Configuring iOS apps for OIDC sign-on

PingOne PingOne Advanced Identity Cloud PingAM OIDC-compliant servers iOS

You can configure your iOS apps to use your authorization server’s UI, or your own web application, for sign-on requests.

When a user attempts to log in to your app it redirects them to the central sign-on UI. After the user authenticates, the authorization server redirects them back to your application or site.

Changes to authentication journeys or flows on your authorization server are available to all your apps that use the OIDC sign-on method, without the need to rebuild or redistribute the app. Likewise, any rebranding applied to your central sign-on UI is reflected immediately in your client apps.

Your app doesn’t need to access user credentials directly, just the result of the authentication from the server—usually an access token.

To configure an iOS app to perform OIDC sign-on, complete each of the following steps:

Before you begin
Step 1. Configuring your app to handle redirects
Step 2. Installing modules
Step 3. Configuring connection properties
Step 4. Starting the OAuth 2.0 flow
Step 5. Obtaining an Access Token
Step 6. Revoking tokens and signing out

Before you begin

You need to prepare your server for OIDC sign-on. Select your server from the options below and complete the tasks before proceeding to configure your application.

PingOne
Advanced Identity Cloud
AM
PingFederate

This tutorial requires you to configure your PingOne server as follows:

Task 1. Create a demo user

The samples and tutorials in this documentation often require that you have an identity set up so that you can test authentication.

To create a demo user in PingOne, follow these steps:

Log in to your PingOne administration console.
In the left panel, navigate to Directory > Users.
Next to the Users label, click the plus icon ().

PingOne displays the Add User panel.
Enter the following details:
- Given Name = Demo
- Family Name = User
- Username = demo
- Email = demo.user@example.com
- Population = Default
- Password = Ch4ng3it!
Click Save.

Task 2. Register a public OAuth 2.0 client

To register a public OAuth 2.0 client application in PingOne for use with the Orchestration SDKs for Android and iOS, follow these steps:

Log in to your PingOne administration console.
In the left panel, navigate to Applications > Applications.
Next to the Applications label, click the plus icon ().

PingOne displays the Add Application panel.
In Application Name, enter a name for the profile, for example sdkNativeClient
Select Native as the Application Type, and then click Save.
On the Configuration tab, click the pencil icon ().
1. In Grant Type, select the following values:
  
  Authorization Code
  
  Refresh Token
2. In Redirect URIs, enter the following values:
  
  com.example.demo://oauth2redirect
3. In Token Endpoint Authentication Method, select None.
4. In the Advanced Settings section, enable Terminate User Session by ID Token.
5. Click Save.
On the Resources tab, next to Allowed Scopes, click the pencil icon ().
1. In Scopes, select the following values:
  
  email
  
  phone
  
  profile
  
  The openid scope is selected by default.
  
  The result resembles the following:
  
  Figure 1. Adding scopes to an application.
Optionally, on the Policies tab, click the pencil icon () to select the authentication policies for the application.

Applications that have no authentication policy assignments use the environment’s default authentication policy to authenticate users.

If you have a DaVinci license, you can select PingOne policies or DaVinci Flow policies, but not both. If you do not have a DaVinci license, the page only displays PingOne policies.

To use a PingOne policy:
1. Click Add policies and then select the policies that you want to apply to the application.
2. Click Save.
  
  PingOne applies the policies in the order in which they appear in the list. PingOne evaluates the first policy in the list first. If the requirements are not met, PingOne moves to the next one.
  
  For more information, see Authentication policies for applications.
To use a DaVinci Flow policy:
1. You must clear all PingOne policies. Click Deselect all PingOne Policies.
2. In the confirmation message, click Continue.
3. On the DaVinci Policies tab, select the policies that you want to apply to the application.
4. Click Save.
  
  PingOne applies the first policy in the list.
Click Save.
Enable the OAuth 2.0 client application by using the toggle next to its name:

Figure 2. Enable the application using the toggle.

The application is now configured to accept client connections from and issue OAuth 2.0 tokens to the Android and iOS PingOne example applications and tutorials covered by this documentation.

This tutorial requires you to configure your PingOne Advanced Identity Cloud tenant as follows:

Task 1. Create a demo user

The samples and tutorials in this documentation often require that you have an identity set up so that you can test authentication.

