Auth0 Swift SDK .authentication()。login返回无效令牌
[英]Auth0 Swift SDK .authentication().login returning invalid token
问题描述
I recently began a new project that uses Auth0 in which I am adding an iOS app to an existing web app project. 
我最近开始了一个使用Auth0的新项目,其中将一个iOS应用添加到现有的Web应用项目中。 The web app uses a machine to machine Auth0 app and we have added a Auth0 native app to handle the iOS authentication. 该网络应用使用一台机器来处理Auth0应用,并且我们添加了Auth0本机应用来处理iOS身份验证。
Everything is working as expected if I use the .webauth() call. 如果我使用.webauth()调用,一切都会按预期进行。 The webauth returns a valid token and through breakpoints I have followed the code to see that it goes through the PKCE process. webauth返回一个有效的令牌,并通过断点跟踪代码,以确保它通过了PKCE流程。
The issue I am wondering about is if it is possible to use the Swift SDK and .authentication().login to get a valid token so I can create a custom login page. 我想知道的问题是,是否可以使用Swift SDK和.authentication()。login来获取有效令牌,以便创建自定义登录页面。 The designers requirements are such that custom is what we need. 设计人员的要求是定制是我们需要的。
Currently if I just use the .authentication().login call it returns an invalid token. 当前,如果我只使用.authentication()。login调用,它将返回无效的令牌。 I can see that this flow does not follow PKCE protocol and returns a token whose header says it is signed with RS256 when in reality it is signed with HS256. 我可以看到,此流程不遵循PKCE协议,而是返回一个令牌,该令牌的标头说它是用RS256签名的,而实际上是用HS256签名的。
I see where I can implement a PKCE authentication through RESTful calls(and using a webview...) but I would think it would be possible with the swift SDK provided. 我看到可以通过RESTful调用(和使用Webview ...)实现PKCE身份验证的地方,但我认为可以使用提供的swift SDK来实现。 Any hints or help would be greatly appreciated. 任何提示或帮助将不胜感激。
Using Auth0.Swift 1.2.2, Xcode 10 beta, ios 11, swift 4. 使用Auth0.Swift 1.2.2,Xcode 10 beta,iOS 11,Swift 4。
The webauth call: webauth调用:
Auth0
.webAuth()
.connection("MY-CONNECTION)
.audience("https://myapp.auth0.com/userinfo")
.start { result in
switch result {
case .success(let credentials):
print("credentials: \(credentials)")
case .failure(let error):
print(error)
}
}
The authentication() call: authentication()调用:
Auth0
.authentication()
.login(
usernameOrEmail: "me@mycompany.com",
password: "password",
realm: "MY-CONNECTION",
audience: "https://myapp.auth0.com/userinfo",
scope: "openid")
.start { result in
switch result {
case .success(let credentials):
print("Obtained credentials: \(credentials)")
case .failure(let error):
print("Failed with \(error)")
}
}
Thank you, 谢谢,
ben 本
1 个解决方案
解决方案1
-1 已采纳 2018-09-11 14:36:57
It has been pointed out to me that creating a custom Auth0 login basically goes against the security that Auth0 is trying to provide. 已经向我指出,创建自定义Auth0登录名基本上违反了Auth0试图提供的安全性。 It takes the handling of usernames and passwords out of Auth0's hands and puts them back into being handled by the creator of the app. 它将用户名和密码的处理权从Auth0手中移开,然后又由应用程序的创建者处理。
So, custom logins are not supposed to be part of the design. 因此,自定义登录不应视为设计的一部分。 And despite it's lack of customizability I will be implementing the .lock login flow to keep from having to use a web login in my app. 并且尽管缺乏可定制性,我仍将实现.lock登录流程,以免于不得不在我的应用程序中使用网络登录。
Just want to put this here in case someone else ends up in my situation. 只想把它放在这里,以防其他人遇到我的情况。
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.