Networking with URLSession - Part 8: Authentication | Ray Wenderlich

Learn how to handle authentication and cookies.

This is a companion discussion topic for the original entry at

Hi Audrey,
i have a question about authentication and I would be grateful if you can give me your insight.

I develop an app that uses authentication with access and refresh tokens. I know that access tokens are valid typically for 1 hour and refresh tokens for 20-30 days and for only one use. Consider a scenario in which a view controller can use a few URLRequests concurrently which all of them require authorization using the token and return deferent type of data. In this scenario, if the access token expires, all of the URLRequests will fail. If I use your mechanism from the finished challenge of the part 8 of the course, then all URLRequests will call respectively the refreshToken function using the existing refresh token. This will result in an error, because only one of the URLRequests that will try to refresh the token will success. The rest of them will fail because they will try to refresh the token with a refresh token that was already used.

Do you know how i can handle this situation? I’m stuck for almost a week now and i became a subscriber in order to find out if you’re handling this situation in your video tutorials.


hi Spyros: no, I don’t handle this case, but it sounds similar to the thread safety problem in my other video course.

You could use a combination of sync access to the access and refresh tokens (like the name property in ThreadSafePerson), and make a dispatch barrier task for using the refresh token. The timing might still be a little tricky to get right, and you might have to set and check a flag like accessTokenRefreshed.

Hi Audrey!
The authentication topic is the most important for me in networking, but I can’t do challenge because of the registration on issue. I get 503 status code - Service Unavailable - in a registration response. Could you help me? Thanks in advance.

hi! unfortunately, it seems Stormpath has changed something on its server. I’ll take a closer look, to see what they’ve changed, or whether they’ve actually removed the web app :slightly_frowning_face:

Update: @antonkrylov Stormpath joined Okta recently, and shut down the Stormpath API on Aug 17. I’ll find another server, or build my own. Stay tuned!

Please update the example with some other api. Thanks

The whole course has been updated to Swift 4 / Xcode 9. This should appear soon.

In this update, I’ve replaced Stormpath Notes with my own web app, and playgrounds that use basic authentication to get a token, then use the token to post a new item to the web app.


Hi, Audrey!
Is it possible to add chapter in updated networking course about implementing OAuth 2.0 using popular social networks like Facebook / Twitter / LinkedIn WITHOUT their pods? Just with URLSession? Or is it a topic for separate course?

yes, that would be possible, but I think the next update of this course might split it into two courses — it’s already pretty long, and some of the videos are too long, too. is being updated to Swift 4 etc. The original tutorial uses 3 different OAuth 2 frameworks, all of which just wrap the URLSession code, then just post to a specific Google Drive endpoint.

1 Like