eiam-ios is a sample authentication project which demonstrates best practices for integrating OpenID Connect into an iOS app. Internally it depends, via SPM, on the open source project AppAuth-iOS, which does the heavy lifting and implements the OpenID Connect specification. AppAuth-iOS uses ASWebAuthenticationSession on supported operating system versions, which gives the app the advantages of SSO: a user can use their ongoing session in the mobile Safari browser to log in to the app. AppAuth-iOS keeps the current authentication state in an OIDAuthState object; eiam-ios uses NSKeyedArchiver to encode and decode this object and stores it safely in the keychain.
The app allows the user to log in to 3 environments (REF/ABN/PROD) and displays information about the tokens.
All authorization related code can be found in the Logic/EIAM subfolder. The EIAMAuthorizationService is the entry point when authenticating a user.
The initializer sets up the service with the given configuration. The configurations for the different eiam environments can be found here. The initializedCallback is called as soon as the object is ready to use.
Calling this method starts the authentication flow. A ViewController has to be passed to present the ASWebAuthenticationSession. The callback is called with a result type containing either success or the error.
This computed property can be used to check if a user is authenticated.
Performs the user info request if one is advertised in the discovery document and returns its information. An optional URLSession can be passed; otherwise a URLSession with an ephemeral configuration is used.
Calling this method returns the access, refresh and ID tokens. If the currently stored token has expired, the SDK tries to renew it using the refresh token. If the forceFresh parameter is set to true, a new token is fetched even if the current one has not expired.
When this method is called the locally stored tokens are deleted. The user is not logged out of the SSO session, only within the app scope.
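The two mechanisms described above, archiving the OIDAuthState into the keychain and fetching a token with a forced refresh, as an added example written for this README (it is not code from eiam-ios); the keychain service/account names are constructed and the helper names are assumptions:

```swift
import Foundation
import Security
import AppAuth

// Hypothetical helper (not eiam-ios code): keeps an OIDAuthState in the keychain
// via NSKeyedArchiver with secure coding, as the README describes.
enum AuthStateStore {
    // Constructed service/account names; the real app picks its own.
    private static let baseQuery: [String: Any] = [
        kSecClass as String: kSecClassGenericPassword,
        kSecAttrService as String: "ch.example.eiam-ios.authstate",
        kSecAttrAccount as String: "default"]

    static func save(_ state: OIDAuthState) throws {
        // requiringSecureCoding rejects any class not conforming to NSSecureCoding
        let data = try NSKeyedArchiver.archivedData(withRootObject: state, requiringSecureCoding: true)
        _ = SecItemDelete(baseQuery as CFDictionary)      // replace any previous state
        var attrs = baseQuery
        attrs[kSecValueData as String] = data
        // Device-bound, excluded from backups, readable only while the device is unlocked
        attrs[kSecAttrAccessible as String] = kSecAttrAccessibleWhenUnlockedThisDeviceOnly
        let status = SecItemAdd(attrs as CFDictionary, nil)
        guard status == errSecSuccess else { throw NSError(domain: NSOSStatusErrorDomain, code: Int(status)) }
    }

    static func load() throws -> OIDAuthState? {
        var query = baseQuery
        query[kSecReturnData as String] = true
        query[kSecMatchLimit as String] = kSecMatchLimitOne
        var item: CFTypeRef?
        let status = SecItemCopyMatching(query as CFDictionary, &item)
        if status == errSecItemNotFound { return nil }
        guard status == errSecSuccess, let data = item as? Data else {
            throw NSError(domain: NSOSStatusErrorDomain, code: Int(status))
        }
        // Secure unarchiving accepts only OIDAuthState and the classes it declares
        return try NSKeyedUnarchiver.unarchivedObject(ofClass: OIDAuthState.self, from: data)
    }

    static func clear() { _ = SecItemDelete(baseQuery as CFDictionary) }   // app-scope logout
}

// Access token with optional forced refresh, mirroring the README's forceFresh parameter.
func accessToken(from state: OIDAuthState, forceFresh: Bool,
                 completion: @escaping (Result<String, Error>) -> Void) {
    if forceFresh { state.setNeedsTokenRefresh() }   // mark stale so performAction refreshes
    state.performAction { token, _, error in          // refreshes first if expired or stale
        if let token = token { completion(.success(token)) }
        else { completion(.failure(error ?? NSError(domain: "eiam", code: -1))) }
    }
}
```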
✅ OIDC Flow: Authorization code flow
✅ Use PKCE
✅ Use system browser (SFSafariViewController)
✅ Set prompt=select_account / prompt=login to ensure user interaction during login (instead of non-interactive SSO)
✅ Store tokens (encrypted) in keychain
✅ No tokens in app cache (an ephemeral URLSession is used)
✅ Use certificate pinning for requests to IdP
✅ Logout: drop all tokens
✅ Error handling
✅ Expiry handling for access/refresh tokens (renew before they expire)