Sweep through readme and code to make sure labels and placeholders follow the pattern here: https://oktawiki.atlassian.net/wiki/spaces/UX/pages/470681125/Developer+Experience+-+Okta+Domain+Labels

• https://{yourOktaDomain} (not https://{yourOktaDomain}.com)
• {clientId}
• {clientSecret}
• {scheme}

Pending the release of OKTA-94106 terminate the user's session with Okta.

I'm not sure what's happening with signOutFromOkta, but it's clear there there are some versioning issues. When I updated to the latest pod and try to use the method signOutFromOktaas documented in the Readme file, it's not found. Then I looked at the example project and it uses a method namedsignOutOfOkta`. When I look at it's pod files, while supposedly being the same version they quite different. For example:

My Pods -

Using AppAuth (0.91.0)
Installing HydraAsync (1.0.2)
Installing OktaAuth 1.0.1 (was 0.3.0 and source changed to `https://github.com/CocoaPods/Specs.git` from `https://github.com/cocoapods/specs.git`)
Installing OktaJWT (1.0.0)
Installing Vinculum (0.2.0)

OktaAppAuth.swift lines 29-42

// Token manager
public var tokens: OktaTokenManager?

public func login(_ username: String, password: String) -> Login {
    // Authenticate via Resource Owner Password Grant
    return Login(forUsername: username, forPassword: password)
}

public func login() -> Login {
    // Authenticate via authorization code flow
    return Login()
}

public func isAuthenticated() -> Bool {

Example Project Pods -

Installing HydraAsync (1.2.1)
Installing OktaAppAuth (1.0.0.beta-okta)
Installing OktaAuth (1.0.1)

OktaAppAuth.swift lines 29-42

public var tokens: OktaTokenManager?

public func login() -> Login {
    // Authenticate via authorization code flow
    return Login()
}

public func signOutOfOkta() -> Logout {
    // End the Okta session
    return Logout()
}

public func isAuthenticated() -> Bool {

So, it looks like there is signOut in the example, and looking through the source in the master repo it's there as well, but it's not the same code as the Readme, or the publicly available pod. And the example has obviously different dependencies. (Updated HydraAsync, OktaAppAuth, no Vinculum). Maybe the cocoapod isn't pointing to the latest code, I'm not sure.

The /logout endpoint can be passed tokens that are expired, and if we continue to throw an error when the token expires, it becomes impossible to terminate the Okta session.

I propose we return expired tokens (remove this conditional and the check here), but add the exp logic to our isAuthenticated method.

Originally posted by @jmelberg-okta in #80

Hello,

On iOS 11+ There is a popup that says " Wants to Use '' to Sign in".

This is in relation to SFAuthenticationSession which has the following footnote at https://developer.apple.com/documentation/safariservices/sfauthenticationsession

If an application uses SFAuthenticationSession, users are prompted by a dialog to give explicit consent, allowing the application to access the website's data in Safari. When the webpage is presented, it runs in a separate process, so the user and web service are guaranteed that the app has no way to gain access to the user’s credentials. Instead, the app gets a unique authentication token.

Is there any workaround we could have to get around having this UIAlertView pop up that is very breaking in user experience with logging in?

Thanks

Right now we send "X-Okta-User-Agent-Extended", but we should use "User-Agent" to be consistent with other libraries have have the ability to use this header.

I get errors validating tokens due to authentication does not happen against the authorization server for my app.
How can I set authorization server?
Any chance this is fixed in pull request #12 ?

Currently the OktaKeychain methods are not available due to being internal functions. At the very least, the get method should be public.

This creates the ability to:

1. Check for accessToken, idToken, or authState on app boot
2. Create a new OktaTokenManager object based on the stored authState (since it is currently only created on successful authorization)

In short, you should be able to show/hide the login via:

if let authState = OktaKeychain.get("oktaAuthContext") {
  // Set the current session based on previous auth context
  OktaAuth.tokens = OktaTokenManager(authState)
} else {
  // User is not logged in. Perform the login flow
}

Trying to login using code-supplied username + password, but it only works if I add the client_id and client_secret. Is PKCE implemented at all?

UPDATED I was going upgrade to the the 1.0.1 pod for our app, and when I installed the updated pod and made the required code changes, login no longer functions. Nothing happens. Even when using the given code sample. Neither print statement ever fires.