To create a demo user in PingOne Advanced Identity Cloud, follow these steps:

Log in to your PingOne Advanced Identity Cloud tenant.
In the left panel, click Identities > Manage.
Click New Alpha realm - User.
Enter the following details:
- Username = demo
- First Name = Demo
- Last Name = User
- Email Address = demo.user@example.com
- Password = Ch4ng3it!
Click Save.

Task 2. Register a public OAuth 2.0 client

Public clients do not use a client secret to obtain tokens because they are unable to keep them hidden. The Orchestration SDKs commonly use this type of client to obtain tokens, as they cannot guarantee safekeeping of the client credentials in a browser or on a mobile device.

To register a public OAuth 2.0 client application for use with the SDKs in PingOne Advanced Identity Cloud, follow these steps:

Log in to your PingOne Advanced Identity Cloud tenant.
In the left panel, click Applications.
Click Custom Application.
Select OIDC - OpenId Connect as the sign-in method, and then click Next.
Select Native / SPA as the application type, and then click Next.
In Name, enter a name for the application, such as Public SDK Client.
In Owners, select a user that is responsible for maintaining the application, and then click Next.

When trying out the SDKs, you could select the demo user you created previously.
In Client ID, enter sdkPublicClient
Select Configure for SDK Sample Apps.
Click Create Application.

PingOne Advanced Identity Cloud creates the application and displays the details screen.
On the Sign On tab:
1. In Sign-In URLs, ensure the following values appear, or add them if they don’t:
  
  com.example.demo://oauth2redirect
  
  https://demo.example.com/oauth2redirect
  
  Also add any other domains where you host SDK applications.
2. In Grant Types, ensure the following values appear:
  
  Authorization Code
  
  Refresh Token
3. In Scopes, ensure the following values appear:
  
  openid profile email address
Click Show advanced settings, and on the Authentication tab, confirm the following properties:
1. In Token Endpoint Authentication Method, select none.
2. In Client Type, select Public.
3. Enable the Implied Consent property.
Click Save.

The application is now configured to accept client connections from and issue OAuth 2.0 tokens to the example applications and tutorials covered by this documentation.

Task 3. Configure the OAuth 2.0 provider

The provider specifies the supported OAuth 2.0 configuration options for a realm.

To ensure the PingOne Advanced Identity Cloud OAuth 2.0 provider service is configured for use with the Orchestration SDKs, follow these steps:

In your PingOne Advanced Identity Cloud tenant, navigate to Native Consoles > Access Management.
In the left panel, click Services.
In the list of services, click OAuth2 Provider.
On the Core tab, ensure Issue Refresh Tokens is enabled.
On the Consent tab, ensure Allow Clients to Skip Consent is enabled.
Click Save Changes.

This tutorial requires you to configure your AM server as follows:

Task 1. Create a demo user

The samples and tutorials in this documentation often require that you have an identity set up so that you can test authentication.

To create a demo user in PingAM, follow these steps:

Log in to the PingAM admin UI as an administrator.
Navigate to Identities, and then click Add Identity.
Enter the following details:
- User ID = demo
- Password = Ch4ng3it!
- Email Address = demo.user@example.com
Click Create.

Task 2. Register a public OAuth 2.0 client

To register a public OAuth 2.0 client application for use with the SDKs in AM, follow these steps:

Log in to the PingAM admin UI as an administrator.
Navigate to Applications > OAuth 2.0 > Clients, and then click Add Client.
In Client ID, enter sdkPublicClient.
Leave Client secret empty.
In Redirection URIs, enter the following values:

com.example.demo://oauth2redirect

https://demo.example.com/oauth2redirect

Also add any other domains where you will be hosting SDK applications.
In Scopes, enter the following values:

openid profile email address
Click Create.

PingAM creates the new OAuth 2.0 client, and displays the properties for further configuration.
On the Core tab:
1. In Client type, select Public.
2. Disable Allow wildcard ports in redirect URIs.
3. Click Save Changes.
On the Advanced tab:
1. In Grant Types, enter the following values:
  Authorization Code Refresh Token
2. In Token Endpoint Authentication Method, select None.
3. Enable the Implied consent property.
Click Save Changes.

