As of iOS 11, I'm seeing a new login flow when using FBSDKLoginKit and FBSDKCoreKit. I realize apple's recent change(s) to how apps talk with each other re: facebook credentials mean we first have to go through safari during the authentication flow... but for some reason I'm seeing the below alert dialog (see first and second screenshots) even though in other apps that feature facebook login, I'm able to go directly to facebook.com and am then offered the choice to either authenticate through the native Facebook app or log in with email/password (see second screenshot).
Does anyone know why I'm seeing this flow on my app but am seeing a different flow on pretty much every other app that I've looked at that's implemented facebook login? I've followed the flow listed on https://developers.facebook.com/docs/facebook-login/ios so I'm pretty much stumped. Thanks in advance.
You can try changing the loginBehavior of the login manager. See https://github.com/facebook/facebook-ios-sdk/blob/master/FBSDKLoginKit/FBSDKLoginKit/FBSDKLoginManager.h#L72. That alert is part of iOS 11' SFAuthenticationSession auth flow.
/**
This is the default behavior, and indicates logging in through the native
Facebook app may be used. The SDK may still use Safari instead.
*/
case native
/**
Attempts log in through the Safari or SFSafariViewController, if available.
*/
case browser
/**
Attempts log in through the Facebook account currently signed in through
the device Settings.
#note If the account is not available to the app (either not configured by user or
as determined by the SDK) this behavior falls back to \c .native.
*/
case systemAccount
/**
Attempts log in through a modal \c UIWebView pop up
#note This behavior is only available to certain types of apps. Please check the Facebook
Platform Policy to verify your app meets the restrictions.
*/
case web
This is an intended behaviour, confirmed to me by Apple & Facebook. It's the implementation and flow of SafariViewController authentication, it's documented by Apple too (the system alert) & the third screenshot you post it's most probably an app using an old version of Facebook SDK. Please checkout this post I opened some weeks ago with the same UX you describe, then you'll find more comments & links to the proper documentation. You can not do nothing in your code to prevent the system alert to appear, unless you downgrade the FB version.
Related
My current scenario is:
Running an iPhone on the latest iOS
LinkedIn App is installed and logged in
Web browser is NOT logged into LinkedIn (because I have the app)
Developing a web app with "log in with LinkedIn" functionality
On the iPhone, clicking the "log in with LinkedIn" button redirects me straight the the LinkedIn App, which subsequently does nothing - just shows me my feed. I have verified this same behaviour occurs on a third-party site as well as my own. Note that Android exhibits similar behaviour, though I haven't tested as extensively there.
I've found several workarounds:
If I open the web site in Private Browsing mode clicking the login button asks me if I want to open the App or stay in the browser.
If I long-press and "Open in background tab" the login button it'll open (in the background, of course) instead of redirecting to the app, allowing me to log in.
If I manually type "linkedin.com" into the browser and log in then it seems to work too.
None of these are even vaguely practical for end users, essentially forcing us to remove the option entirely.
I'm fairly sure this is a problem at LinkedIn's end and the solution is either:
Don't redirect to the App for OAuth Authorize requests, or
Make the App correctly handle OAuth Authorize requests.
If I'm incorrect and there's some way we can stop this redirect from the client side I'd be happy to hear, otherwise I hope LinkedIn engineers actually see this...
See the comments in Issues with Linkedin Social connection
LinkedIn already confirmed that it is a problem on their side.
I'm planning to switch an app from the old OAuth flow with the SFSafariViewController to the new flow with iOS 11's SFAuthenticationSession. Logging in isn't an issue, the transfer to the new API took me a few minutes to implement. However logging out has me baffled.
How?
I can't find any mentioning of wanting to offer the option of logging out anywhere in the docs. Using the old SFSafariViewController to invalidate the cookies? Nope, they're not shared anymore with SFAuthenticationSession. As soon as I restart the authentication session the user get's logged in automatically and there's no way out. So how to enable logging out? Or am I simply overlooking something completely obvious?
