I am working on an enterprise iOS application. There will be multiple applications from the enterprise.
Wanted to check if Touch ID can be used as an SSO, so that the
user is authenticated for one of the enterprise app using Finger Print only once and other enterprise apps does not need to login again.
Is there any API for Touch ID that can be leveraged by other enterprise apps for this purpose.
Let me know if I need to share any other information.
Thanks in advance!
An app can use TouchID in one of two ways -
There is an API that returns a yes/no that indicates whether a valid finger print was presented when prompted. This could be used if you wanted the user to authenticate to the app locally. A "secret diary" app might use this for example
There is a second API that allows the use of TouchID to retrieve a value from the keychain. An app that requires authentication to some back-end might use this; The TouchID authentication is used to retrieve the username/password from the keychain which is then presented to the back-end. The user must log in manually the first time (and any time the password changes). If you have several apps that share a keychain via group entitlement then the credentials could be retrieved by any of those apps, but the user would need to use TouchID each time the credentials were retrieved. You could potentially achieve SSO across apps by using a federation protocol like OAuth/WS-* and sharing the session details so that the user only needed to TouchId the first time (and subsequently when the session expires)
Related
I'm pretty newbie in iOS development but I'm trying to figure out how to organize the authentication. I need the authentication because of 2 reasons:
In-app purchases
User can add his or her own data into common database.
I supposed that as soon as user downloaded my app he or she will be easier to use the Apple id to authenticate but I have no idea if it's possible to use Apple id in this situation and how to organize this authentication on my server.
For information: I'm going to use Node.js as a backend with MongoDB, hosted on Windows Azure portal.
The workflow is:
User downloads and runs my app
User uses it (without any authentication so far)
If user wants to add his new data and share it the data should be
sent to the server and user must enter some credentials.
User enters Apple id credentials (and user name under he wants to
share data?) and sends his data to the server.
Further if he wants to do app-in purchase he uses the same
credentials.
If it's even possible? If I can't use Apple credentials to send data to my server, if it's possible to use other credentials (my email, or OAuth) to make app-in purchase? I don't like to idea to make user enter different credentials twice.
Thanks!
I'm working on an iPhone app that is logging into a webservice and it's been asked of me to get the account login management into the settings page (i.e. next to Twitter, Facebook and Vimeo). From what I've been reading about the accounts framework, it appears that only those few companies have that ability.
I currently have it set up and working asking for login info periodically and polling the webservice for validation, but we're trying to move toward supporting moderately offline use, which means we need to have some sort of account info managed on the phone itself.
Can I use the built-in account framework for our own login credentials or is that not something that's available to a regular dev and I'll have to look for another way to do it on my own? Is that something that the keychain would be better for?
Using the keychain to securely store the users credentials is a good idea to start.
If I am understanding your question about a "built-in account framework", I don't believe there is a local framework for account management on the device itself that I am aware of that would be useful in this circumstance.
I've had to build an app that needed to authenticate to a web service that also needed to have some offline access. I ended up recording the validated authentication date and time in the NSUserDefaults and would let the user use the app for a 48 hours period before they had to re-authenticate. Their data was queued locally and when they had online access again, I would re-authenticate and then sync the data. Not the most elegant solution but it fit the project.
I used AFNetworking (http://afnetworking.com) to track the changes in network access and used to blocks to respond to the changes.
In general, what's the best practice to authenticate a user via 3rd party (say Twitter) using iOS's ACAccountStore and then tie it to an existing user in my own service assuming that they were logged in already? Can I access and store the account credentials remotely over ssl, or is there a better way?
And if they had to re-login via Twitter, I could just search for the user with that twitter handle to know what backend user is tied to this account, yes?
And lastly if I wanted to be able to login via a browser later on, I would get new oauth credentials for the webapp as well, but could search for a user with the same Twitter account info and store these credentials as well, and know that they all refer to the same person, correct?
What you're asking involves many levels of a system "stack" that are custom to a particular environment. What is "correct" vs "incorrect" is dependent upon the environment you've set up and are connecting to from your iOS app.
So from what it sounds like you're leveraging iOS's Twitter functionality to create a Single Sign On (SSO) experience. There are several guides on Twitter's site for doing what you want to accomplish:
Integrating with Twitter on iOS: Single Sign On
Using Reverse Auth to Get OAuth Tokens on iOS - you can then store these server-side
Migrating tokens to system accounts - how you get OAuth tokens from your webapp to iOS.
I am building a backend for ios apps, that support login in different networks.
Once the user login in to the network the client tells the news to the backend, and this could offer a list of worlds that the user might play, or even delete old worlds.
One way to steal another person's world is by saying that you are his social network id.
To solve that with facebook, we force the client to send us the fb_token, a token provided from facebook to the client, that we use in the backend to ask facebook if that specific user is the one that he told us to be.
If apple doesn't provide a way to validate this I understand that if an iOS app wants to use game center, it is directly forcing the app developer to also use iCloud because apple can validate the user credentials.
Did apple provide any way to validate user credentials?
The client on iOS can retrieve info about the currently logged in player in GameCenter, which has nothing to do with iCloud.
If you want to use iCloud to authenticate, you might have a different player than the one you wanted.
I think the solution is for the client to retrieve the player info in GameCenter, and send it to your server in an encrypted fashion (say HTTPS), including a timestamp and possibly other dynamic information. This way you'll know that the user info is being sent from the client app itself and there is no man-in-the-middle. That's really the issue that you are struggling with: how to ensure that client-server communication is secure.
The app should be uploading videos from iOS devices directly to our own YouTube account (not user's account).
In every scenario I came across you need an Access Token that you can get only from user logging in through OAuth2 (window popping up). Obviously, we can't give everyone username and password from company account. I was imagining using some key that uniquely identifies the app and YouTube user account to use.
Any solution / pointer? Thanks.
I ended up using deprecated Client Login. We still need to figure where to store passwords (either in the client app, or fetch them from backend every time), but that's already a huge progress.
Unfortunately, Google says Client Login will be removed in 2015. We can just hope they'll come up with non-interactive auth method requiring no user interaction by then.