Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Feature Request: Allow prefersEphemeralWebBrowserSession in iOS (disable "true" SSO) #42

Open
thorsten-wolf-neptune opened this issue Sep 5, 2024 · 1 comment
Open

Feature Request: Allow prefersEphemeralWebBrowserSession in iOS (disable "true" SSO) #42

thorsten-wolf-neptune opened this issue Sep 5, 2024 · 1 comment

Comments

@thorsten-wolf-neptune
Copy link

Hi all,

first of all. Thanks for this amazing plugin! We really love using it :-)

One feature request we have and think is pretty easy to implement is to allow configuring "true" SSO or "forced reauthentication" for oauth login session.
Currently on iOS (if ASWebAuthenticationSession is used) the window.open request will bring a native prompt asking the user that the app wants to login to the target idp provider.
So the safari browser that will show up after the user confirms this dialog might reuse existing session cookies and other data from safari. So th user might have a "true" SSO experience as an already existing login might automatically take place.

However there is usecases where you might want the user to be forced to reauthenticate.
IOS thought of this by having a property called prefersEphemeralWebBrowserSession
(see https://developer.apple.com/documentation/authenticationservices/authenticating-a-user-through-a-web-service#Optionally-Request-Ephemeral-Browsing and https://developer.apple.com/documentation/authenticationservices/aswebauthenticationsession/prefersephemeralwebbrowsersession )

The implementation would be very simple as it just would require to set that property to true before calling start().
Actually there is a fork that is doing exactely that:
https://github.com/TrustlyInc/cordova-plugin-oauth/blob/5a4a91906818d7a8278b383f3da5b0d435c2d2c1/src/ios/OAuthPlugin.swift#L52

So it would be really awesome to have a parameter that allows configuring wheather a "true" SSO experience should be initiated or a forced reauthentication should be required regardless if the user is already signed in with the native browser.

As the window.open function has an optional third parameter for "features" that currently doesn't seem to be used it would be great to allow passing a JSON that could contain a property that would lead to setting prefersEphemeralWebBrowserSession to true.

What do you think?

Cheers
Thorsten
@dpogue
Copy link
Member

dpogue commented Jan 14, 2025

I think this makes sense to add, although it doesn't appear that Android has any equivalent, and it would probably only work on a subset of iOS versions (although Cordova itself doesn't really support anything older than iOS 13 going forward).

Using the window features parameter makes sense (and I'm considering also supporting a oauth=true option there instead of prefixing the window name, for better web compatibility).

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
None yet
Milestone
No milestone
Development

No branches or pull requests
2 participants
@dpogue @thorsten-wolf-neptune