iOS SSO with ASWebAuthenticationSession and SFSafariViewController


We have a native application that we're prototyping which needs to:

  • Authenticate a User to fetch an Access Token as a public client via OIDC (OAUTH2)
  • Render Web Content, in-app, from our web site which is protected by the same IdP (Keycloak) as the access token was fetched from above.

We are using the AppAuth library and it is following the best practices of RFC 8252 by using an external user agent so that the native application cannot snoop on the user credentials. Being iOS 13+, it is using ASWebAuthenticationSession. This part is working perfectly for us.

We are having problems when trying to then access our protected site via SFSafariViewController. The cookies set by the IdP from ASWebAuthenticationSession are not visible. This is the case no matter if the cookies are session or persistent cookies. As such, the user must authenticate again.

I'm highly confused about the state of cookie sharing of various types (persistent vs session) with the various versions of iOS and the various methods (ASWebAuthenticationSession, SFSafariViewController + WKWebView). There seems to be no definitive matrix that I've been able to find.

From spending time researching, it feels like with the present cookie restrictions on iOS (for security + privacy [good things!]), I can't accomplish what I want. This feels like such a common thing to want to do, I'm hoping I'm doing something wrong.

A couple of questions thus follow:

  1. Can persistent and/or session cookie sharing across ASWebAuthenticationSession and SFSafariViewController be allowed in the same app?
  2. If not, are there alternative approaches/patterns?

Thanks!

2

There are 2 best solutions below

2
Justin DiStaulo On

As of iOS 16 there is no way that I know of to share cookies between ASWebAuthenticationSession and SFSafariViewController.

The workaround I have put in place for my own SSO implementation is to use SFSafariViewController for both the initial login and for subsequent browsing from within my app.

The only major downside to this approach that I have encountered is that the cookies persisted by the SFSafariViewController are only available to SFSafariViewController, meaning if the user opens the Safari app they will need to re-authenticate (as opposed to ASWebAuthenticationSession, which does share cookies with the Safari app).

I really hope Apple makes improvements to their documentation and implementation regarding SSO.

0
Paula On

Had the same problem. Wasn't able to find a way to open our protected site in an SFSafariViewController as well. What worked was opening an ASWebAuthenticationSession instead.

We're in SwiftUI, and just had to use BetterSafariView to open our protected site in a WebAuthenticationSession as such:

.webAuthenticationSession(isPresented: $webAuthenticationSessionIsPresented) {
    WebAuthenticationSession(
        url: <protected_site_url>, 
        callbackURLScheme: nil) { callbackURL, error in 
        // handle callback here
    }
    .prefersEphemeralWebBrowserSession(false)
}
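
The same approach without a wrapper library, as an added example that is not code from either answer, AppAuth or BetterSafariView: it opens the protected page in a non-ephemeral ASWebAuthenticationSession and treats the user closing the sheet as a normal end rather than an error. `ProtectedSiteBrowser`, `BrowserError` and `onClose` are hypothetical names, and it assumes the earlier login session was also started with ephemeral browsing turned off.

```swift
import AuthenticationServices
import UIKit

// Hypothetical error for the case where the system refuses to start the session.
enum BrowserError: Error { case couldNotStart }

// Hypothetical helper: shows a protected page in ASWebAuthenticationSession so the
// page loads with the browser cookie store that the login session also used.
final class ProtectedSiteBrowser: NSObject, ASWebAuthenticationPresentationContextProviding {
    private var session: ASWebAuthenticationSession?  // strong reference keeps the session alive
    private weak var anchorWindow: UIWindow?

    init(anchorWindow: UIWindow) {
        self.anchorWindow = anchorWindow
    }

    func open(_ url: URL, onClose: @escaping (Error?) -> Void) {
        let session = ASWebAuthenticationSession(url: url, callbackURLScheme: nil) { [weak self] _, error in
            self?.session = nil
            // With no callback scheme the session only ends when the user dismisses
            // the sheet, which is reported as .canceledLogin. Treat that as a normal close.
            if let authError = error as? ASWebAuthenticationSessionError,
               authError.code == .canceledLogin {
                onClose(nil)
            } else {
                onClose(error)
            }
        }
        session.presentationContextProvider = self
        // false = use the shared browser session. true would give the page an empty,
        // isolated cookie store and force the user to log in again.
        session.prefersEphemeralWebBrowserSession = false
        self.session = session

        if !session.start() {
            self.session = nil
            onClose(BrowserError.couldNotStart)
        }
    }

    // Required by ASWebAuthenticationPresentationContextProviding (iOS 13+).
    func presentationAnchor(for session: ASWebAuthenticationSession) -> ASPresentationAnchor {
        return anchorWindow ?? ASPresentationAnchor()
    }
}
```

Because this session shares browsing data with Safari, signing the user out of the app does not clear the IdP cookie; the logout flow has to end the session at the IdP as well.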