OktaAuth
 .login()
 .start(self)
 .then { tokens in
   print(tokens)
  }
 .catch { error in
   print(error)
  }

Here's my other pods and versions:

Using AppAuth (0.91.0)
Using BNRDeferred (4.0.0-beta.3)
Using CFAServices (0.2.0)
Using GoogleAnalytics (3.17.0)
Using HockeySDK (5.1.4)
Using HydraAsync (1.0.2)
Using KeychainAccess (3.1.2)
Using OktaAuth (1.0.1)
Using OktaJWT (1.0.0)
Using SwiftLint (0.29.3)
Using UrbanAirship-iOS-SDK (10.0.3)
Using Vinculum (0.2.0)

Pod name should be:
okta-sdk-appauth-ios

instead of OktaAuth

OktaAuth .login()

UserInfo={NSLocalizedDescription={"error":"invalid_client","error_description":"Client authentication failed. Either the client or the client credentials are invalid."}}}}

I'm really confuse. I'm sure what I input is right and client id is valid
Later, I tried by harding the email and password phrases, I can login successfully.
OktaAuth.login(m_email, password: mPassword)

I dont know why I cannot login by webview.
Anyone can help me?

We are moving our documentation towards "sign in" instead of "login". We should rename the .login() method in this library to match.

Additionally, since we are adding a non-browser way to sign in (in #82), we should differentiate these methods.

I think the login() method should be renamed to signInWithBrowser(). What do you think @jmelberg-okta @ayurok?

Example app crashes on iOS 11:
Library not loaded: /System/Library/Frameworks/AuthenticationServices.framework/AuthenticationServices

With #87, we are adding the ability to sign out of Okta (end the Okta session). We also need to add and document a method for signing out of the app (destroying the user's tokens). This method should:

1. Throw away tokens stored in the Keychain (i.e. clearAuthState())
2. Revoke access and refresh tokens

We should give developers the ability to skip (2) if they do not want to incur a network request. However, the default should be true (revoke).

Note that the user may have an access token and may have a refresh token, but they will not always have one or both. This method must check to see whether either of those token types are stored, and revoke them if they exist and if the developer did not pass a parameter to disable revocation.

                // Build the Authentication request
                let request = OIDTokenRequest(
                           configuration: oidConfig,
                               grantType: grantType,
                       authorizationCode: authCode,
                             redirectURL: URL(string: redirectUri)!,
                                clientID: clientId,
                            clientSecret: clientSecret,
                                  scopes: Utils.scrubScopes(config["scopes"]),
                            refreshToken: refreshToken,
                            codeVerifier: nil,
                    additionalParameters: additionalParams
                )

                // Build the Authentication request
                let request = OIDAuthorizationRequest(
                           configuration: oidConfig,
                                clientId: clientId,
                                  scopes: Utils.scrubScopes(config["scopes"]),
                             redirectURL: URL(string: redirectUri)!,
                            responseType: OIDResponseTypeCode,
                    additionalParameters: Utils.parseAdditionalParams(config)
                )

Change to:
redirectURL: URL(string: redirectUri.addingPercentEncoding(withAllowedCharacters: NSCharacterSet.urlQueryAllowed)!)!,

Currently, this repo contains both the SDK and a demo app. This gets a little confusing because it's hard to tell how they are separated. We are publishing https://github.com/okta/samples-ios soon, which will be a clear home for all samples going forward.

We should:

• Determine what a good test harness looks like in this repo
• Remove everything else sample-related

Please collaborate with @IldarAbdullin-okta to determine the best way to do this.

We are integrating Okta into our mobile applications. We are following resource owner password flow and okta sdk (https://github.com/okta/okta-sdk-appauth-ios).

In the documentation (readme) it says that If using the Resource Owner Password Grant, you must specify the clientSecret in Okta.plist. But it also mention that IMPORTANT: It is strongly discouraged to store a clientSecret on a distributed app. Please refer to OAuth 2.0 for Native Apps for more information.

So how can we set/update the clientSecret from the code (programmatically)? I could not find any method to set clientSecret in the SDK.

If we are using okta.plist, the how to changed the endpoints, clientSecret etc for different environments?

