iosoauth-2.0openidappauthsfauthenticationsession

How does SFAuthenticationSession store session related cookies in Safari


tl;dr read the last paragraph.

I am using AppAuth (https://github.com/openid/AppAuth-iOS) library for handling OpenID based authentication of users for which I want to provide SSO experience through my app. The deployment target of my app is iOS 11 which means AppAuth internally uses SFAuthenticationSession. I am using authorization flow, which means the user is presented with a web based login page via SFAuthenticationSession. When a user fills in and submits the credentials SFAuthenticationSession calls completion with url (if successful) from which authorization code can be parsed. With the authorization code a token POST request through URLSession is made independently of SFAuthenticationSession and the access_token is retrieved.

The entire flow is successful including the retrieval of access_token, but when I leave the app and open user's profile webpage provided by the service provider in Safari the user is not logged in. I have tested the same flow with a Google account (https://accounts.google.com) and SSO worked fine, e.g. when I opened https://mail.google.com in Safari I was logged in. So I have a suspicion my service provider is doing something wrong. Perhaps they didn't supply me with correct scopes? But before contacting them I want to rule out any fault of mine. Now my most immediate thought is that somehow the session related cookies do not get stored in Safari. From this my question follows.

My question. Token POST request is made independently of SFAuthenticationSession (different user agent) so how any session related cookies get stored on the device (Safari) if not through SFAuthenticationSession? And is there any way to debug cookie storage in code?


Solution

  • According to the OAuth 2.0 standard, the token endpoint does not require the resource owner authentication, as an opposite to the authorization endpoint, which does. (A script or a back-channel performing authorization code exchange does not necessarily have access to HTTP cookies set in the user agent and, by default, browsers do not include credentials in cross-site XHRs. When a refresh token is used the resource owner interaction is not needed at all.) Your URLSession does not get any session cookie from Safari or SFAuthenticationSession and should not need one.

    As for your mobile Safari experience, docs for ASWebAuthenticationSession, the SFAuthenticationSession successor, state:

    All cookies, except session cookies, can be shared with Safari.

    It seems to be the case for SFAuthenticationSession as well. Google must be using persistent cookies, and as a result session sharing works with them.

    On a side note, even with persistent cookies there appears to be some inconsistency in syncing the cookie jars in iOS 11 environment, for example: http://www.openradar.me/radar?id=5036182937272320