Okta developer account at https://developer.okta.com/.

  1. After login, navigate to https://{yourOrg}-admin.oktapreview.com/admin/apps/add-app and select Create New App
  2. Choose Native as the platform, Sign on method as OpenID Connect then select Create.
  3. Populate your new OpenID Connect application with values similar to:

     Setting              Value
     Application Name     Native OpenId Connect App (must be unique)
     Redirect URIs        com.okta.yoursubdomain:/callback
     Allowed grant types  Authorization Code, Refresh Token (recommended)

  4. Click Finish to redirect back to the General Settings of your application.
  5. Copy the Client ID, as it will be needed for the client configuration.

Note: As with any Okta application, make sure you assign Users or Groups to the OpenID Connect Client. Otherwise, no one can use it.

If using the Resource Owner Password Grant, make sure to select it in the Allowed Grant Types and select Client authentication.

Configuration

Create an Okta.plist file in your application's bundle with the following fields:

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
	<key>issuer</key>
	<string>{oktaOrg}</string>
	<key>clientId</key>
	<string>{clientIdValue}</string>
	<key>redirectUri</key>
	<string>{redirectUrlValue}</string>
	<key>scopes</key>
	<array>
		<string>offline_access</string>
		<string>openid</string>
		<string>profile</string>
	</array>
</dict>
</plist>

Note: To receive a refresh_token, you must include the offline_access scope.

Update the Private-use URI Scheme

In order to redirect back to your application from a web browser, you must register a unique URI scheme for your app. To do this, open Info.plist in your application bundle and set a URL Scheme to the scheme of the redirect URI.

For example, if your Redirect URI is com.okta.example:/callback, the URL Scheme will be com.okta.example.
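The corresponding Info.plist fragment, as an added example (not from the project's README) for the com.okta.example redirect URI used above; the CFBundleURLName value is an arbitrary identifier chosen here:

```xml
<!-- Added example: registers the private-use scheme for com.okta.example:/callback -->
<key>CFBundleURLTypes</key>
<array>
	<dict>
		<key>CFBundleURLName</key>
		<string>com.okta.example</string>
		<key>CFBundleURLSchemes</key>
		<array>
			<string>com.okta.example</string>
		</array>
	</dict>
</array>
```

The scheme must match both the redirectUri in Okta.plist and the Redirect URI registered on the Okta application, or the callback never reaches the app. Because iOS does not guarantee a custom scheme is claimed by only one app, use a reverse-domain name you control, as OAuth 2.0 for Native Apps (RFC 8252) recommends.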

Resource Owner Password

If using the Resource Owner Password Grant, you must specify the clientSecret in Okta.plist:

<key>clientSecret</key>
<string>{clientSecret}</string>

IMPORTANT: It is strongly discouraged to store a clientSecret on a distributed app. Please refer to OAuth 2.0 for Native Apps for more information.

Authorization

First, update your AppDelegate to include the following function to allow the redirect to occur:

// AppDelegate.swift
import OktaAuth

func application(_ app: UIApplication, open url: URL, options: [UIApplicationOpenURLOptionsKey : Any]) -> Bool {
    return OktaAuth.resume(url: url, options: options)
}

Then, you can start the authorization flow by simply calling login:

OktaAuth
    .login()
    .start(view: self) { response, error in

        if error != nil { print(error!) }

        // Success
        if let authResponse = response {
            // authResponse.accessToken
            // authResponse.idToken
        }
    }

To login using username and password:

OktaAuth
    .login(username: "user@example.com", password: "password")
    .start(view: self) { response, error in

        if error != nil { print(error!) }

        // Success
        if let authResponse = response {
            // authResponse.accessToken
            // authResponse.idToken
        }
    }

Get UserInfo

Calls the OIDC userInfo endpoint to return user information.

OktaAuth.userinfo() { response, error in
    if error != nil { print("Error: \(error!)") }

    if let userinfo = response {
        userinfo.forEach { print("\($0): \($1)") }
    }
}

Introspect the Tokens

Calls the introspection endpoint to inspect the validity of the specified token.

OktaAuth
    .introspect()
    .validate(token: token) { response, error in
        if error != nil { print("Error: \(error!)") }

        if let isActive = response { print("Is token valid? \(isActive)") }
    }

Revoke a Token

Calls the revocation endpoint to revoke the specified token.

OktaAuth.revoke(token: token) { response, error in
    if error != nil { print("Error: \(error!)") }
    if let _ = response { print("Token was revoked") }
}

Refresh a Token

Refreshes the accessToken if the refreshToken is provided.

OktaAuth.refresh()

Token Management

Tokens are securely stored in the Keychain. They can easily be set and retrieved with the helper methods set and get.

OktaAuth
    .login()
    .start(view: self) { response, error in

        if error != nil { print(error!) }
        if let authResponse = response {
            // Store tokens in the Keychain through the SDK's token manager
            OktaAuth.tokens?.set(value: authResponse.accessToken!, forKey: "accessToken")
            OktaAuth.tokens?.set(value: authResponse.idToken!, forKey: "idToken")
            self.buildTokenTextView() // app-specific UI update from the Example project
        }
    }

// Retrieve them later with:
// OktaAuth.tokens?.get(forKey: "accessToken")
// OktaAuth.tokens?.get(forKey: "idToken")
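The snippets in the Introspect, Revoke and Token Management sections above are combined here into one session helper, as an added example that is not part of the SDK or its README. It assumes that OktaAuth.tokens?.get(forKey:) returns String?, that the introspect completion delivers Bool? (the README binds it as isActive), and that start(view:) takes the presenting UIViewController; SessionManager and SessionError are names chosen for this example. The point it adds is fail-closed handling: a token still sitting in the Keychain is only trusted after the server says it is active, and it is revoked when the user signs out.

```swift
import UIKit
import OktaAuth

// Added example, not from the SDK. Assumptions: tokens?.get(forKey:) -> String?,
// introspect completion -> (Bool?, Error?), start(view:) takes a UIViewController.
enum SessionError: Error {
    case missingTokens
}

final class SessionManager {
    private let accessTokenKey = "accessToken"
    private let idTokenKey = "idToken"

    /// Sign in and persist both tokens in the Keychain via the SDK's token manager.
    func signIn(from viewController: UIViewController,
                completion: @escaping (Error?) -> Void) {
        OktaAuth
            .login()
            .start(view: viewController) { response, error in
                if let error = error {
                    completion(error)
                    return
                }
                // Missing tokens are treated as a failed sign-in rather than force-unwrapped.
                guard let authResponse = response,
                      let accessToken = authResponse.accessToken,
                      let idToken = authResponse.idToken else {
                    completion(SessionError.missingTokens)
                    return
                }
                OktaAuth.tokens?.set(value: accessToken, forKey: self.accessTokenKey)
                OktaAuth.tokens?.set(value: idToken, forKey: self.idTokenKey)
                completion(nil)
            }
    }

    /// Ask the authorization server whether the stored access token is still active.
    /// A token can expire or be revoked server-side while a copy remains in the
    /// Keychain, so introspect before trusting it. Any error or nil response counts
    /// as inactive (fail closed).
    func accessTokenIsActive(completion: @escaping (Bool) -> Void) {
        guard let token = OktaAuth.tokens?.get(forKey: accessTokenKey) else {
            completion(false)
            return
        }
        OktaAuth
            .introspect()
            .validate(token: token) { isActive, error in
                if let error = error {
                    print("Introspection failed: \(error)")
                }
                completion(isActive ?? false)
            }
    }

    /// Revoke the access token at sign-out so a copy lifted from the device later
    /// cannot be replayed against the API.
    func signOut(completion: @escaping (Bool) -> Void) {
        guard let token = OktaAuth.tokens?.get(forKey: accessTokenKey) else {
            completion(true) // nothing stored, nothing to revoke
            return
        }
        OktaAuth.revoke(token: token) { response, error in
            if let error = error {
                print("Revocation failed: \(error)")
                completion(false)
                return
            }
            completion(response != nil)
        }
    }
}
```

Call accessTokenIsActive before attaching the stored token to an outbound request, and signOut from the app's logout action; if revocation fails, keep the user in a signed-out state locally and retry later rather than treating the token as still usable.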

License

Okta is available under the MIT license. See the LICENSE file for more info.