Some customers can't use the AppAuth pattern (opening a browser and handling a callback to the app) because they want to have complete control over the UI/UX of the login experience. In other words, they want to have a totally native, in-app UI for login. The SDK will need a number of improvements to support this.

Before building the full solution, we should build a demo to validate that the proposed flow against Okta makes sense. This demo does not need to use the existing SDK.

Here is the login flow:

1. Use an HTTP client to POST to the Authentication API. Send a username and password to perform primary authentication. The Authentication API will return a sessionToken.
2. Construct a request for the Authorization Code + PKCE flow. Include an optional parameter: &sessionToken= with the value of the sessionToken from the Authentication API response. Include scope offline_access to request a refresh token.
3. If the response has HTTP status code 302, parse the response headers to get the code from the Location header: {redirectUri}?code=foobar
4. Construct the code exchange request to get access, ID, and refresh tokens in the app.

I set everything up as per the readme file and it works as expected. However, when trying to run SWIFT UI tests, as soon as you click on the login or password field, XCODE crashes

The latest released version of AppAuth is 0.95.0: https://github.com/openid/AppAuth-iOS/releases/tag/0.95.0

These things are not currently documented:

• How to sign the user out of the app
• How to end the Okta session (after #87) is merged
• An example of how to get the access token from the tokenManager and use it when making an HTTP call
• How to pass additional parameters to the /authorize endpoint
  And we need to confirm that these things are removed from documentation
• Anything relating to resource owner password flow/client secret

After #82 and #81 are done, we need to build a sample app (like #78) that performs native sign-in using the new functionality we added to our libraries.

We should make sure we are not passing optionals here:
OktaLogin.swift#L53-L56

SDK should be able to store tokens securely via the iOS Keychain (w/ or w/o iCloud)

Hello,

I'm finding problems related to expired tokens.

Let's say I grab a token at 10am. That token expires at 11am (1 hour later) but I can use the refresh token to grab a new access token.

Example situations I've run into:

1. I kill my app at 10:15am and launch it again at 10:30am. In the OktaAuth.isAuthenticated() it properly loads the previously created access token as expected and the app works as normal.

2. I leave my app open until 11am, when I check the validity of my token. I see it has expired. I then call OktaAuth.refresh().then etc. etc. and as expected I successfully get an access token. Everything works great for my app until I kill it and launch it again. OktaAuth now has a problem retrieving tokens in the OktaAuth isAuthenticated() function even though I was able to successfully refresh the access token. It fails at unarchiving the Token Manager and thus I cannot refresh the auth token

3. After authenticating at 10am I close my app at 10:15am, with still an access token expiration date of 11am . I launch it at 11:15am, which would mean that my access token expired 15 minutes earlier, so I would expect to be able to use the refresh token to get a fresh access token, but as I found in the previous situation, upon trying unarchive the token manager it fails to set the tokens and thus there is no refresh token to use.

This has basically made our app very hard to use as the okta-sdk-appauth-ios has a hard time reloading it's tokens once they have expired on a fresh launch, thus causing each of our users having to log in nearly every time they use the app.

Have the Okta engineers validated that they are able to successfully refresh the app from a cold start with an access token expired?

Thanks

I've created this repo as a place for official iOS samples: https://github.com/okta/samples-ios

It will be modeled similar to: https://github.com/okta/samples-js-angular

• Create readme
• Create folder browser-signin
• Create folder native-signin (this will contain #83)

I just updated to 1.0.1 from 0.3.0, made the very minor code changes to accommodate the Hydra promise flow. Made the changes needed to the Okta.plist. Made the switch to point my pods to this repo, instead of the out of date Cocoapods version. And now "Sign In" is just hanging. I can put in the user name and password and then I get a permanent hang on this screen. At this point in the code, I don't have control of the screen, so I don't think the error is in my code. And I've confirmed everything is working as expected when I roll back the code, so I don't think there is something wrong with the service.

My only hunch is that it's something wrong with the callback into the app.

I'll keep digging.

Screen Shot

Remove HydraAsync code

We need to build an SDK for Swift that communicates with our Authentication API (https://developer.okta.com/docs/api/resources/authn). This will be in a new repo (https://github.com/okta/okta-auth-swift).

