CYM-Identity tries to follow oAuth and OpenID Connect specifications and therefore is unopinionated when it comes to libraries.
In order to get you started with your iOS app, we recommend that you use
AppAuth-iOSIf you haven't done it yet, you need to create an Application following the
documentationWe strongly recommend that you only use the authorization_code
grant.
By design, an iOS app will consume APIs hosted by a Resource Server.
Follow the instructions in the
documentation to create your Resource Server and Protected Resources.
We believe that the documentation provided by the
AppAuth-iOS team is quite clear on setting up your environment. Once you have completed the initial setup you can continue the following sections.
We recommend that you use the OpenID discovery service instead of a hard coded configuration
Objective C
1NSURL *issuer = [NSURL URLWithString:@"https://${realm.url}/oauth/${realm.name}"];
2
3[OIDAuthorizationService discoverServiceConfigurationForIssuer:issuer
4 completion:^(OIDServiceConfiguration *_Nullable configuration,
5 NSError *_Nullable error) {
6
7 if (!configuration) {
8 NSLog(@"Error retrieving discovery document: %@",
9 [error localizedDescription]);
10 return;
11 }
12
13
14}];
Swift
1let issuer = URL(string: "https://${realm.url}/oauth/${realm.name}")!
2
3OIDAuthorizationService.discoverConfiguration(forIssuer: issuer) { configuration, error in
4 guard let config = configuration else {
5 print("Error retrieving discovery document: \(error?.localizedDescription ?? "Unknown error")")
6 return
7 }
8
9
10}
Now that everything is set up, you can start authenticating your users.
When your users are ready to authenticate, you can trigger an authentication request.
Each logged in user (employee, customer, partner, ...) needs to hold a CYM-Identity License. Add it as part of mass assignment or through your registration flow.
Once again, you can follow the documentation from
AppAuth-iOSDuring the authorization_code exchange, you can specify the audience
or the resource
your application need to access
Objective C
1
2OIDAuthorizationRequest *request =
3 [[OIDAuthorizationRequest alloc] initWithConfiguration:configuration
4 clientId:kClientID
5 scopes:@[OIDScopeOpenID, OIDScopeProfile, @"pictures"]
6 redirectURL:kRedirectURI
7 responseType:OIDResponseTypeCode
8 additionalParameters:nil];
9
10
11AppDelegate *appDelegate =
12 (AppDelegate *)[UIApplication sharedApplication].delegate;
13appDelegate.currentAuthorizationFlow =
14 [OIDAuthState authStateByPresentingAuthorizationRequest:request
15 presentingViewController:self
16 callback:^(OIDAuthState *_Nullable authState,
17 NSError *_Nullable error) {
18 if (authState) {
19 NSLog(@"Got authorization tokens. Access token: %@",
20 authState.lastTokenResponse.accessToken);
21 [self setAuthState:authState];
22 } else {
23 NSLog(@"Authorization error: %@", [error localizedDescription]);
24 [self setAuthState:nil];
25 }
26}];
Swift
1
2let request = OIDAuthorizationRequest(configuration: configuration,
3 clientId: clientID,
4 clientSecret: clientSecret,
5 scopes: [OIDScopeOpenID, OIDScopeProfile, "pictures"],
6 redirectURL: redirectURI,
7 responseType: OIDResponseTypeCode,
8 additionalParameters: nil)
9
10
11print("Initiating authorization request with scope: \(request.scope ?? "nil")")
12
13let appDelegate = UIApplication.shared.delegate as! AppDelegate
14
15appDelegate.currentAuthorizationFlow =
16 OIDAuthState.authState(byPresenting: request, presenting: self) { authState, error in
17 if let authState = authState {
18 self.setAuthState(authState)
19 print("Got authorization tokens. Access token: " +
20 "\(authState.lastTokenResponse?.accessToken ?? "nil")")
21 } else {
22 print("Authorization error: \(error?.localizedDescription ?? "Unknown error")")
23 self.setAuthState(nil)
24 }
25}
The access_tokens generated initially have a short lifetime, and you'll need new ones to keep accessing APIs on behalf of the user. Once an access_token
has expired, you'll get a 401
response from an API.
Objective C
1NSMutableDictionary<NSString *, NSString *> *additionalParameters = [[NSMutableDictionary alloc] init];
2[additionalParameters setValue:@"RESOURCE_SERVER_CLIENT_ID" forKey:@"audience"];
3OIDTokenRequest *tokenExchangeRequest = [_authState.lastAuthorizationResponse tokenExchangeRequestWithAdditionalParameters:additionalParameters];
4[OIDAuthorizationService performTokenRequest:tokenExchangeRequest
5 callback:^(OIDTokenResponse *_Nullable tokenResponse,
6 NSError *_Nullable error) {
7
8 if (!tokenResponse) {
9 [self logMessage:@"Token exchange error: %@", [error localizedDescription]];
10 } else {
11 [self logMessage:@"Received token response with accessToken: %@", tokenResponse.accessToken];
12 }
13
14 [_authState updateWithTokenResponse:tokenResponse error:error];
15}];
When you made the previous request, you chose a specific ResourceServer to which you needed access. If you need an access_token scoped to a different Resource Or ResourceServer, you can request for it
1NSMutableDictionary<NSString *, NSString *> *additionalParameters = [[NSMutableDictionary alloc] init];
2[additionalParameters setValue:@"DIFFERENT_RESOURCE_SERVER_CLIENT_ID" forKey:@"audience"];
3OIDTokenRequest *tokenExchangeRequest = [_authState tokenRefreshRequestWithAdditionalParameters:additionalParameters];
4[OIDAuthorizationService performTokenRequest:tokenExchangeRequest
5 callback:^(OIDTokenResponse *_Nullable tokenResponse,
6 NSError *_Nullable error) {
7
8 if (!tokenResponse) {
9 [self logMessage:@"Token exchange error: %@", [error localizedDescription]];
10 } else {
11 [self logMessage:@"Received token response with accessToken: %@", tokenResponse.accessToken];
12 }
13
14 [_authState updateWithTokenResponse:tokenResponse error:error];
15}];
1NSMutableDictionary<NSString *, NSString *> *additionalParameters = [[NSMutableDictionary alloc] init];
2[additionalParameters setValue:@"https://resource.url" forKey:@"resource"];
3OIDTokenRequest *tokenExchangeRequest = [_authState tokenRefreshRequestWithAdditionalParameters:additionalParameters];
4[OIDAuthorizationService performTokenRequest:tokenExchangeRequest
5 callback:^(OIDTokenResponse *_Nullable tokenResponse,
6 NSError *_Nullable error) {
7
8 if (!tokenResponse) {
9 [self logMessage:@"Token exchange error: %@", [error localizedDescription]];
10 } else {
11 [self logMessage:@"Received token response with accessToken: %@", tokenResponse.accessToken];
12 }
13
14 [_authState updateWithTokenResponse:tokenResponse error:error];
15}];