I have done quite a lot of tests on iOS, and at this point I have come to the conclusion that both Keycloak and AppAuth support SSO, but it's iOS itself that is causing quite a lot of problems.
On iOS 11, AppAuth uses SFAuthenticationSession to perform user authentication. This is required by Apple and the idea is that each `SFAuthenticationSession` is like a sandboxed Safari and it only contains the cookies & website data that will be used by the target website. This is to prevent user data from being leaked.
After the user has finished logging in using `SFAuthenticationSession`, the cookies & website data are supposed to sync back to the main Safari. Later on, these data can be used in other apps' `SFAuthenticationSession` to support SSO.
However, based on my testing, it looks like for some reason, the cookies & website data are not always synced back to Safari. I have documented my findings here: https://github.com/openid/AppAuth-iOS/issues/186.
I tested using both Google and Keycloak and I am seeing similar behaviours on iOS 11 devices.
At this point, I think there is no further work we should do code-wise. Instead, we should update the SSO document for iOS to add a few notes:
1. Developers will need to enable the "Remember Me" option in Keycloak to allow SSO for iOS.
2. Be careful about logging out sessions. This will not remove the cookies from the `SFAuthenticationSession`, which means users will have to log in again to invalidate the existing cookies.
3. SSO doesn't always work on iOS 11 devices. But it is a problem with iOS 11 itself.