Browser sign in w/ out using SFAuthenticationSession or ASWebAuthenticationSession
nodediggity opened this issue · 5 comments
When using SFAuthenticationSession or ASWebAuthenticationSession the user is currently prompted to give consent every time the window is presented.
This leads to a scenario as follows:
User clicks Sign In and is presented with a UIAlert asking their consent to Sign In
At some point the user opts to Sign Out and again is presented with a UIAlert asking their consent to Sign In
This makes zero sense to the user at this point, the user is signed in, trying to sign out and is being prompted to give their consent to sign in - so they may be signed out 🤯.
Is it possible to use this flow without either SFAuthenticationSession or ASWebAuthenticationSession?
This flow does not feel correct at all from a UX perspective, the constant prompts and system dialog presented by SFAuthentication/ASWebAuthenticationSession is going to be confusing to say the least as a user opting to sign out is presented with a pop up advising them they are signing in and their details are going to be shared.
I understand this behaviour is driven by SFAuthentication/ASWebAuthenticationSession so I would like to handle this myself, perhaps via a WKWebView.
This behaviour is present within the browser-sign-in sample app.
Hi @nodediggity,
Unfortunately these alerts are shown by the SFAuthenticationSession and ASWebAuthenticationSession classes. There is no workaround to disable them. I would recommend you fork the oidc repo, modify the OIDExternalUserAgentIOS class and force using the SFSafariViewController implementation. In that case you will not see system alerts during the sign-in/sign-out flow. However, take into account some SFSafariViewController drawbacks:
SFSafariViewController requires definition of a custom url scheme in your Info.plist file and handling of the redirect in the AppDelegate.openWithUrl function
SFSafariViewController doesn't share persistent cookies, so SSO will not work
Please let me know if workaround works for you
Ildar
Thanks for coming back to me on this @IldarAbdullin-okta - I did some investigation myself also and I see now why it behaves this way.
Appreciate your input 👍
How to solve this sign in text on sign out alert? Please help, I am stuck on this. Thanks in advance.
Another approach to avoid the alert is forking the okta-oidc-ios repo and modifying OKTExternalUserAgentIOS. Put the authenticationVC.prefersEphemeralWebBrowserSession = YES; line in the presentExternalUserAgentRequest:session method.
Be aware, the authentication session (cookies, browsing data) won't be shared with the user's browser. For more details, read Apple's documentation.
Note, it's just a workaround but not something we recommend to do.
For other people that stumble across this issue, there's no need to fork the code as this has been integrated into the codebase with the noSSO option in the OIDC configuration object. Note: noSSO works only on iOS 13+ versions (due to prefersEphemeralWebBrowserSession), and the other downside is that the user will have to enter their credentials again. This is because prefersEphemeralWebBrowserSession means their authentication state (cookies) doesn't get shared between the authentication session and the user’s normal browser session.
Side note: To me, noSSO is a confusing name for the flag. It appears to me that SSO with an external IdP is still possible, just that you will have to enter your credentials again. I think the ephemeralWebBrowserSession terminology is more clear.
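The ephemeral-session setting discussed in this thread, shown directly against Apple's ASWebAuthenticationSession API as an added example; it is not code from the thread or from okta-oidc-ios. The class name and the authorizeURL, callbackScheme and expectedState parameters are assumptions supplied by the caller.

```swift
import AuthenticationServices
import UIKit

// Added example: names below are hypothetical, not part of the Okta SDK.
// iOS 13+ only, because prefersEphemeralWebBrowserSession requires it.
@available(iOS 13.0, *)
final class EphemeralSignIn: NSObject, ASWebAuthenticationPresentationContextProviding {
    private var session: ASWebAuthenticationSession?   // keep a strong reference while presented
    private weak var window: UIWindow?

    init(window: UIWindow) { self.window = window }

    func presentationAnchor(for session: ASWebAuthenticationSession) -> ASPresentationAnchor {
        return window ?? ASPresentationAnchor()
    }

    /// Starts an authorization-code flow in a private browser session.
    /// expectedState is the random `state` value the caller put into authorizeURL.
    func start(authorizeURL: URL, callbackScheme: String, expectedState: String,
               completion: @escaping (Result<String, Error>) -> Void) {
        let session = ASWebAuthenticationSession(url: authorizeURL,
                                                 callbackURLScheme: callbackScheme) { callbackURL, error in
            if let error = error {            // includes the user cancelling the sheet
                completion(.failure(error))
                return
            }
            let items = callbackURL
                .flatMap { URLComponents(url: $0, resolvingAgainstBaseURL: false) }?
                .queryItems ?? []
            func value(_ name: String) -> String? {
                return items.first(where: { $0.name == name })?.value
            }
            // Reject redirects whose state does not match the request that was sent.
            guard value("state") == expectedState, let code = value("code") else {
                completion(.failure(URLError(.badServerResponse)))
                return
            }
            completion(.success(code))
        }
        session.presentationContextProvider = self
        // No consent alert is shown, and no cookies are shared with Safari,
        // so the user re-enters credentials on every sign-in.
        session.prefersEphemeralWebBrowserSession = true
        self.session = session
        session.start()
    }
}
```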