WIP: Add Remember Device support #145

Open · wants to merge 2 commits into master

Conversation

@oleggnidets-okta (Contributor) commented Mar 25, 2021

Important: the backend takes into account only deviceToken. If it exists, then the backend perceives rememberDevice as true all the time. In other words, rememberDevice=false is ignored on the backend side.

Problem Analysis (Technical)

The library does not expose rememberDevice and deviceToken parameters.
The feature was requested by the reporter in the oidc-ios repo.

Solution (Technical)

Make rememberDevice and deviceToken available for developers.

Tests

Added parameters in tests.
I didn't add integration tests that ensure MFA is not asked for a second time and the device is remembered, because that involves additional policy rules. Also, I don't know which org is used, because the global variables are hidden in the Travis settings.

If you think it's required, I can work on that further.

@oleggnidets-okta (Contributor, Author) commented Mar 25, 2021

@IldarAbdullin-okta I've just looked at #120. You said that deviceToken is omitted on purpose 😯
As I can see in Device Token Best Practices, native apps can generate their own unique device ID.
So I think using this parameter can be up to customers (developers). What do you think?

https://developer.okta.com/docs/reference/api/authn/#device-token-best-practices

BTW, fingerprint is not considered safe according to the documentation.

@IldarAbdullin-okta (Contributor) commented:

> @IldarAbdullin-okta I've just looked at #120. You said that deviceToken is omitted on purpose 😯
> As I can see in Device Token Best Practices, native apps can generate their own unique device ID.
> So I think using this parameter can be up to customers (developers). What do you think?
>
> https://developer.okta.com/docs/reference/api/authn/#device-token-best-practices
>
> BTW, fingerprint is not considered safe according to the documentation.

There are many contradictions in the documentation. My concern is based on the following statement:

Specifying your own deviceToken is a highly privileged operation limited to trusted web applications and requires making authentication requests with a valid API token. If an API token is not provided, the deviceToken will be ignored.

The Auth SDK doesn't use an SSWS API token, so it is considered an untrusted client and therefore can't use deviceToken. On the other hand, developers are saying that the server accepts deviceToken and that they can use it in authentication requests. So it is either a documentation bug or a server code bug. If it is indeed a server-side bug, then implementing this in the SDK is a certain risk.

cc: @robertdamphousse-okta
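As an added example that is not part of this pull request or of okta-auth-swift, the Swift below shows what the Device Token Best Practices thread above amounts to for a native app: generate a random per-install identifier (not a fingerprint), keep it in the Keychain so it survives relaunches but is not restored onto a different device, and, because the description at the top states that the server treats any request carrying a deviceToken as rememberDevice=true, attach the token only when the user has actually opted in. The DeviceTokenStore and authnContext names and the service identifier are mine; the request shape (a context object carrying a deviceToken of at most 32 characters) follows the Authentication API reference linked above.

```swift
import Foundation
import Security

/// Hypothetical helper (added example, not okta-auth-swift code).
enum DeviceTokenStore {
    private static let service = "com.example.app.okta-device-token" // assumed identifier
    private static let account = "deviceToken"

    enum KeychainError: Error { case status(OSStatus) }

    /// Returns the stored token, creating and persisting a new one on first use.
    static func loadOrCreate() throws -> String {
        if let existing = try load() { return existing }
        // Random UUID, not derived from hardware identifiers or a browser-style fingerprint.
        // Hyphens removed so the value fits the 32-character limit of the API.
        let token = String(UUID().uuidString.replacingOccurrences(of: "-", with: "").prefix(32))
        try save(token)
        return token
    }

    static func load() throws -> String? {
        let query: [String: Any] = [
            kSecClass as String: kSecClassGenericPassword,
            kSecAttrService as String: service,
            kSecAttrAccount as String: account,
            kSecReturnData as String: true,
            kSecMatchLimit as String: kSecMatchLimitOne,
        ]
        var item: CFTypeRef?
        let status = SecItemCopyMatching(query as CFDictionary, &item)
        if status == errSecItemNotFound { return nil }
        guard status == errSecSuccess, let data = item as? Data else {
            throw KeychainError.status(status)
        }
        return String(data: data, encoding: .utf8)
    }

    private static func save(_ token: String) throws {
        let attrs: [String: Any] = [
            kSecClass as String: kSecClassGenericPassword,
            kSecAttrService as String: service,
            kSecAttrAccount as String: account,
            kSecValueData as String: Data(token.utf8),
            // ThisDeviceOnly: the token is never migrated to another device via backup,
            // so "remembered" really means this installation on this device.
            kSecAttrAccessible as String: kSecAttrAccessibleAfterFirstUnlockThisDeviceOnly,
        ]
        let status = SecItemAdd(attrs as CFDictionary, nil)
        guard status == errSecSuccess else { throw KeychainError.status(status) }
    }
}

/// Builds the optional "context" object for an /api/v1/authn request.
/// The server remembers the device whenever a deviceToken is present, regardless of
/// rememberDevice, so the only way to honour "do not remember" is to send no token at all.
func authnContext(userOptedIn: Bool) throws -> [String: Any]? {
    guard userOptedIn else { return nil }
    return ["deviceToken": try DeviceTokenStore.loadOrCreate()]
}
```

The caveat from the discussion still applies: whether the server honours a client-supplied deviceToken without an SSWS API token is exactly what the two comments above disagree on, so an app relying on this should verify the behaviour against its own org rather than assume it.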

@mikenachbaur-okta (Collaborator) left a comment:

This looks good, but can you add some documentation somewhere to capture this? Thanks

@@ -150,6 +150,7 @@ open class OktaFactor {

public func verify(passCode: String?,
answerToSecurityQuestion: String?,
rememberDevice: Bool? = nil,
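Review bot: the new rememberDevice: Bool? = nil parameter on verify(passCode:answerToSecurityQuestion:) has no doc comment, and the hunk does not show how nil is treated; document that nil omits rememberDevice from the request rather than sending false, and note, as the description at the top of this pull request states, that the server treats any request carrying a deviceToken as rememberDevice=true, so passing false has no effect in that case.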
@mikenachbaur-okta (Collaborator) commented on this line:

Thank you for assigning a default; it's nice that this won't result in a breaking API change.

@oleggnidets-okta oleggnidets-okta changed the title Add Remember Device support WIP: Add Remember Device support Nov 9, 2021
@kyle-beard-wex commented:

@oleggnidets-okta What is the status of this pull request? Are we planning on still allowing rememberDevice for the iOS SDK? Our team is looking to have this functionality (as are others I've seen in various threads) to prevent users from experiencing the MFA factor required every time they try to log in.

Linked issue (successfully merging this pull request may close it): Add "deviceToken" parameter to authenticate() function - need it by 9/23/2019

4 participants