Authentication
The Sudo Platform allows users to sign in from client apps using various mechanisms. Once signed in, a user obtains authentication tokens (OpenID Connect ID and access tokens) that can be used to access other services within the platform.
OIDC Federated Sign In
In order to use federated sign in, you must have completed the federated sign in setup for your project by contacting [email protected].
If you are using an external identity provider that supports the OpenID Connect (OIDC) standard, then Sudo Platform access can be granted via federated sign in. When the user signs into your identity provider, they are federated and authenticated into the Sudo Platform via the OpenID Connect web flow. The user is not required to sign into your identity provider again until the refresh token expires. The refresh token lifetime can be configured by contacting [email protected].
Federated sign in requires the app to be configured with a URL scheme so that the authentication tokens from your identity provider can be passed into your app when the user performs federated sign in via a web view launched by the app. The URL scheme that you set up for your app must match one of the callback and logout URLs configured in the federated sign in configuration. To set up these URLs, contact [email protected].
Setting up a URL scheme for an iOS app:
For example, add the following entry to the Info.plist file of your app.
<key>CFBundleURLTypes</key>
<array>
<dict>
<key>CFBundleURLSchemes</key>
<array>
<string>$(PRODUCT_BUNDLE_IDENTIFIER)</string>
</array>
</dict>
</array>
Setting up a URL scheme for an Android app:
For example, add the following to your app manifest in the main activity section:
<intent-filter>
<action android:name="android.intent.action.VIEW" />
<category android:name="android.intent.category.DEFAULT" />
<category android:name="android.intent.category.BROWSABLE" />
<data android:scheme="com.mycompany.myapp"/>
</intent-filter>
Signing in via federated sign in:
do {
let tokens = try await client.presentFederatedSignInUI(presentationAnchor: window)
// "tokens.idToken" can be used to initialize other service specific clients to authenticate to the backend API.
// The ID token and access token will expire after the number of seconds specified in "lifetime". The tokens will be
// refreshed automatically or can be manually refreshed by calling the "refreshTokens" API.
} catch {
// Handle error. An error may be thrown if the backend is unable to perform the
// requested operation due to availability or security issues.
// An error might also be thrown for unrecoverable circumstances arising
// from a programmatic error or configuration error. For example, if the keychain
// access entitlement is not set up correctly or basic system resources are
// unavailable.
}
Custom Federated Sign In
In order to use custom federated sign in, you must have completed the custom federated sign in setup described in the Registration section.
To sign in using a custom authentication provider, invoke the signInWithAuthenticationProvider API of SudoUserClient with your AuthenticationProvider implementation as input, in the same way registerWithAuthenticationProvider was invoked to register a new Sudo Platform user. For details of the AuthenticationProvider implementation, refer to the Registration section and the API Reference.
Sign In via Private Key
If a user was registered using Sign in Key Registration, they can use the private key from the public/private key pair generated at registration time to digitally sign an authentication token in order to sign in.
To sign in using private-key-based authentication:
do {
let tokens = try await client.signInWithKey()
// "tokens.idToken" can be used to initialize other service specific clients to authenticate to the backend API.
// The ID token and access token will expire after the number of seconds specified in "lifetime", so use "refreshToken"
// to refresh these tokens via the "refreshTokens" API.
} catch {
// Handle error. An error may be thrown if the backend is unable to perform the
// requested operation due to availability or security issues.
// An error might also be thrown for unrecoverable circumstances arising
// from a programmatic error or configuration error. For example, if the keychain
// access entitlement is not set up correctly or basic system resources are
// unavailable.
}
Refreshing ID and Access Tokens
Authentication tokens will expire after 1 hour, so in order to avoid needing to sign in periodically you should refresh those tokens.
To refresh ID and access tokens:
do {
let tokens = try await client.refreshTokens(refreshToken: refreshToken)
// "tokens.idToken" can be used to initialize other service specific clients to authenticate to the backend API.
// The ID token and access token will expire after the number of seconds specified in "lifetime", so use "refreshToken"
// to refresh these tokens via the "refreshTokens" API.
} catch {
// Handle error. An error may be thrown if the backend is unable to perform the
// requested operation due to availability or security issues.
// An error might also be thrown for unrecoverable circumstances arising
// from a programmatic error or configuration error. For example, if the keychain
// access entitlement is not set up correctly or basic system resources are
// unavailable.
}
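As an added example (not part of the SDK or of this page), the following wrapper caches the tokens returned by sign-in, tracks their expiry from "lifetime", and calls "refreshTokens" shortly before they expire so that callers never hand an expired ID token to another service client. The AuthenticationTokens struct, the TokenRefreshing protocol and FakeClient are assumptions standing in for the SDK's SudoUserClient and its token type; "lifetime" is assumed to be an integer number of seconds.

```swift
import Foundation

// Assumed token shape, using the field names this page refers to.
struct AuthenticationTokens {
    let idToken: String
    let accessToken: String
    let refreshToken: String
    let lifetime: Int   // seconds until the ID and access tokens expire (assumed Int)
}

// Assumed protocol matching the refreshTokens(refreshToken:) API shown on this page.
protocol TokenRefreshing {
    func refreshTokens(refreshToken: String) async throws -> AuthenticationTokens
}

/// Holds the current tokens and refreshes them ahead of expiry.
actor SessionTokens {
    private let client: TokenRefreshing
    private var tokens: AuthenticationTokens
    private var expiresAt: Date
    private let skew: TimeInterval = 60   // refresh a minute early to absorb clock drift and request latency

    init(client: TokenRefreshing, initial: AuthenticationTokens, now: Date = Date()) {
        self.client = client
        self.tokens = initial
        self.expiresAt = now.addingTimeInterval(TimeInterval(initial.lifetime))
    }

    /// Returns a usable ID token, refreshing via the client only when the cached one is about to expire.
    func validIdToken(now: Date = Date()) async throws -> String {
        if now >= expiresAt.addingTimeInterval(-skew) {
            tokens = try await client.refreshTokens(refreshToken: tokens.refreshToken)
            expiresAt = now.addingTimeInterval(TimeInterval(tokens.lifetime))
        }
        return tokens.idToken
    }
}

// Constructed stand-in for SudoUserClient so the example runs without the SDK.
struct FakeClient: TokenRefreshing {
    func refreshTokens(refreshToken: String) async throws -> AuthenticationTokens {
        AuthenticationTokens(idToken: "id-2", accessToken: "at-2", refreshToken: refreshToken, lifetime: 3600)
    }
}

let start = Date()
let initial = AuthenticationTokens(idToken: "id-1", accessToken: "at-1", refreshToken: "rt", lifetime: 3600)
let session = SessionTokens(client: FakeClient(), initial: initial, now: start)
let early = try await session.validIdToken(now: start.addingTimeInterval(10))    // well before expiry: no refresh call
let late = try await session.validIdToken(now: start.addingTimeInterval(3590))   // inside the 60 s skew window: refreshed first
print(early, late)
```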
Sign Out
To sign out a user:
do {
try await client.globalSignOut()
} catch {
// Handle error. An error may be thrown if the backend is unable to perform the
// requested operation due to availability or security issues.
// An error might also be thrown for unrecoverable circumstances arising
// from a programmatic error or configuration error. For example, if the keychain
// access entitlement is not set up correctly or basic system resources are
// unavailable.
}
To invalidate authentication tokens for a single device:
do {
try client.signOut()
} catch {
// Handle error. An error might be thrown for unrecoverable circumstances arising
// from a programmatic error or configuration error. For example, if the keychain
// access entitlement is not set up correctly, the client is not signed in,
// or basic system resources are unavailable.
}
To sign out from the hosted UI for OIDC federated sign in:
do {
try await client.presentFederatedSignOutUI(presentationAnchor: window)
} catch {
// Handle error. An error may be thrown if the backend is unable to perform the
// requested operation due to availability or security issues.
// An error might also be thrown for unrecoverable circumstances arising
// from a programmatic error or configuration error. For example, if the keychain
// access entitlement is not set up correctly or basic system resources are
// unavailable.
}