Task 3. Configure the OAuth 2.0 provider

The provider specifies the supported OAuth 2.0 configuration options for a realm.

To ensure the PingAM OAuth 2.0 provider service is configured for use with the Orchestration SDKs, follow these steps:

Log in to the PingAM admin UI as an administrator.
In the left panel, click Services.
In the list of services, click OAuth2 Provider.
On the Core tab, ensure Issue Refresh Tokens is enabled.
On the Consent tab, ensure Allow Clients to Skip Consent is enabled.
Click Save Changes.

This tutorial requires you to configure your PingFederate server as follows:

Task 1. Register a public OAuth 2.0 client

OAuth 2.0 client application profiles define how applications connect to PingFederate and obtain OAuth 2.0 tokens.

To allow the Orchestration SDKs to connect to PingFederate and obtain OAuth 2.0 tokens, you must register an OAuth 2.0 client application:

Log in to the PingFederate administration console as an administrator.
Navigate to Applications OAuth Clients.
Click Add Client.

PingFederate displays the Clients | Client page.
In Client ID and Name, enter a name for the profile, for example sdkPublicClient

Make a note of the Client ID value, you will need it when you configure the sample code.
In Client Authentication, select None.

In Redirect URIs, add the following:

com.example.demo://oauth2redirect

https://demo.example.com/oauth2redirect

Also add any other URLs where you host SDK applications.

Failure to add redirect URLs that exactly match your client app’s values can cause PingFederate to display an error message such as Redirect URI mismatch when attempting to end a session by redirecting from the SDK.

In Allowed Grant Types, select the following values:

Authorization Code

Refresh Token

In the OpenID Connect section:

In Logout Mode, select Ping Front-Channel

In Front-Channel Logout URIs, add the following:

com.example.demo://oauth2redirect

https://demo.example.com/oauth2redirect

Also add any other URLs that redirect users to PingFederate to end their session.

Failure to add sign off URLs that exactly match your client app’s values can cause PingFederate to display an error message such as invalid post logout redirect URI when attempting to end a session by redirecting from the SDK.

In Post-Logout Redirect URIs, add the following:

com.example.demo://oauth2redirect

https://demo.example.com/oauth2redirect

Click Save.

After changing PingFederate configuration using the administration console, you must replicate the changes to each server node in the cluster before they take effect.

In the PingFederate administration console, navigate to System > Server > Cluster Management, and click Replicate.

The application is now configured to accept client connections from and issue OAuth 2.0 tokens to the Orchestration SDK PingFederate example applications and tutorials covered by this documentation.

Task 2. Configure CORS

Cross-origin resource sharing (CORS) lets user agents make cross-domain server requests. In PingFederate, you can configure CORS to allow browsers or apps from trusted domains to access protected resources.

To configure CORS in PingFederate follow these steps:

Log in to the PingFederate administration console as an administrator.
Navigate to System OAuth Settings Authorization Server Settings.
In the Cross-Origin Resource Sharing Settings section, in the Allowed Origin field, enter any DNS aliases you use for your SDK apps.

This documentation assumes the following configuration:

Property Values

Allowed Origin

com.example.demo://oauth2redirect

Property	Values
`Allowed Origin`	`com.example.demo://oauth2redirect`

Click Save.

After changing PingFederate configuration using the administration console, you must replicate the changes to each server node in the cluster before they take effect.

In the PingFederate administration console, navigate to System > Server > Cluster Management, and click Replicate.

Your PingFederate server is now able to accept connections from origins hosting apps built with the Orchestration SDKs.

Step 1. Configuring your app to handle redirects

After completing authentication in the browser, the server redirects the user back to your application, by using the value of the redirect_uri parameter.

You need to configure your app to open and accept the data the server sends as part of the redirect.

There are two methods for configuring an Android app to handle redirect URIs. To ensure that only your app is able to obtain authorization tokens during centralized sign-on we recommend you configure it to use Universal Links.

If you don’t want to implement Universal Links, you can instead use a custom scheme for your redirect URIs.

Apple Universal Links
Custom scheme

You can configure your iOS app to open and handle redirects that use the HTTPS protocol.

