Displaying account page for Mobile app with AppAuth-iOS

Hello,

We are integrating Keycloak for our organization for some REST services, web and mobile apps (iOS and Android). On the iOS side, for now, we use the AppAuth-iOS SDK, which effectively allows some users to authenticate themselves via a web view (using an instance of the SFSafariViewController class under the hood).

For the account management page, we want to display the account page (/account) via the SFSafariViewController (as recommended by the RFC), but when this page is displayed, the user has to authenticate again because the session cookies were lost in the previous authentication context.
Note that we cannot get back the Keycloak cookies generated in the authentication context, because SFSafariViewController does not seem to offer this feature.

Do you have any experience or suggestions on both the mobile app and backend side?

Thanks for reading,

Can you get the access token? Does SFSafariViewController allow you to set cookies? If so, you just need to set the access token to the KEYCLOAK_IDENTITY cookie for the account session.

The relevant code that checks that cookie is here: keycloak/AuthenticationManager.java at master · keycloak/keycloak · GitHub

Can you get the access token?

Yes we do, but we cannot set the KEYCLOAK_IDENTITY cookie in the SFSafariViewController context. We shall test with WKWebView this afternoon, but the recommendation advises that we should avoid doing that.

Stay tuned!

Thank you xgp

I don’t know if it would be a security problem to have it in a GET request, but if you can tell SFSafariViewController what URL you want to go to, you could give it something like https://<host>/auth/admin/realms/<realm>/<some_custom_rest_endpoint>?cookie=<access_token>, then you can implement a custom REST endpoint on the Keycloak side that responds with a redirect to the account console with a Set-Cookie header. Bit hacky, but it might work.

1 Like

Yep, it’s a good idea. For that we could even use POST under TLS for better security?

Sure, if you can tell SFSafariViewController to do a POST. Try it and report back if it works!

Yes, I just checked, and indeed SFSafariViewController is only a “browser”.

Hello @xgp

it works!

I developed a custom endpoint which uses the AuthenticationManager.createLoginCookie(session, realm, user, userSession, uriInfo, clientConnection); method to create the KEYCLOAK_IDENTITY cookie. Note that the /account page needs a cookie containing a token of type Serialized-ID, and not Bearer as I previously thought.

Thank you for your help,
Ulrich

1 Like
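
A sketch of the endpoint described in this thread, as an added example that is not the poster's code. The class name, the `handoff` path and the `mobile-app` client id are hypothetical; it assumes a Keycloak version that ships `AppAuthManager.BearerTokenAuthenticator` and `javax.ws.rs` (newer releases use `jakarta.ws.rs`), and the `RealmResourceProvider` registration is not shown.

```java
import java.net.URI;
import javax.ws.rs.GET;
import javax.ws.rs.Path;
import javax.ws.rs.QueryParam;
import javax.ws.rs.core.Response;
import org.keycloak.models.KeycloakSession;
import org.keycloak.models.RealmModel;
import org.keycloak.services.managers.AppAuthManager;
import org.keycloak.services.managers.AuthenticationManager;

// Hypothetical resource class, returned from a RealmResourceProvider (not shown).
public class AccountHandoffResource {
    // Assumed client id: only tokens issued to the mobile app may be exchanged.
    private static final String ALLOWED_CLIENT = "mobile-app";

    private final KeycloakSession session;

    public AccountHandoffResource(KeycloakSession session) {
        this.session = session;
    }

    @GET
    @Path("handoff")
    public Response handoff(@QueryParam("cookie") String token) {
        if (token == null || token.isEmpty()) {
            return Response.status(Response.Status.BAD_REQUEST).build();
        }
        // Validate the token from the query string instead of the Authorization
        // header, because SFSafariViewController cannot send custom headers.
        AuthenticationManager.AuthResult auth =
                new AppAuthManager.BearerTokenAuthenticator(session)
                        .setTokenString(token)
                        .authenticate();
        if (auth == null || !ALLOWED_CLIENT.equals(auth.getToken().getIssuedFor())) {
            return Response.status(Response.Status.UNAUTHORIZED).build();
        }
        RealmModel realm = session.getContext().getRealm();
        // Creates KEYCLOAK_IDENTITY (a Serialized-ID token) on the response.
        AuthenticationManager.createLoginCookie(session, realm, auth.getUser(),
                auth.getSession(), session.getContext().getUri(),
                session.getContext().getConnection());
        URI account = session.getContext().getUri().getBaseUriBuilder()
                .path("realms").path(realm.getName()).path("account").build();
        // Redirect so the token-bearing URL is not the page the user stays on.
        return Response.seeOther(account)
                .header("Cache-Control", "no-store")
                .header("Referrer-Policy", "no-referrer")
                .build();
    }
}
```

Because the token travels in the query string, it can end up in proxy and server access logs, so a short access-token lifetime and log redaction for this path are worth configuring alongside it.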

Glad it worked. Thanks for sharing how you did it, as I’m sure someone will want to do the same thing in the future.

1 Like