Update:
I found a "way that works" in a technical sense, but it's bonkers for the user: Open a new SFAuthenticationSession on the logout page that clears the cookie. But that means when logging out the alert view asks the user again whether he'd like to log in via the service. If yes is selected ("logging in"), the cookie clearing logout page is opened, the user has to manually dismiss the view, which can be caught by the completion handler and we know we can open the login view again.. displaying the login prompt to log out? I really don't like this solution.
Any ideas? Am I still overlooking a completely obvious solution?
Update 2: As no one has any clue about this issue so far, this is probably not an easy one. I have filed a suggestion with Apple via their report tool to either clarify how to handle this or build it into the API if not available. Will post if I get an answer.
Update 3: After pondering the issue a bit more we found another possible (although also unattractive) solution if you can influence the login page of the OAuth provider: make cookies very short lived. Then the login page can be opened without automatic log in. However this kills the whole purpose of sharing login sessions between apps.. and you need to be able to influence the login page.
Update 4: Since iOS 12 SFAuthenticationSession is deprecated and got replaced by ASWebAuthenticationSession. However ASWebAuthenticationSession does not change anything in regard to logging out. It's still not possible. Same issue as before.
With ASWebAuthenticationSession, setting .prefersEphemeralWebBrowserSession to true prior to calling .start() will force the user to enter credentials in the browser session. While not the same as logging out, this will allow a new user to login with different credentials when launching the next session.
Update November 2020: We used #react-native-community/cookies to clear cookies as a workaround. See the snipped below as an example.
import CookieManager from '#react-native-community/cookies';
CookieManager.clearAll().catch(e => alert("Error deleting cookies during logout"))
Previous answer from April 2020. This may be helpful for anybody struggling with this. I've spent few hours testing different options, going through apps and looking how they do it and reading forums/discussions.
I haven't find a way to programatically clear cookies and there is no documentation on Apple on this.
Using FB as an example. Logging out from Safari and deleting FB app doesn't help. Any app which is downloaded will not ask for login to FB if you logged in once before through ASWebAuthenticationSession or SFAuthenticationSession.
If users ask how to force login (even though it's not your problem as a developer) you can point them to: Settings -> Safari -> Advanced -> Website Data -> Remove All Website Data (or just the ones for the provider).
If your use case needs switching of users (like in my case where we use Azure AD and users share 1 phone) you have 2 options. A) Open ASWebAuthenticationSession with the logout endpoint (as mentioned, this is very weird UX). B) Open Safari as a separate app (not inside yours) and do login/logout there. Unfortunately, there is no way to redirect the user to your app after logout if the OAuth provider doesn't support redirect on logout.
It sucks because this prevents developers from creating nice experiences on iOS for use cases where a business needs to share device between multiple users and OAuth is used as identity provider.
One of the “best” solutions I have come across is to open a logout page in system Safari (not an SFSafariViewController). Because ASWebAuthenticationSession shares cookies reliably with Safari, the expired/deleted cookie then also affects the app.
See this GitHub page for more details.
It depends on which cookie stores your login info;
If it is a session cookie, then it is not shared with Safari as per https://developer.apple.com/documentation/authenticationservices/aswebauthenticationsession
So, simply clear your local session, and the cookies will be cleared on the next app launch.
If not, and the cookie persists, then like Martin said above, you should open Safari (not SFSafariViewController) with your logout URL, then redirect back to your app.
Please let me know if you need more info. I have tested extensively with all 3 ways of authentication (ASWebAuthenticationSession, Safari, and SFSafariViewController).
For iOS 13.0 need to add SceneDelegate.swift for UISceneConfiguration
Also need to update appdelegate for UIScene implementation
Add UISceneSession Lifecycle
It is working fine this way SFAuthenticationSession issue resolved.
In one of our apps, we've already started using ASWebAuthenticationSession.
Our use case for this goes beyond just retrieving access and refresh tokens upon login. What I mean by this is, the same session cookie is used when opening the web app (whilst logged-in to the iOS app) in order to save the user from re-authenticating themselves again and again. Eventually, time comes when the user finally decides to log out of their account and may thereafter attempt to re-login again using a different account. Since the user's session cookie may still be alive by then, any re-login attempt only flashes the authentication screen momentarily, logging them in automatically back to their first account without giving them a chance to enter the credentials of the second account.
