Browser sign in w/ out using SFAuthenticationSession or ASWebAuthenticationSession

[nodediggity]

When using SFAuthenticationSession or ASWebAuthenticationSession the user is currently prompted to give consent every time the window is presented.

The leads to a scenario as follows:

User clicks Sign In and is presented with a UIAlert asking their consent to Sign In

At some point the user opts to Sign Out and again is presented with a UIAlert asking their consent to Sign In

This makes zero sense to the user at this point, the user is signed in, trying to sign out and is being prompted to give their consent to sign in - so they may be signed out 🤯.

Is it possible at to use this flow without either SFAuthenticationSession or ASWebAuthenticationSession?

This flow does not feel correct at all from a UX perspective, the constant prompts and system dialog presented by SFAuthentication/ASWebAuthenticationSession is going to be confusing to say the least as a user opting to sign out is presented with a pop up advising them they are signing in and their details are going to be shared.

I understand this behaviour is driven by SFAuthentication/ASWebAuthenticationSession so I would like to handle this myself, perhaps via a WKWebView.

This behaviour is present within the browser-sign-in sample app.

[IldarAbdullin-okta]

Hi @nodediggity ,

Unfortunately these alerts are shown by SFAuthenticationSession and ASWebAuthenticationSession classes. There is no workaround how to disable them I would recommend you to fork oidc repo, modify OIDExternalUserAgentIOS class and force using SFSafariViewController implementation. In that case you will not see system alerts during sign-in/sign-out flow. However take into account some SFSafariViewController drawbacks:

1. SFSafariViewController requires definition of custom url scheme in your Info.plist file and handling of redirect in AppDelegate.openWithUrl function
2. SFSafariViewController doesn't share persistent cookies, so SSO will not work

Please let me know if workaround works for you

Ildar

[nodediggity]

Thanks for coming back to me on this @IldarAbdullin-okta - I did some investigation myself also and I see now why it behaves this way.

Appreciate your input 👍

[arshadsk5]

How to solve this sign in text on sign out alert, please help I stuck at this. Thanks in advance.

[oleggnidets-okta]

Another approach to avoid the alert is forking okta-oidc-ios repo and modify OKTExternalUserAgentIOS. Put authenticationVC.prefersEphemeralWebBrowserSession = YES; line in presentExternalUserAgentRequest:session method.

Be aware, the authentication session (cookies, browsing data) won't be shared with user browser. For more details, read Apple' documentation.

Note, it's just a workaround but not something we recommend to do.

[phaseOne]

For other people that stumble across this issue, there's no need to fork the code as this has been integrated into the codebase with the noSSO option in the OIDC configuration object. Note: noSSO works only on iOS 13+ versions (due to prefersEphemeralWebBrowserSession), and the other downside is that the user will have to enter their credentials again. This is because prefersEphemeralWebBrowserSession means their authentication state (cookies) doesn't get shared between the authentication session and the user’s normal browser session.

Side note: To me, noSSO is a confusing name for the flag. It appears to me that SSO with an external IdP is still possible, just that you will have to enter your credentials again. I think the ephemeralWebBrowserSession terminology is more clear.