12

On iOS 11, Apple introduced a new way to share auth data between the web and a Mobile App with SFAuthenticationSession.

It would be a bad user experience to show the SFAuthenticationSession prompt to every new users - that might have never used my website - to have them agree and then get nothing out of it and have ask them to login.

The documentation is pretty empty on Apple side. This is the only example I found.

Is there a way to know if there is a cookie available before showing the SFAuthenticationSession prompt? Or maybe, with the Associated Domains enabled, when authenticating with my domain, the system should not show the prompt?

Ortwin Gentz
  • 52,648
  • 24
  • 135
  • 213
Ludovic Landry
  • 11,606
  • 10
  • 48
  • 80

1 Answers1

2

No. Even if there aren't cookies, the user can login entering his username/password and then clicking on "Login"/"Enter" on the website (E.g: Facebook, Instagram).

Accessing the cookies won't be enabled:

When the webpage is presented, it runs in a separate process, so the user and web service are guaranteed that the app has no way to gain access to the user’s credentials. Instead, the app gets a unique authentication token. Official docs

Working example for Instagram-OAuth: https://github.com/dvdhpkns/SFAuthenticationSession-Instagram-Oauth


And the GitHub repo you added was posted by the author to send a bug report about errors in cookie sharing for local servers (rdar://33418129. Original tweet)

Are cookies shared between Safari and SFAuthenticationSession? @DVDHPKNS

They’re supposed to be shared, but we have some timing bugs right now. Please do file bugs about what you’re seeing. @rmondello (Apple employee)

P.S: They added more information to the docs since your original post date.

nathan
  • 9,329
  • 4
  • 37
  • 51
  • So does that mean that for now whenever SFAuthenticationSession is called an alert will be displayed ? and there is no way to avoid it ? – user3752049 Aug 07 '17 at 13:13
  • 1
    It's like a regular permission (E.g: Camera, Notifications, etc.) so there's no way to avoid it afaik since it's part of the authorization flow. From the docs: ` users are prompted by a dialog to give explicit consent` – nathan Aug 07 '17 at 17:00
  • 3
    Yes you are right but for camera and notifications etc it is a one time prompt. With SFAuthenticationSession though the prompt is displayed every time. Maybe I am doing something wrong. – user3752049 Aug 08 '17 at 08:26
  • No, you are right: SFAuthenticationSession will require the user to accept each time. – nathan Aug 08 '17 at 17:28