To really force the user to enter their credentials every time we present the authentication screen, we have to add to our Auth0 query params the prompt=login pair.
Here's what the URL would look like:
https://example.auth0.com/authorize?
client_id=abcd1234
&redirect_uri= https://example.com/callback
&scope=openid profile
&response_type=id_token
&prompt=login
You can find more info about this on this Auth0 doc: https://auth0.com/docs/authenticate/login/max-age-reauthentication
On iOS 11, Apple introduced a new way to share auth data between the web and a Mobile App with SFAuthenticationSession.
It would be a bad user experience to show the SFAuthenticationSession prompt to every new users - that might have never used my website - to have them agree and then get nothing out of it and have ask them to login.
The documentation is pretty empty on Apple side. This is the only example I found.
Is there a way to know if there is a cookie available before showing the SFAuthenticationSession prompt? Or maybe, with the Associated Domains enabled, when authenticating with my domain, the system should not show the prompt?
No. Even if there aren't cookies, the user can login entering his username/password and then clicking on "Login"/"Enter" on the website (E.g: Facebook, Instagram).
Accessing the cookies won't be enabled:
When the webpage is presented, it runs in a separate process, so the user and web service are guaranteed that the app has no way to gain access to the user’s credentials. Instead, the app gets a unique authentication token.
Official docs
Working example for Instagram-OAuth: https://github.com/dvdhpkns/SFAuthenticationSession-Instagram-Oauth
And the GitHub repo you added was posted by the author to send a bug report about errors in cookie sharing for local servers (rdar://33418129. Original tweet)
Are cookies shared between Safari and SFAuthenticationSession?
#DVDHPKNS
They’re supposed to be shared, but we have some timing bugs right now. Please do file bugs about what you’re seeing.
#rmondello (Apple employee)
P.S: They added more information to the docs since your original post date.
I have used latest FB SKD in my iOS app so users can use facebook account to login. Application open the FB app and comes back to my app perfectly fine. However, in some place in the app, i have to show/pull some people facebook page (safari based using WebView), but even user already used the Facebook account to login into my native ios app, but the page still ask user to login again and when they click login, it shows them the annoying FB username/pass page.
Is there anyway, that the FB safari based page can authenticate the user since it's already logged into my app using FB integration? do i have to include query or something. Please give me details how to solve this problem since i'm new in this..
thanks again for your help...
pic: https://www.dropbox.com/s/rjlptu7ufpcq3vl/fb.png
When the user switches to Facebook app to authenticate, it doesn't create a cookie for your UIWebView which is why it's asking to login again. Have the user authenticate inside the UIWebView without switching to the Facebook app.
What you're talking about also sounds like a similar thing that happens with Facebook dialogs not knowing about the current Facebook session.
If you authenticate your user via Facebook, try saying the Facebook object itself as an instance variable somewhere in memory so you can access it again (a property on a singleton controller, perhaps?).
Spawning dialogs from an authenticated Facebook object appears to let them use the dialog without reauthenticating iff you have a [FBSession activeSession]. So you'd also have to maintain an active FB session. But I'm not sure if this kind of solution will work since you didn't show specific code for how you're doing your web-based FB fetches.
This question might also prove helpful:
Implement Login with Facebook in iOS 5 and 6
I found two different FaceBook auth dialog while using two apps one is "Poker by Zynga" and other one is I am developing.
When I use FaceBook login in "Poker by Zynga" then Safari opens this page:
And when I use my app which is under development now, then Safari opens this page:
You can see both of these are two different pages. In Poker by Zynga, it says "Logged in as Vicky Gupta - Log Out" where user can choose Log Out to sign in as a different user. While in my app it says "You are logging into this app as Vicky Gupta", in this there is no Log Out button. The only way to log in as a different user to open FaceBook in Safari and then log out from there.
Does any one know why this difference is occurring ? am i missing something in FaceBook app settings? Or is this a normal behavior because I don't think so?
Note: I am using the latest FaceBook SDK (with graph api).
If you are using latest iOS Facebook SDK, I think to logout a user you just have to delete the token obtained by the Facebook main object.