SFSafariViewController Remove OAuth2 Cookie

ios oauth ios9 uber-api
duncanc4 picture duncanc4 · Sep 22, 2015 · Viewed 8.3k times · Source

I have an iOS application that authenticates with Uber API using OAuth2 in a UIWebView. When upgrading to iOS 9, I run in to the issue of ATS blocking the https request for the login page. I then added an exception for the Uber login page, but then noticed the login page makes several other requests to Facebook, Amazon Web Services, and other websites, all getting blocked by ATS.

I don't want to have to maintain a list of exceptions for the the Uber login page, as Uber can easily change their page and my app won't have the correct exceptions. So I decided to give SFSafariViewController a shot.

I am able to complete OAuth2 process with the SFSafariViewController, the problem is there is some type of cookie being stored from Uber when the authentication completes. If I want to authenticate a different account and I bring up the SFSafariViewController again, the cookie is picked up from the previous authentication, and there is no chance to authenticate a different account. I got around this with the UIWebView by deleting the cookie through NSHTTPCookieStorage, but I don't see a way to delete the cookie from SFSafariViewController.

Answer

Alex Bitek picture Alex Bitek · Feb 29, 2016

For iOS 9 and onwards the best choice is to use the WKWebView class available in the WebKit Framework

which provides a WKWebsiteDataStore that can be used to delete cookies/caches used by the webview, see for example: https://stackoverflow.com/a/31803708/313113 or https://stackoverflow.com/a/32491271/313113

According to the docs: SFSafariViewController shares cookies and other website data with Safari and because it runs outside your app's process (for security reasons) you cannot modify it's state from inside your app. See this answer: https://stackoverflow.com/a/34136074/313113 from someone who contacted Apple customer support and got the following reply:

SFSafariViewController runs outside of my App's process and in order to be secure my App can not modify SFSafariViewController's state. In other words, my App can not clear credentials stored by SFSafariViewController.

Related questions

Sign in with Apple (iOS App + Backend verification) API returns error "invalid_client"

I'm trying to implement Sign In with Apple with an iOS app and a backend. The goal is this: The User signs in on the iOS app After a positive response the app calls an endpoint on the backend and …

Read More
SFAuthenticationSession/ASWebAuthenticationSession and logging out

I'm planning to switch an app from the old OAuth flow with the SFSafariViewController to the new flow with iOS 11's SFAuthenticationSession. Logging in isn't an issue, the transfer to the new API took me a few minutes to implement. …

Read More
How can I develop for iPhone using a Windows development machine?

Is there any way to tinker with the iPhone SDK on a Windows machine? Are there plans for an iPhone SDK version for Windows? The only other way I can think of doing this is to run a Mac VM …

Read More