Using this method, your redirect URI will resemble the following:

https://demo.example.com/oauth2redirect

To configure universal Links in an iOS application, perform the following steps:

In Xcode, in the Project Navigator, double-click your application to open the Project pane.
On the Signing & Capabilities tab, click Capability, type Associated Domains, and then double click the result to add the capability.
In Domains, click the Add () button, and enter applinks:, followed by the hostname that will be used in your redirect URIs.

The host value must match the domain where you upload the apple-app-site-association file.

Create or update an apple-app-site-association file that associates your app with the domain.

You must host the file in a .well-known folder on the same host that you entered in the intent filter earlier.

The file will resemble the following:

https://ios.example.com/.well-known/apple-app-site-association

{
  "applinks": {
      "details": [
           {
             "appIDs": [ "XXXXXXXXXX.com.example.AppName" ],
             "components": [
               {
                  "/": "/oauth2redirect",
                  "comment": "Associate my app with the OAuth 2.0 redirect URI."
               }
             ]
           }
       ]
   }
}

Upload the completed file to the domain that matches the host value you configured in the earlier step.

For information on uploading an apple-app-site-association file to an Advanced PingOne Advanced Identity Cloud instance, refer to Upload an iOS apple-app-site-association file.

For learn more information about Universal Links and associating domains, refer to the following in the Apple Developer documentation:
- Supporting universal links in your app
- Supporting associated domains
Add the Universal Link to the Redirection URIs property of your OAuth 2.0 client. For example, https://demo.example.com/oauth2redirect

You can configure your iOS app to open and handle redirects that use a custom scheme, rather than HTTPS.

Using this method, your redirect URI will resemble the following:

com.example.demo://oauth2redirect

To configure a custom scheme in an iOS application, perform the following steps:

In Xcode, in the Project Navigator, double-click your application to open the Project pane.
On the Info tab, in the URL Types panel, configure your custom URL scheme:
Add the custom URL scheme to the Redirect URIs property of your OAuth 2.0 client.

In an Advanced Identity Cloud tenant, enter redirect URIs in the Sign-in URLs field, in the General Settings pane.

Step 2. Installing modules

To use the DaVinci client for iOS, use Swift Package Manager (SPM) or Cocoapods to add the dependencies to your project.

SPM (Swift Package Manager)
CocoaPods

You can install packages by using SPM (Swift Package Manager) on the iOS project.

In Xcode, in the Project Navigator, right-click your project, and then click Add Package Dependencies….
In the Search or Enter Package URL field, enter the URL of the repo containing the DaVinci Client for iOS, https://github.com/ForgeRock/ping-ios-sdk.git.
In Add to Project, select the name of your project, and then click Add Package.

Xcode shows a dialog containing the libraries available in the OIDC module for iOS.
Select the PingOidc library, and in the Add to Target column select the name of your project.
Repeat the previous step for any other OIDC module libraries you want to add to your project.
Click Add Package.

Xcode displays the chosen libraries and any prerequisites they might have in the Package Dependencies pane of the Project Navigator.

If you don’t already have CocoaPods, install the latest version.
If you don’t already have a Podfile, in a terminal window, run the following command to create a new Podfile:
```
pod init
```
Add the following lines to your Podfile:
```
pod 'PingOidc'
```
Run the following command to install pods:
```
pod install
```

Step 3. Configuring connection properties

Configure the PingOidc module to connect to your OpenID Connect 1.0-compliant authorization server:

Required parameters to configure the PingOidc module

public let oidcLogin = OidcWeb.createOidcWeb { config in
    config.module(PingOidc.OidcModule.config) { oidcValue in
        oidcValue.discoveryEndpoint = "https://auth.pingone.ca/3072206d-c6ce-ch15-m0nd-f87e972c7cc3/as/.well-known/openid-configuration"
        oidcValue.clientId = "6c7eb89a-66e9-ab12-cd34-eeaf795650b2"
        oidcValue.redirectUri = "https://demo.example.com/oauth2redirect"
        oidcValue.scopes = ["openid", "email", "address", "profile", "phone"]
    }
}

Update the following properties with values that match your environment:

discoveryEndpoint

The .well-known endpoint from your OAuth 2.0 application.

How do I find my PingOne .well-known URL?

To find the .well-known endpoint for an OAuth 2.0 client in PingOne:

Log in to your PingOne administration console.
Go to Applications > Applications, and then select your OAuth 2.0 client.

