OAuth on mobile apps

Vapor has a chapter on taking the implementation of OAuth and using it with the web app, but it doesn’t tie in quite as nicely to the iOS app. I’m wondering how to use the setup we’ve built with Vapor to log in from the iOS app.

OAuth on mobile gets more complicated because of the trouble with redirects. Essentially it’s the same process, however; just when Google or whoever redirects back with the token, they need to redirect back to your app. So you can open an SFViewController to go to Google so the user can give permission, and then you either set the redirect URL to your app using a custom URL scheme or use deep linking to intercept the redirect in your app.

Ah ok, so would it be easier to just use a library like OAuth2 or OAuthSwift?

Close but not quite. You want to initiate the OAuth flow from the device but the tokens actually need to go to the server to be saved and then provide a token from your Vapor app to the iOS client. Make sense?

(There’s also more logic that can be built in, such as what to do if your access token has expired and you need to make a request to the Google endpoints, etc.)

Oh, I see. Are there any guides for implementing that sort of logic?

Unfortunately not at the moment. But you could use OAuthSwift and post the token back to the server in your iOS app as a first step?

Hi, I have a question here.
Do we have to send a token to our backend server when we use Google Sign-In?
My users can now log in to my app without sending any token to my backend; is that banned, or is it dangerous?
Another question: my team leader said that we have to add Apple Sign In when we use login stuff. Is that correct? And if it is, how can we add Apple Sign In to our Vapor backend?

You need to send something verifiable to your backend when using any kind of social login. Otherwise I could just pretend to your backend that I’m logged in. You must always verify stuff on the backend and never trust what the client is sending to you.

So when you login with your app and then start creating things, how does the backend know who you are? Sign in With Apple is required if you allow other 3rd party logins. You send the JWT provided from iOS when you sign in with apple to your Vapor backend, and can verify it using jwt/JWT+Apple.swift at main · vapor/jwt · GitHub

I see.
Our Vapor TIL app has a Google Sign-In login and creates this stuff (uses a token). Should I create a new router in my backend for the iOS Google Sign-In login, or should I use this router in my iOS app?
Is there any example of adding Google Sign-In to an iOS app written with Vapor?

And another question:
Google gives this information after the user signs in with Google:

let userId = user.userID                  // For client-side use only!
let idToken = user.authentication.idToken // Safe to send to the server
let fullName = user.profile.name
let givenName = user.profile.givenName
let familyName = user.profile.familyName
let userEmail = user.profile.email

If I add a new variable like
let userPassword: String = "PASSWORD"
and use it in the CreateUser() method

let user = CreateUser(name: userFullName, username: userEmail, password: userPassword, email: userEmail)

If this succeeds, then we call the Auth.login() method
and use this information in Auth().login(username: username, password: userPassword)
Actually we use TOKEN stuff here :slight_smile:
If this succeeds,
then log in to the app.

Can I do this stuff? :slight_smile:

For Google login from an iOS app, what I have done in the past is to get the iOS app to launch an ASWebAuthenticationSession which hits the OAuth route, as if going from the website. Then when it redirects back to the server, you can create the user as described in the book, then instead of redirecting to the dashboard, redirect to something like myapp://login?token=ABC to pass your own token to the iOS app for use in the future.
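Both halves of the flow described above, written out as an added example (not code from the thread, the book, or the Vapor project). It assumes the TIL book's `User` and `Token` models with `Token.generate(for:)`, a `myapp` URL scheme registered by the iOS app, and a Vapor host at `example.com` with the OAuth start route at `/login-google`; the two parts live in separate targets.

```swift
// ---- Server side (Vapor target) ----
import Vapor
import Fluent

/// Assumed helpers from the TIL book: a `User` model and a `Token` model whose
/// `Token.generate(for:)` creates a random bearer token tied to the user.
/// Call this from the Google OAuth callback once the user has been found or created,
/// in place of the redirect to the dashboard.
func redirectToApp(_ req: Request, user: User) async throws -> Response {
    let token = try Token.generate(for: user)
    try await token.save(on: req.db)
    // Build the custom-scheme URL with URLComponents so the token is percent-encoded.
    var components = URLComponents()
    components.scheme = "myapp"   // assumption: the scheme registered by the iOS app
    components.host = "login"
    components.queryItems = [URLQueryItem(name: "token", value: token.value)]
    guard let url = components.string else { throw Abort(.internalServerError) }
    // The app's own opaque token goes in the URL, never the Google access or ID token;
    // only the app that registered "myapp" receives this redirect.
    return req.redirect(to: url)
}

// ---- Client side (iOS app target) ----
import AuthenticationServices

final class OAuthLogin: NSObject, ASWebAuthenticationPresentationContextProviding {
    private var session: ASWebAuthenticationSession?

    /// Opens the server's OAuth start route and hands back the app token from the callback URL.
    func start(completion: @escaping (String?) -> Void) {
        let startURL = URL(string: "https://example.com/login-google")! // assumption: your Vapor host/route
        session = ASWebAuthenticationSession(url: startURL, callbackURLScheme: "myapp") { callbackURL, error in
            guard error == nil, let callbackURL = callbackURL else { return completion(nil) }
            // Accept only the exact host the server redirects to, then read the `token` query item.
            guard callbackURL.host == "login",
                  let token = URLComponents(url: callbackURL, resolvingAgainstBaseURL: false)?
                      .queryItems?.first(where: { $0.name == "token" })?.value
            else { return completion(nil) }
            completion(token) // store it in the Keychain and send it as a Bearer header from now on
        }
        session?.presentationContextProvider = self
        session?.prefersEphemeralWebBrowserSession = true // no shared Safari cookies for the login
        session?.start()
    }

    func presentationAnchor(for session: ASWebAuthenticationSession) -> ASPresentationAnchor {
        ASPresentationAnchor() // use your app's key window in a real app
    }
}
```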