SSO between apps and across app restarts in iOS 11

ios

#1

Hello,

I am experimenting with Okta and the “okta-openidconnect-appauth-ios” test program to see what Okta can do on iOS 11.

I have set up the test program and was able to log in and get tokens, as well as see the user info, etc.

However, when I restart the app, or try to do the same thing from another app linked to the same clientID, I only see the username field filled in, and password is blank.

I was under the impression that I should be seeing SSO (meaning I don’t have to re-enter my password) in these cases.

Is there something I need to specially configure to support this?


#2

Hmm, I think that sample is a little bit stale, I would be curious if we are seeing the same behavior on:

That library has been updated for iOS11, I’m unsure if there is additional work needed to support SFAuthenticatedSession.

@jmelberg ^ :slight_smile:


#3

Tom,

Thanks very much for the suggestion. Unfortunately the app you referred to has the exact same behavior: the name is auto-filled but the password is blank (even though I have chosen ‘remember me’). The SSO does work if I clear the token and try to Login again without killing the app.

So I guess nobody has tested this on iOS 11 yet?

Let me know if you have any other ideas as I really wanted to see Okta working with iOS 11 (ideally OIDC).


#4

I did some more research and confirmed cookie sharing is working on iOS 10.

I also found a post that indicates other people are having problems with cookie sharing on iOS 11, so I guess it is an Apple bug:


#5

Hello Tom,

I tried again with 11.2.5 with the latest app (https://github.com/okta/okta-sdk-appauth-ios) and am still seeing the issue.

Are there any known issues with the test app or related APIs?

Thanks


#6

@jmelberg any thoughts?


#7

Hey @locksleyu & @jeffwi! Sorry for the delay.

When iOS 11 was released, internal teams at Okta decided to not persist an Okta session when using SFAuthenticationSession. This is a huge blocker for native SSO use cases, and our team is working on getting that changed now.

In the meantime, you could enable iOS keychain sharing to your apps by using access groups. This will allow sharing a user’s accessToken + idToken across apps. I’m working on making this easy with the next version of okta-sdk-ios-appauth.

I’ve created an issue here - so please feel free to follow along to get the most up-to-date information.


#8

Hello,

Just checking to see if there has been any progress with this. Also, wanted to see if anybody was able to achieve a workaround with access groups. If so, how? Thank you.