Here is an example of an existing authentication SDK: https://github.com/okta/okta-auth-java

The product and technical requirements for these SDKs is here:
https://oktawiki.atlassian.net/wiki/spaces/PM/pages/584942575/Authentication+SDK+product+spec
https://oktawiki.atlassian.net/wiki/spaces/eng/pages/463831327/Technical+Design+for+AuthN+SDKs

The requirements for the MVP are in https://github.com/okta/okta-auth-swift/issues

After adding pod 'OktaAuth' to my podfile and running pod install, I get the following error message:
Unable to find a specification for OktaAuth

how to use the okta in oc project

See #108, we aren't giving developers good error information if the plist is invalid.

https://devforum.okta.com/t/otka-integration-with-existing-objectivec-ios-app/1223

The OktaJWTVerifier.isIssuedInFuture return true if the iat is valid.

On OktaJWT.swift: is returning error when the iat is valid
Current code:
if OktaJWTVerifier.isIssuedInFuture(jwt.payload.issuedAt, leeway: self.validatorOptions["leeway"] as? Int) { throw OktaJWTVerificationError.IssuedInFuture }

Fixed Code:
if **!**OktaJWTVerifier.isIssuedInFuture(jwt.payload.issuedAt, leeway: self.validatorOptions["leeway"] as? Int) { throw OktaJWTVerificationError.IssuedInFuture }

File: OIDAuthState.h
Method: OIDTokenRequest *tokenExchangeRequest =
[authorizationResponse tokenExchangeRequest];

Kindly provide support for additionalParameters. Everywhere value is passed as nil.

Some developers need to pass additional parameters to the /authorize route (browser sign-in), such as:

• A login hint (the login_hint parameter, string)
• A state value (string)
• Any string name/value pair

Unlike values like issuer and scopes, these parameters will not be stored in Okta.plist. We should make it possible to pass parameters to the browser sign-in method.

Warning on Xcode 9.2

Remove the OktaAuth.login(username: string, password: string) method and any samples/documentation relating to configuring a clientId. #82 is the replacement.

Note: Please contact [email protected] for this feature.

How can I get the Okta SDK to work on mac? The current pod 'OktaAuth' is not compatible with OS X.

"(OS X 10.10) is not compatible with OktaAuth (0.1.0), which does not support osx."

On the class OktaAuth.swift, method authCodeFlow, when create the OIDAuthorizationRequest is not added the clientSecret.

To fix it, you have to get it:
let clientSecret = config["clientSecret"]

and then:
OIDAuthorizationRequest(configuration: oidConfig,
clientId: clientId,
clientSecret: clientSecret,
scopes: Utils.scrubScopes(config["scopes"]),.....

Copied from the devForum:

When calling isAuthenticated method, it is crashing at

guard let previousState = NSKeyedUnarchiver
.unarchiveObject(with: encodedAuthState.value) as? OktaTokenManager else { return false }

It seems to crash when access token is expired because whenever I call the method after fresh install, get access token, it works well. However after an hour (that’s when our token expires), it crashes. Only way to get around is to reinstall the app which means this SDK cant be used at all.

Mark the OktaAuth.login(username: string, password: string) as obsolete/deprecated and remove documentation after adding #82. It will be removed fully in #84.

When AppAuth supports logout, we'll support it in this library (#7). In the mean time, it would be useful to have the option to forcibly ignore whether the user already has a session on the server (adding the prompt=login parameter on the /authorize request).

We should add a boolean forceLogin parameter to the login() method.

SDK should be available from the Carthage dependency manager.

The SDK should provide a method to easily do the flow described in #78.

First, a Swift client for the Authentication API needs to be created. This work will be done in okta-auth-swift (see #81).

Then, this library must expose a method to start a sign-in request and pass the username/password directly. We will deprecate the existing login(username: string, password: string) method. This method will kick off the flow described in #78. This will result in one of two things:

1. Login was valid and resulted in tokens. Like the existing login method, this should automatically store the tokens. Allow the developer to segue to a new view.
2. The transaction response did not contain status SUCCESS, or some other error occurred (e.g., network error). Allow the developer to access the error object, or handle the status.

The result is that a developer can build their own native sign-in UI, use this new method to perform the sign-in flow (with no browser popup), and store tokens on the device.

Please update to support Swift 4.2.

Write tests for OktaKeychain.swift

As a developer, I want to trigger Okta to log in the user with Google using the idp parameter with app auth, so my user doesn't need to view a page to just click on another button