Hi,
The iOS platform provides built-in implementations for authenticating against HTTP endpoints
that support Basic / Digest authentication (among others). The workflow when iOS tries to
authenticate against those endpoints is basically:
a) A credential storage singleton object provided by the system is consulted for
authentication credentials. If credentials are found, the system proceeds with
authentication. Understandably, for this to work, the developer has to initially push the
credentials to the system object (and remove them when done).
b) If credentials are NOT found, the system tries to call the delegate method e.g.
'connection:didReceiveAuthenticationChallenge', giving a chance for the user to
provide the credentials, by calling the appropriate methods on the authentication
challenge object passed in.
The AeroGear library currently has a notion of pluggable authentication modules providing an
interface for clients to implement 'login' and 'logout' methods,
depending on the authentication scenarios that they try to support. This fits nicely with
the singleton credential storage approach, in the sense that when doing 'login' and
'logout', we simply edit the credential storage, adding or removing credentials
appropriately. A branch for this work can be found here. For usage, have a look at our
integration test.
For testing purposes, another branch was created, this time letting the user directly
pass an NSURLCredential object initialised with the username/password combination during
the Pipe configuration. Those credentials are internally stored and given back to the
system by implementing the necessary callback. A usage example can be found in our
integration test.
advantages of using the singleton approach:
- fits nicely with the authentication mechanism we have in place (as an extension
HTTPBasicDigestAuthenticationModule) so user familiarity when looking to add basic/digest
support to the Pipe.
- we control the credential type e.g. 'NSURLCredentialPersistenceForSession'. This
eliminates errors of using 'NSURLCredentialPersistencePermanent' and having the
user explicitly clear the keychain when trying to login with a different combination.
From my search, many errors occur because of this.
disadvantages of using the singleton approach:
- not sure if many iOS devs will like the fact of creating an Authenticator object instead
of directly using an NSURLCredential object that they are used to.
---
advantages of using the 'nsurlcredential' directly:
- users' familiarity with the object.
- no explicit login/logout request.
disadvantages of using the 'nsurlcredential' directly:
- a wrong credential type can lead to errors.
After discussions with Matthias, we are more keen on following the
HTTPBasicDigestAuthenticationModule approach instead of providing the NSURLCredential
configuration option on the Pipe. Surely enough, in the documentation we will explicitly
state that the "login"/"logout" methods serve as a means to set up
the iOS authentication system internally so users don't have to (instead of calling
remote endpoints).
Wdyt?
Thanks,
Christos
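
The two approaches compared in the message above, as an added Objective-C example that is not part of the original message and is not AeroGear's code. The class name `ExampleBasicDigestAuth` and its method names are hypothetical, and the realm passed in is assumed to match the one the server announces.

```objective-c
#import <Foundation/Foundation.h>

// Hypothetical helper for illustration; not AeroGear's HTTPBasicDigestAuthenticationModule.
@interface ExampleBasicDigestAuth : NSObject <NSURLConnectionDelegate>
@property (nonatomic, strong) NSURLProtectionSpace *space;
@property (nonatomic, strong) NSURLCredential *credential;
@end

@implementation ExampleBasicDigestAuth

// method is NSURLAuthenticationMethodHTTPBasic or NSURLAuthenticationMethodHTTPDigest.
- (instancetype)initWithURL:(NSURL *)url realm:(NSString *)realm method:(NSString *)method {
    if ((self = [super init])) {
        BOOL https = [url.scheme isEqualToString:@"https"];
        NSInteger port = url.port ? url.port.integerValue : (https ? 443 : 80);
        _space = [[NSURLProtectionSpace alloc] initWithHost:url.host port:port
                     protocol:url.scheme realm:realm authenticationMethod:method];
    }
    return self;
}

// Singleton approach: "login" only pushes the credential into the system storage.
- (void)loginWithUser:(NSString *)user password:(NSString *)password {
    // The module fixes the persistence type: session only, nothing lands in the keychain.
    self.credential = [NSURLCredential credentialWithUser:user password:password
                                   persistence:NSURLCredentialPersistenceForSession];
    [[NSURLCredentialStorage sharedCredentialStorage]
        setDefaultCredential:self.credential forProtectionSpace:self.space];
}

// "logout" removes the credential again; no remote endpoint is called.
- (void)logout {
    if (!self.credential) return;
    [[NSURLCredentialStorage sharedCredentialStorage]
        removeCredential:self.credential forProtectionSpace:self.space];
    self.credential = nil;
}

// Direct approach: the system found nothing in storage and asks the delegate.
- (void)connection:(NSURLConnection *)connection
didReceiveAuthenticationChallenge:(NSURLAuthenticationChallenge *)challenge {
    if (self.credential && challenge.previousFailureCount == 0) {
        [challenge.sender useCredential:self.credential forAuthenticationChallenge:challenge];
    } else {
        // Rejected once already (or nothing to offer): stop instead of retrying forever.
        [challenge.sender cancelAuthenticationChallenge:challenge];
    }
}
@end
```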