Security concerns for using FBSDKLoginManager for IOS - ios

According to Facebook docs, Facebook login for IOS provide "FBSDKLoginManager" - which directly call into the API to perform login or additional authorizations with your own UI.
https://developers.facebook.com/docs/facebook-login/ios#login-apicalls
If an application uses its own login UI, it can potentially steals user credentials typed into it. That seems violates the purpose of OAuth2.0/OpenID to make authentication mechanisms and credentials independent from the client/app.
I'm wondering why there is a "FBSDKLoginManager" and what is the right use case for it?

The phrase "with your own UI" was referring to the UI elements that trigger the login flow (such as a custom login button). The authentication exchange still occurs over Facebook UI (i.e., the login manager will typically app switch to the native Facebook app if installed, or to the Safari browser).

Related

Application that uses another for authentication - anyway to circumvent using their login page?

I'm writing an application (AppA) that relies on another application (AppB) to verify authentication (since ultimately AppA runs utilities against AppB - and is used by users of AppB).
AppB implements OAuth 1.0a. We can use OAuth to authenticate against it by re-directing users of our app to the AppB login screen, and once they login they are returned to our application.
However, if possible it would be good to present our own login interface instead of using AppB's. Is there anyway to do this safely? I know we can intercept their credentials and pass it to AppB in the background and login for them, but this seems frowned upon, and wondering if there is any way or mechanism to do this safely? Or is this something we should not do at any cost and the login redirect is the only real method with OAuth 1.0a?
Thank you,

iOS w/ native Okta login - open link in embedded WKWebView

I have an iOS app, using a native login, based on the custom example.
This works perfect and I am happy with it.
I have a requirement to open an embedded WKWebView within my app, that SSO’s a user in.
The url looks something like this:
https://{my-okta-org}.com/app/{some-okta-app-id}/exkms5nzsh0tD0kO10h7/sso/saml?RelayState={some-relay-state}
When I launch this however within my web view, I am redirected to an Okta login page. I would expect this really as the embedded view has no context of the authenticated session.
How can I set my session against this webview without asking the user to sign in again? As I have used the native login, I do not have a cookie set, so I suspect I will need to request one but am unsure of the flow required in this case.
I would recommend to not use WKWebView for SSO 1.Not secure, using javascript you can get user login and password 2.Cookies not share between your session and Safari(you are loosing all SSO magic) 3.WKWebView has problems with cookie synchronizing Apple thread and you need manually manage your cookies

Via the api, can I force the user to login to reddit?

I am writing a Reddit client that uses OAuth to authenticate the user. One of the features I would like to implement is the ability to use multiple accounts simultaneously. This requires the user to authorize my client on each account they want to use. The problem I'm running into is that if the user is already logged into Reddit in their browser, when I pop a browser to perform the auth, it will have them authenticate my client against their currently logged in user.
Is there a way to force the user to re-enter their credentials? I would rather not have to put some kind of disclaimer on my Add Account screen that says "Please log out of Reddit in any open browser windows".
I tried opening the Reddit login page in a WebView so the request is sandboxed, and while that worked, it gives the user access to the entire login page (including all the links that navigate to elsewhere on the site). I don't mind that experience when I'm popping an external browser, but in an embedded WebView I really just want to present a username and password box along with the OAuth validation prompt.
Note: I do kind of prefer the embedded experience because it doesn't interfere with the users existing browser cookies, I just don't like how cluttered the login page is this way and I'm not sure how to prevent the user from navigating away from login. Also, for completeness, this is a UWP app, though this problem is largely technology independent.
The problem I'm running into is that if the user is already logged into Reddit in their browser, when I pop a browser to perform the auth, it will have them authenticate my client against their currently logged in user.
It may be caused by the authorization server. If so, we can not do anything in our client app.
But if it is not the server issue, in UWP, there is a WebAuthenticationBroker class witch can help you to authorize your app to access the user info from Resource server by getting a token. You can try to use the class to implement OAuth authorization. You don't need to use the in a WebView so that you can authorize your app with multiple users if you can manage all the user with the token properly in your code logic.
See the Web authentication broker topic and the sample to learn more details.

How to know user has already done Facebook login at iOS app

I am developing iOS App which use Facebook iOS SDK 4.
When user has already done Facebook login, by doing Facebook login the dialog which shows "user has already approved your app" had be displayed.
So, do not show the dialog. I want to know whether the user has already done Facebook login.
Anyone know the good way? I think accessToken is returned if user once had done Facebook login.
FBSDKAccessToken manage current logged user's accessToken.
According to official Facebook Login guide
"FBSDKAccessToken Represents the access token provided by a successful login. Most important, it provides a global +currentAccessToken to represent the currently logged in user."
The currentAccessToken is a convenient representation of the token of the current user and is used by other SDK components (like FBSDKLoginManager).
According to above you can check either user has valid accessToken or not and based on this you can track call login method otherwise just skip to next flow.
In Facebook the access tokens are per user so you can pass them around apps and they will work. In your case if you can ship an access token from another app you will be able to skip the next logging in and use the API normally.
However I think this this thread will help you.
Things are a little bit different with iOS cause I have done a facebook login on Android and got no such issues.

Force Authentication in Facebook

we are running into an issue that once our users are login in the app and are authenticated thru the oauth flow the authentication page is never being displayed again, in that way user cannot switch account if needed. We are using a popup display mode (which does not provide options to switch user) and "switch user" small button in top right side of the screen is not appearing in our mobile small screen devices (as Iphones). We tried the auth_type=reauthenticate but it does not provide any option to switch user in popup mode either. We can´t control user´s cookies as well so there is not how to delete them. Is there any way to always ask user to reathenticate during all oauth requests allowing user to switch accounts?
If Facebook has implemented OpenID Connect correctly, try to add prompt=login or prompt=select_account to your authorization request. See "3.1.2.1. Authentication Request" in OpenID Connect Core 1.0 for details.

Resources