For example, sdkPublicClient.
On the Overview tab, expand the Connection Details section, and then copy the OIDC Discovery Endpoint value.

How do I form my PingFederate .well-known URL?

To form the .well-known endpoint for a PingFederate server:

Log in to your PingFederate administration console.
Navigate to System Server Protocol Settings.
Make a note of the Base URL value.

For example, https://pingfed.example.com

Do not use the admin console URL.
Append /.well-known/openid-configuration after the base URL value to form the .well-known endpoint of your server.

For example, https://pingfed.example.com/.well-known/openid-configuration.

The SDK reads the OAuth 2.0 paths it requires from this endpoint.

How do I find my PingOne Advanced Identity Cloud .well-known URL?

You can view the .well-known endpoint for an OAuth 2.0 client in the PingOne Advanced Identity Cloud admin console:

Log in to your PingOne Advanced Identity Cloud administration console.
Click Applications, and then select the OAuth 2.0 client you created earlier. For example, sdkPublicClient.
On the Sign On tab, in the Client Credentials section, copy the Discovery URI value.

For example, https://openam-forgerock-sdks.forgeblocks.com/am/oauth2/alpha/.well-known/openid-configuration

If you are using a custom domain, your .well-known is formed as follows:

https://<custom-domain-fqdn>/.well-known/openid-configuration

Learn more in Access OIDC configuration discovery endpoint.

How do I find my PingAM .well-known URL?

To form the .well-known URL for an PingAM server, concatenate the following information into a single URL:

The base URL of the PingAM component of your deployment, including the port number and deployment path.

For example, https://openam.example.com:8443/openam
The string /oauth2
The hierarchy of the realm that contains the OAuth 2.0 client.

You must specify the entire hierarchy of the realm, starting at the Top Level Realm. Prefix each realm in the hierarchy with the realms/ keyword.

For example, /realms/root/realms/customers

If you omit the realm hierarchy, the top level ROOT realm is used by default.
The string /.well-known/openid-configuration

For example, https://openam.example.com:8443/openam/oauth2/realms/root/.well-known/openid-configuration

For example, https://auth.pingone.ca/3072206d-c6ce-ch15-m0nd-f87e972c7cc3/as/.well-known/openid-configuration

clientId

The client ID of your OAuth 2.0 application.

For example, 6c7eb89a-66e9-ab12-cd34-eeaf795650b2

redirectUri

The redirect URI as configured in the OAuth 2.0 client profile.

This value must exactly match one of the values configured in your OAuth 2.0 client.

For example:

Universal link / HTTPS redirect URI:: https://demo.example.com/oauth2redirect
Custom scheme redirect URI:: com.example.demo://oauth2redirect

scopes

The scopes you added to your OAuth 2.0 application.

For example, "openid", "email", "address", "profile", "phone"

You can pass optional OAuth 2.0 parameters into configuration to affect the sign-on flow on the server.

Adding optional parameters when configuring the PingOidc module

public let oidcLogin = OidcWeb.createOidcWeb { config in
    config.module(PingOidc.OidcModule.config) { oidcValue in
        oidcValue.discoveryEndpoint = "https://auth.pingone.ca/3072206d-c6ce-ch15-m0nd-f87e972c7cc3/as/.well-known/openid-configuration"
        oidcValue.clientId = "6c7eb89a-66e9-ab12-cd34-eeaf795650b2"
        oidcValue.redirectUri = "https://demo.example.com/oauth2redirect"
        oidcValue.scopes = ["openid", "email", "address", "profile", "phone"]
        oidcValue.acrValues = "Single_Factor%20Multi_Factor"
        oidcValue.loginHint = "demo.user@example.com"
        oidcValue.additionalParameters = ["myCustomParam" : "myCustomValue"]
    }
}

For example, you can add the following parameters:

acrValues: An optional space-separated list of Authentication Context Class Reference (acr) values, in order of preference.

The server can use these values to help determine how the user should be authenticated.

For example, you can specify a DaVinci flow policy ID, or PingOne policy names to request that PingOne follows a particular path to authenticate the user.

The Orchestration SDK sends this as the acr_values parameter in the authentication request, as per the specification.
loginHint: An optional string that lets the server know what identifier the user might use to authenticate with.

