Browser Identity Provider

When a user registers with an Identity Provider (IdP) that is browser-based, the SDK needs to obtain an access grant from the Token Server via the browser. The app should use the URL returned in the ONGBrowserRegistrationChallenge to request the access grant in a separate web browser.

Handling Browser Registration Challenge

When registering a user, the application will receive a browser registration challenge containing a URL, which must be handled. The challenge is passed as an argument to the userClient:didReceiveBrowserRegistrationChallenge: method of your ONGRegistrationDelegate. The URL takes the user to a web page where they can authenticate to their user account. When authentication succeeds, the page redirects to the Redirect URL defined in the Token Server application configuration.

The userClient:didReceiveBrowserRegistrationChallenge: method has two parameters:

  • userClient (ONGUserClient) the user client performing the registration.
  • challenge (ONGBrowserRegistrationChallenge) the challenge containing the URL used to perform the registration code request.

The challenge object represents the browser registration challenge. It provides all information about the challenge and the sender awaiting the response:

  • userProfile (ONGUserProfile) the user profile for which the registration request challenge was sent.
  • identityProvider (ONGIdentityProvider) the identity provider used to register the user.
  • url (NSURL) the URL used to perform the registration code request.
  • error (NSError) the error describing the cause of failure of the previous challenge response. Possible error domains: ONGGenericErrorDomain.
  • sender (id<ONGBrowserRegistrationChallengeSender>) the sender awaiting the response to the registration request challenge.

You can respond to the challenge through the sender object by calling one of the following methods:

  • respondWithURL:challenge: - delivers the redirect URL to the SDK
  • cancelChallenge - cancels the registration

It's up to you how you handle this URL; we recommend a web browser such as Safari or, preferably, an embedded web browser such as UIWebView.

We recommend using an embedded UIWebView to open this URL because it is the least disruptive for the end user and also benefits from the additional security measures included in the SDK. From release 2.3 onwards the SDK intercepts the URL requests from the embedded UIWebView and performs certificate pinning.

Handling Browser Registration URL with UIWebView

You can perform the request with a UIWebView by calling its loadRequest: method.

NSURLRequest *request = [NSURLRequest requestWithURL:self.browserRegistrationChallenge.url];
[self.webView loadRequest:request];

The web view should guide the user through the authentication process and then redirect back to the application using the Redirect URL. To intercept this redirection it's recommended to implement the webView:shouldStartLoadWithRequest:navigationType: method of your UIWebViewDelegate. Example implementation:

- (BOOL)webView:(UIWebView *)webView shouldStartLoadWithRequest:(NSURLRequest *)request navigationType:(UIWebViewNavigationType)navigationType
{
    // Intercept the navigation to the configured Redirect URL instead of loading it
    if ([request.URL.absoluteString hasPrefix:[OneginiConfigModel configuration][@"ONGRedirectURL"]]) {
        // Hand the redirect URL (including its query parameters) back to the SDK
        [self.browserRegistrationChallenge.sender respondWithURL:request.URL challenge:self.browserRegistrationChallenge];
        [self.navigationController dismissViewControllerAnimated:YES completion:nil];
        return NO;
    }
    return YES;
}

It's up to you when to close the web view. You could close it as soon as the challenge sender receives the redirect URL, as shown in the example, or when your ONGRegistrationDelegate receives userClient:didReceivePinRegistrationChallenge:.

Handling Browser Registration URL with External Web Browser

To handle the registration request using an external web browser you first need to configure a custom URL scheme.

After the user has authenticated, they are redirected back to the app using a custom URL scheme. The app must register this URL scheme in its Info.plist file. The redirect URL (which includes the custom URL scheme) is administered in the application configuration in the Token Server admin console.

Below you can see the contents of the URL Type configuration in Xcode:

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
    <key>CFBundleURLTypes</key>
    <array>
        <dict>
            <key>CFBundleTypeRole</key>
            <string>Editor</string>
            <key>CFBundleURLName</key>
            <string>com.onegini.OneginiSDKiOSTestApp</string>
            <key>CFBundleURLSchemes</key>
            <array>
                <string>oneginisdk</string>
            </array>
        </dict>
    </array>
</dict>
</plist>

Next, you need to open the URL in the external web browser. You can use the openURL: method of the shared UIApplication instance.

- (void)userClient:(ONGUserClient *)userClient didReceiveBrowserRegistrationChallenge:(ONGBrowserRegistrationChallenge *)challenge
{
    // Keep the challenge so the URL scheme callback below can respond to it
    self.browserRegistrationChallenge = challenge;
    [[UIApplication sharedApplication] openURL:challenge.url];
}

Redirection using a custom URL scheme must be handled in your UIApplicationDelegate object by implementing one of the following methods:

  • application:openURL:options: - available from iOS 9
  • application:handleOpenURL: - deprecated, but available before iOS 9
  • application:openURL:sourceApplication: - deprecated, but available before iOS 9

Example implementation:

- (BOOL)application:(UIApplication *)application openURL:(NSURL *)url options:(NSDictionary<NSString*, id> *)options
{
    // Only the configured Redirect URL is delivered to the SDK; any other URL is ignored
    if ([url.absoluteString hasPrefix:[OneginiConfigModel configuration][@"ONGRedirectURL"]]) {
        [self.browserRegistrationChallenge.sender respondWithURL:url challenge:self.browserRegistrationChallenge];
        return YES;
    }
    return NO;
}
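The following is an added example, not code from the SDK or from this page, that covers both redirect handlers described above (the embedded UIWebView delegate and the custom URL scheme callback in the app delegate). It matches the callback against the configured Redirect URL by scheme, host and path rather than by string prefix, responds to a challenge at most once, cancels the challenge when the user gives up, and logs the error carried by a re-delivered challenge. It assumes an umbrella header OneginiSDK.h declaring the ONG* classes and the OneginiConfigModel class from this page; ONGMatchesConfiguredRedirectURL, ONGRegistrationWebViewController and the AppDelegate property are hypothetical names chosen for this example.

```objectivec
#import <UIKit/UIKit.h>
#import "OneginiSDK.h"          // assumed umbrella header for the ONG* classes and OneginiConfigModel

// Helper added for this example (not an SDK API): accept a URL as the callback only when its scheme,
// host and path all equal the configured Redirect URL; the query string (the registration code) is ignored here.
static BOOL ONGMatchesConfiguredRedirectURL(NSURL *candidate) {
    NSURLComponents *want = [NSURLComponents componentsWithString:[OneginiConfigModel configuration][@"ONGRedirectURL"]];
    NSURLComponents *got  = [NSURLComponents componentsWithURL:candidate resolvingAgainstBaseURL:NO];
    if (want.scheme == nil || got.scheme == nil) return NO;
    return [want.scheme.lowercaseString isEqualToString:got.scheme.lowercaseString]
        && [(want.host ?: @"").lowercaseString isEqualToString:(got.host ?: @"").lowercaseString]
        && [(want.path ?: @"") isEqualToString:(got.path ?: @"")];
}
// Embedded web view variant: responds at most once, cancels when the user gives up, logs a re-delivered error.
@interface ONGRegistrationWebViewController : UIViewController <UIWebViewDelegate>
@property (nonatomic, strong) UIWebView *webView;
@property (nonatomic, strong) ONGBrowserRegistrationChallenge *challenge;
@end
@implementation ONGRegistrationWebViewController
- (void)startWithChallenge:(ONGBrowserRegistrationChallenge *)challenge {
    if (challenge.error) NSLog(@"previous response rejected: %@", challenge.error); // set when the SDK re-delivers the challenge
    self.challenge = challenge;
    self.webView.delegate = self;
    [self.webView loadRequest:[NSURLRequest requestWithURL:challenge.url]];
}
- (BOOL)webView:(UIWebView *)webView shouldStartLoadWithRequest:(NSURLRequest *)request navigationType:(UIWebViewNavigationType)navigationType {
    if (self.challenge == nil || !ONGMatchesConfiguredRedirectURL(request.URL)) return YES; // IdP pages load normally
    ONGBrowserRegistrationChallenge *challenge = self.challenge;
    self.challenge = nil; // a second navigation to the Redirect URL must not respond again
    [challenge.sender respondWithURL:request.URL challenge:challenge];
    [self dismissViewControllerAnimated:YES completion:nil];
    return NO; // the Redirect URL itself is never loaded
}
- (IBAction)cancelTapped:(id)sender { // wired to a Cancel button so the SDK is not left waiting
    [self.challenge.sender cancelChallenge];
    self.challenge = nil;
    [self dismissViewControllerAnimated:YES completion:nil];
}
@end
// External browser variant: the same match guards the custom URL scheme callback in the app delegate.
@interface AppDelegate : UIResponder <UIApplicationDelegate>
@property (nonatomic, strong) ONGBrowserRegistrationChallenge *browserRegistrationChallenge;
@end
@implementation AppDelegate
- (BOOL)application:(UIApplication *)application openURL:(NSURL *)url options:(NSDictionary<NSString *, id> *)options {
    if (self.browserRegistrationChallenge == nil || !ONGMatchesConfiguredRedirectURL(url)) return NO;
    [self.browserRegistrationChallenge.sender respondWithURL:url challenge:self.browserRegistrationChallenge];
    self.browserRegistrationChallenge = nil;
    return YES;
}
@end
```

The app delegate's userClient:didReceiveBrowserRegistrationChallenge: must store the challenge in browserRegistrationChallenge before calling openURL:, otherwise the callback has nothing to respond to.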