okta/okta-auth-swift

Using the native login w/ this lib how can I SSO into an embedded webview

t3ddyK opened this issue · 4 comments

I have an iOS app, using a native login, based on the custom example.

This works perfectly and I am happy with it.

I have a requirement to open an embedded WKWebView within my app, that SSO’s a user in.

The url looks something like this:

https://{my-okta-org}.com/app/{some-okta-app-id}/exkms5nzsh0tD0kO10h7/sso/saml?RelayState={some-relay-state}

When I launch this however within my web view, I am redirected to an Okta login page. I would expect this really as the embedded view has no context of the authenticated session.

How can I set my session against this webview without asking the user to sign in again? As I have used the native login, I do not have a cookie set, so I suspect I will need to request one but am unsure of the flow required in this case and cannot find it mentioned in the docs for this lib.

Hi @t3ddyK,

Thanks for submitting this issue. I suppose you use the following environment:

  • OktaAuthSdk - for native auth flow and getting session token
  • OktaOidc - for exchanging session token to access token

During debugging I noticed that the session cookie is not stored by URLSession in the default cookie storage. Therefore SSO doesn't work.
I'm going to fix the issue in the OIDC library and create a new release (3.5.1).

Once the new release is available you will need to do the following:

  • Install the new OIDC pod
  • Enable persistent cookies for your Okta org (I will provide instructions later)

Okta OIDC sdk has been updated with the fix - https://github.com/okta/okta-oidc-ios/releases/tag/3.5.1

Please install the 3.5.1 pod and test your scenario.

Please also note that you have to enable persistent cookies for your Okta sign-on policy. Instructions on how to do that follow:

Prerequisites

Steps

  1. Open the Get Okta Sign On Policies request from the Postman collection and run it.
    Example:
GET https://{yourOktaDomain}/api/v1/policies?type=OKTA_SIGN_ON
  2. Locate in the response the Policy that you want to modify, then copy its id value.
  3. Open the Get Rules request from the Postman collection. Paste the Policy id into the request URL and run it.
    Example:
GET https://{yourOktaDomain}/api/v1/policies/00p2sy9uspJnRwPwp0g7/rules
  4. Locate the rules that you want to modify. You will need to copy the Rule id along with the actions part for the JSON payload.
  5. Open the Update Sign On Rule request from the Postman collection. Paste the Policy id and Rule id into the request URL and paste the actions JSON into the request body. Change the usePersistentCookie value from false to true.
    Example:
PUT https://{yourOktaDomain}/api/v1/policies/00p2sy9uspJnRwPwp0g7/rules/0pr2syd4yuJ2gFXnD0g7

Body:
{
    "name": "Your Policy Rule",
    "type": "SIGN_ON",
    "actions": {
        "signon": {
            "access": "ALLOW",
            "requireFactor": true,
            "factorPromptMode": "ALWAYS",
            "rememberDeviceByDefault": false,
            "session": {
                "usePersistentCookie": true,
                "maxSessionIdleMinutes": 100,
                "maxSessionLifetimeMinutes": 100
            }
        }
    }
}

NOTE: the usePersistentCookie value is now true.
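The five steps above collapsed into a script, as an added example that is not code from the thread or from the Okta SDKs: it reads a constructed rules response, builds for each rule a PUT body that flips only usePersistentCookie while keeping the rule's other actions intact, and skips rules that already have it. The rule ids are constructed placeholders and the SSWS API-token header is an assumption about how the caller authenticates; the endpoints are the ones quoted in the thread.

```python
"""Plan and apply usePersistentCookie=true on Okta sign-on policy rules."""
import copy
import json
import urllib.request

# Constructed sample: a trimmed GET /api/v1/policies/{policyId}/rules response.
SAMPLE_RULES = [
    {"id": "0pr_CONSTRUCTED_1", "name": "Default Rule", "type": "SIGN_ON",
     "actions": {"signon": {"access": "ALLOW", "requireFactor": True,
                            "factorPromptMode": "ALWAYS",
                            "rememberDeviceByDefault": False,
                            "session": {"usePersistentCookie": False,
                                        "maxSessionIdleMinutes": 100,
                                        "maxSessionLifetimeMinutes": 100}}}},
    {"id": "0pr_CONSTRUCTED_2", "name": "Already persistent", "type": "SIGN_ON",
     "actions": {"signon": {"access": "ALLOW",
                            "session": {"usePersistentCookie": True}}}},
]

def build_persistent_cookie_update(rule):
    """Return the PUT body for `rule` with usePersistentCookie set to true,
    or None when the rule already has it. Every other action field is kept,
    so the update does not silently drop MFA or session-length settings."""
    signon = rule.get("actions", {}).get("signon", {})
    if signon.get("session", {}).get("usePersistentCookie") is True:
        return None
    body = {"name": rule["name"], "type": rule["type"],
            "actions": copy.deepcopy(rule.get("actions", {}))}
    session = body["actions"].setdefault("signon", {}).setdefault("session", {})
    session["usePersistentCookie"] = True
    return body

def plan_updates(rules):
    """Map rule id -> PUT body for every rule that still needs the change."""
    plan = {}
    for rule in rules:
        body = build_persistent_cookie_update(rule)
        if body is not None:
            plan[rule["id"]] = body
    return plan

def put_rule(okta_domain, api_token, policy_id, rule_id, body):
    """Send the Update Sign On Rule request (assumes an SSWS API token)."""
    url = f"https://{okta_domain}/api/v1/policies/{policy_id}/rules/{rule_id}"
    req = urllib.request.Request(
        url, data=json.dumps(body).encode(), method="PUT",
        headers={"Authorization": f"SSWS {api_token}",
                 "Content-Type": "application/json", "Accept": "application/json"})
    with urllib.request.urlopen(req, timeout=30) as resp:
        return json.load(resp)

if __name__ == "__main__":
    print(json.dumps(plan_updates(SAMPLE_RULES), indent=2))
```

Because a persistent cookie lengthens the window in which a copied session cookie stays valid, run the plan only against the rule that governs the app needing SSO rather than every rule returned.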

That worked perfectly, thank you so much :)

Seems like rather than updating the "usePersistentCookie" flag via API, one can also address this via the Okta Terraform provider: https://registry.terraform.io/providers/okta/okta/3.25.1/docs/resources/policy_rule_signon#session_persistent
(this is an assumption - not validated on my part yet)

Of course that is only feasible if one already controls their Okta tenant via Terraform.