The server can use this to pre-populate a sign-on form, or to customize the UI to match a particular brand or organization.

The Orchestration SDK sends this as the login_hint parameter in the authentication request, as per the specification.
additionalParameters: Add any additional key-value query parameters your environment might require to complete an OAuth 2.0 flow.

Learn more about OAuth 2.0 authentication request parameters in Authentication Request, in the OpenID Connect Core 1.0 specification.

Configure the browser type used for OIDC sign-on

You can configure the type of browser iOS uses for the OIDC sign-on flow, by adding the browserType property to the PingOIDC module configuration:

Required parameters to configure the PingOidc module

public let oidcLogin = OidcWeb.createOidcWeb { config in
    config.browserType = .authSession
    config.module(PingOidc.OidcModule.config) { oidcValue in
        oidcValue.discoveryEndpoint = "https://auth.pingone.ca/3072206d-c6ce-ch15-m0nd-f87e972c7cc3/as/.well-known/openid-configuration"
        oidcValue.clientId = "6c7eb89a-66e9-ab12-cd34-eeaf795650b2"
        oidcValue.redirectUri = "https://demo.example.com/oauth2redirect"
        oidcValue.scopes = ["openid", "email", "address", "profile", "phone"]
    }
}

Each browser type has different characteristics, which make them suitable to different scenarios, as outlined in this table:

Browser type

Characteristics

.authSession

Opens a web authentication session browser.

Designed specifically for authentication sessions, however it prompts the user before opening the browser with a modal that asks them to confirm the domain is allowed to authenticate them.

This is the default option in the Orchestration SDK for iOS.

.ephemeralAuthSession

Opens a web authentication session browser, but enables the prefersEphemeralWebBrowserSession parameter.

This browser type does not prompt the user before opening the browser with a modal.

The difference between this and .authSession is that the browser does not include any existing data such as cookies in the request, and also discards any data obtained during the browser session, including any session tokens.

When is ephemeralAuthSession suitable:

ephemeralAuthSession is not suitable when you require single sign-on (SSO) between your iOS apps, as the browser will not maintain session tokens.
ephemeralAuthSession is not suitable when you require a session token to log a user out of the server, for example for logging out of PingOne, as the browser will not maintain session tokens.
Use ephemeralAuthSession when you do not want the user’s existing sessions to affect the authentication.

Step 4. Starting the OAuth 2.0 flow

The PingOidc module provides the authorize() method, which launches the web browsers and starts the OAuth 2.0 flow.

Start the OAuth 2.0 flow by using the authorize() method

let state = try await oidcLogin.authorize()

// Handle the state
switch oidcLogin.state {
case .success( _ ):
    ...
case .failure(let error):
    ...
case .none:
    ...
}

You can inject or override OAuth 2.0 parameters, and pass custom key-pair values when starting the OAuth 2.0 flow with the authorize() method.

Adding parameters when using the authorize() method

let state = try await oidcLogin.authorize { options in
    options.acrValues = "Single_Factor%20Multi_Factor"
    options.loginHint = "demo.user@example.com"
    options.additionalParameters = ["myCustomParam" : "myCustomValue"]
}

Step 5. Obtaining an Access Token

After successfully starting the OAuth 2.0 flow and authenticating the user, the server redirects control back to your application. Your application receives the OAuth 2.0 code and state parameters it needs to continue the flow and obtain an access token.

To obtain an access token on behalf of a user, follow these steps:

Create an object that represents a user’s authentication session by using the oidcLoginUser() method:
Create a user object by calling the oidcLoginUser() method
```
let oidcLoginUser = await oidcLogin.oidcLoginUser()
```
Retrieve a token on behalf of the user by calling the token() method on your oidcLoginUser object, and handle the result:
Obtain an access token for a user by calling oidcLoginUser.token() and handle the result
```
let token = await oidcLoginUser.token()
```

Step 6. Revoking tokens and signing out

You can call the following methods on your oidcLoginUser object to revoke OAuth 2.0 tokens, and sign out the user from the server:

oidcLoginUser?.revoke(): Revokes the OAuth 2.0 tokens on the server, and deletes them from storage.
oidcLoginUser?.logout(): Removes an session tokens the user may have, and contacts the server to end the user’s session.