User registration and authentication service for iOS app - ios

I have completed my iOS app and now want to have user registration and authentication functionality.
When the user opens the app it must ask them to register or log in, and then when the app closes it logs out. I want to send their basic details to my server, e.g. name, location.
Is this allowed by Apple, and does anyone know of a service that I could use as opposed to reinventing the wheel?

It is allowed by Apple.
There are apps on the App Store that do not implement their own register/login mechanism. Those apps ask their users to log in via Facebook. So any user who has a Facebook account can log in to your app using their FB credentials. You would have to use the iOS SDK provided by Facebook.
It is always better to provide multiple login options to your app users, instead of just relying on Facebook or any other provider. Allow users to log in via Gmail, for example.
Adding support for OpenID is another good option. OpenID is an open standard that describes how users can be authenticated in a decentralized manner, eliminating the need for services to provide their own ad hoc systems and allowing users to consolidate their digital identities. Users may create accounts with their preferred OpenID identity providers, and then use those accounts as the basis for signing on to any website which accepts OpenID authentication.

Related

App not showing in Google's manage third party apps section of user when users login using "Sign in with google"

I am providing sign in with Google functionality on my application. Users are able to successfully log in using that, but my application is not showing in the "Manage third party apps" section of the user's Google account when they log in. So they do not have an option to revoke access for my app. Any ideas on what I am doing wrong here? I want my app to be listed in users' "Manage third party apps" section when they log in successfully.
I think you are misunderstanding what third party apps is. You may want to consult Manage third-party apps & services with access to your account
For example, you may download an app that helps you schedule workouts with friends. This app may request access to your Google Calendar and Contacts to suggest times and friends for you to meet up with.
Third party apps use OAuth2 to request your consent for the application to access your data. When you consent to this, the application in question is given a token (refresh token) which will allow them to access your data until you revoke that access. They can access this data without you being there. So they could have something running every night to harvest your data. They have access even when you are offline. The way you revoke it is through the security page on your Google account.
Sign-in does not grant any access in that manner. For sign-in to work, the user must be behind the machine when it is running. The application you signed into can't access your data when you're offline.
There is no way for you to know which applications you have signed in to using your Google account, unless they also requested some OAuth2 consent.
So again, sign-in is OpenID Connect and does not by itself make it a third party app. They have no access to your data after you are gone. Sign-in only works when the user is behind the machine.
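The distinction the answer draws, as an added example that is not part of the original answer: an OpenID Connect sign-in request asks only for identity scopes, while a data-access request adds account scopes and `access_type=offline`, which is what makes Google return a refresh token. The endpoint URL and parameter names are Google's documented ones; the client ID, redirect URI, state, nonce values and the two token responses are constructed sample data, and `grants_offline_data_access` is a helper written for this example, not a Google API.

```python
"""Added example: sign-in (OpenID Connect) vs. data-access (OAuth2) requests to
Google, and a check on the token response for the kind of grant that shows up
under "Third-party apps" (a refresh token plus at least one non-identity scope).
Client ids, URIs, state/nonce and the token responses below are made up."""
from urllib.parse import urlencode, urlparse, parse_qs

GOOGLE_AUTH_ENDPOINT = "https://accounts.google.com/o/oauth2/v2/auth"

# Scopes that only identify the user (short names as requested, full names as
# Google echoes them back). A grant limited to these is sign-in, not data access.
IDENTITY_SCOPES = {
    "openid", "email", "profile",
    "https://www.googleapis.com/auth/userinfo.email",
    "https://www.googleapis.com/auth/userinfo.profile",
}


def build_signin_request(client_id, redirect_uri, state, nonce):
    """Authorization URL for sign-in only: identity scopes, no offline access."""
    params = {
        "client_id": client_id,
        "redirect_uri": redirect_uri,
        "response_type": "code",
        "scope": "openid email profile",
        "state": state,   # binds the redirect to this browser session (CSRF)
        "nonce": nonce,   # echoed back inside the ID token; reject replays
    }
    return f"{GOOGLE_AUTH_ENDPOINT}?{urlencode(params)}"


def build_data_access_request(client_id, redirect_uri, state, data_scopes):
    """Authorization URL that asks for account data and a refresh token.
    access_type=offline is what makes Google issue the refresh token."""
    params = {
        "client_id": client_id,
        "redirect_uri": redirect_uri,
        "response_type": "code",
        "scope": " ".join(["openid", *data_scopes]),
        "state": state,
        "access_type": "offline",
        "prompt": "consent",
    }
    return f"{GOOGLE_AUTH_ENDPOINT}?{urlencode(params)}"


def requested_scopes(auth_url):
    """Scopes carried by an authorization URL, as a set."""
    query = parse_qs(urlparse(auth_url).query)
    return set(query.get("scope", [""])[0].split())


def grants_offline_data_access(token_response):
    """True when the app can now read account data without the user present:
    a refresh token was issued and at least one granted scope is not an
    identity scope. This is the grant a user sees under 'Third-party apps'."""
    granted = set(token_response.get("scope", "").split())
    has_data_scope = bool(granted - IDENTITY_SCOPES)
    return "refresh_token" in token_response and has_data_scope


# Constructed token responses, shaped like Google's token endpoint output.
SIGNIN_TOKEN_RESPONSE = {
    "access_token": "ya29.sample-signin-token",
    "expires_in": 3599,
    "scope": "openid https://www.googleapis.com/auth/userinfo.email "
             "https://www.googleapis.com/auth/userinfo.profile",
    "token_type": "Bearer",
    "id_token": "eyJ.sample.idtoken",
}

DATA_ACCESS_TOKEN_RESPONSE = {
    "access_token": "ya29.sample-calendar-token",
    "refresh_token": "1//sample-refresh-token",
    "expires_in": 3599,
    "scope": "openid https://www.googleapis.com/auth/userinfo.email "
             "https://www.googleapis.com/auth/calendar.readonly",
    "token_type": "Bearer",
    "id_token": "eyJ.sample.idtoken",
}
```

If your sign-in flow never sends `access_type=offline` and never asks for a scope outside the identity set, the token response will look like the first sample and there is nothing for the user to revoke on the third-party apps page, which is the situation the question describes.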

App required(mandatory) Sign In With Apple or not?

My app offers regular email and password authentication as well as Facebook and Google login.

Apple guidelines say:
Apps that exclusively use a third-party or social login service (such
as Facebook Login, Google Sign-In, Sign in with Twitter, Sign In with
LinkedIn, Login with Amazon, or WeChat Login) to set up or
authenticate the user’s primary account with the app must also offer
Sign in with Apple as an equivalent option.

But my app does NOT EXCLUSIVELY use a third-party or social login service. It also uses our own email/password method. In fact the email and password method is on top and thus assumed to be the main method of authentication. So I feel like this rule does not apply to my app.

Apple guidelines also say:
Sign in with Apple is not required if: Your app exclusively uses your
company’s own account setup and sign-in systems...

My app does NOT EXCLUSIVELY use third-party login services and does NOT EXCLUSIVELY use our own method. It uses both.
So is Sign In With Apple required (mandatory) for my app or not?
Apple updated the guidelines on March 4 to make it mandatory if you offer social login as an option. Note the removal of the word 'exclusive':
Apps that use a third-party or social login service (such as Facebook Login, Google Sign-In, Sign in with Twitter, Sign In with LinkedIn, Login with Amazon, or WeChat Login) to set up or authenticate the user’s primary account with the app must also offer Sign in with Apple as an equivalent option.
It's quite a simple answer.
If your app provides a third-party login/register option (like Facebook, Google, Instagram, Twitter, etc.) then "Sign In With Apple" is required; otherwise it is not required.

Azure SaaS site - AD Authentication

We have hosted our application with third party authentication enabled using OAuth/OpenID Connect, which is working fine for Google and Facebook. Now we want to expose that to a few users for testing purposes, but we don't want the URL itself to be misused.
So, we added additional authentication just to reach the site itself for preconfigured AD email addresses. But that was enabled directly in the Azure portal settings.
1) Once the user types the URL in the browser, it takes them to the Microsoft login page. Enter the AD email address.
2) It redirects to the site properly as expected.
3) But here comes the problem: since individual authentication is already enabled for other service providers, the AD token is carried to the site and it started misbehaving.
I want to provide AD authentication just for the entry to my site. After that, it should not be in effect. How do I achieve that?
It seems that you want to expose the web app to specific Azure AD users for testing purposes.
If I understood correctly, in this scenario the web app can interact with Azure AD via OpenID Connect just like Google and Facebook, instead of using the settings in the Azure portal. And if you also don't want Google and Facebook accounts to be able to access the web app, you should remove the corresponding authentication middleware. To limit which Azure AD users can access the web app, you can enable the "Enabled for users to sign-in" feature like below:
Then we can add the users via Users and groups to enable the users we want to allow to access the web app.

Sharing oAuth Access Token in SDK

I'm creating an SDK which provides features that the official app uses. I want to enable OAuth login like Facebook. If a user signs up with Facebook in the official app, how can I have them log in to the same account via the SDK that is integrated in another app?
Would I share the same access token across the SDK to all clients that implement it? Or is there a way to allow the user to sign in via OAuth into an account that they created through the official app? My current thought is that we pull some ID (e.g. email address) and do a lookup to see if that email address exists in our database and work from there (which could be a pain if the user changes their email address).
Thank you

How would I tie a user auth'ed by 3rd party provider via ACAccountStore to a backend user obj in the cloud?

In general, what's the best practice to authenticate a user via a 3rd party (say Twitter) using iOS's ACAccountStore and then tie it to an existing user in my own service, assuming that they were logged in already? Can I access and store the account credentials remotely over SSL, or is there a better way?
And if they had to re-login via Twitter, I could just search for the user with that twitter handle to know what backend user is tied to this account, yes?
And lastly if I wanted to be able to login via a browser later on, I would get new oauth credentials for the webapp as well, but could search for a user with the same Twitter account info and store these credentials as well, and know that they all refer to the same person, correct?
What you're asking involves many levels of a system "stack" that are custom to a particular environment. What is "correct" vs "incorrect" depends on the environment you've set up and are connecting to from your iOS app.
So from what it sounds like, you're leveraging iOS's Twitter functionality to create a Single Sign On (SSO) experience. There are several guides on Twitter's site for doing what you want to accomplish:
Integrating with Twitter on iOS: Single Sign On
Using Reverse Auth to Get OAuth Tokens on iOS - you can then store these server-side
Migrating tokens to system accounts - how you get OAuth tokens from your webapp to iOS.
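Both the SDK question above (log the same Facebook user into the account created in the official app) and the ACAccountStore question (tie a Twitter-authenticated user to a backend user, then recognise them again from the web app) come down to the same backend problem: which key identifies a third-party identity. The following is an added example, not code from either post: a minimal server-side identity store that links identities by (provider, provider-assigned subject id) rather than by handle or e-mail address, since both of those can change. It assumes the provider's token has already been verified server-side before `login_or_register` is called, and that the SDK and the official app use the same provider app registration so the provider returns the same subject id (Facebook user ids, for instance, are scoped to the app they were issued for). The `IdentityStore` class, user ids and tokens are invented sample data for this example.

```python
"""Added example: link third-party identities to one backend user by
(provider, subject id). Everything here is in-memory sample code; a real
service would persist the links and encrypt stored provider tokens at rest."""
from dataclasses import dataclass, field
import secrets


@dataclass
class User:
    user_id: str
    display_name: str
    # provider name -> stored provider credentials (e.g. OAuth token pair
    # obtained through reverse auth); treat as secrets when persisting
    credentials: dict = field(default_factory=dict)


class IdentityStore:
    def __init__(self):
        self.users = {}   # user_id -> User
        self.links = {}   # (provider, subject) -> user_id

    @staticmethod
    def _key(provider, subject):
        # Subject ids are opaque strings from the provider; never the handle.
        return (provider.lower(), str(subject))

    def link(self, user_id, provider, subject, credentials=None):
        """Attach a provider identity to an existing user. Refuses to steal an
        identity that is already linked to a different user."""
        key = self._key(provider, subject)
        owner = self.links.get(key)
        if owner is not None and owner != user_id:
            raise ValueError(f"{key[0]} subject {key[1]} is linked to another user")
        self.links[key] = user_id
        if credentials:
            self.users[user_id].credentials[key[0]] = credentials

    def lookup(self, provider, subject):
        """Find the backend user for a provider identity, or None."""
        uid = self.links.get(self._key(provider, subject))
        return self.users.get(uid) if uid else None

    def login_or_register(self, provider, subject, display_name, credentials=None):
        """Called after the provider token/identity has been verified.
        Returns (user, created). Stored credentials are refreshed on each login
        because each client obtains its own provider tokens."""
        user = self.lookup(provider, subject)
        if user is not None:
            if credentials:
                user.credentials[provider.lower()] = credentials
            return user, False
        user = User(secrets.token_hex(8), display_name)
        self.users[user.user_id] = user
        self.link(user.user_id, provider, subject, credentials)
        return user, True


def scenario():
    """Walk through the two posts' situations on constructed sample data."""
    store = IdentityStore()
    # Official app: user signs up with Facebook (subject id from the provider).
    alice, created = store.login_or_register(
        "facebook", "10001", "Alice", {"access_token": "fb-token-official-app"})
    # SDK in another app: same Facebook subject, its own token, same account.
    alice_again, created_again = store.login_or_register(
        "facebook", "10001", "Alice (renamed)", {"access_token": "fb-token-sdk"})
    # iOS app: Twitter via reverse auth; link to the already logged-in user.
    store.link(alice.user_id, "twitter", "7700", {"oauth_token": "t", "oauth_token_secret": "s"})
    # Web app later: new Twitter credentials, same subject, same person.
    from_web = store.lookup("twitter", "7700")
    return {
        "first_created": created,
        "second_created": created_again,
        "same_user": alice_again.user_id == alice.user_id,
        "web_resolves_to_same_user": from_web is not None and from_web.user_id == alice.user_id,
        "latest_fb_token": alice.credentials["facebook"]["access_token"],
    }
```

The answer to "would I share the same access token across the SDK" is therefore no: each client does its own provider login and gets its own token, and the backend recognises the person by the provider subject id. Searching by Twitter handle, as the question suggests, works until the user renames the handle; the subject id does not change.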