Using OAuth 2 in Liferay Screens for iOS

You can use OAuth 2 to authenticate using Login Screenlet with the following OAuth 2 grant types:

  • Authorization Code (PKCE for native apps): Redirects users to a page in their mobile browser where they enter their credentials. Following login, the browser redirects users back to the mobile app. User credentials can’t be compromised via the app because it never accesses them—it uses a token that can be revoked. This is also useful if users don’t want to enter their credentials in the app. For example, users may not want to enter their Twitter credentials directly in a 3rd-party Twitter app, preferring instead to authenticate via Twitter’s official site. Note that the site you redirect to for authentication must have OAuth 2 implemented.

  • Resource Owner Password: Users authenticate by entering their credentials directly in the app.

  • Client Credentials: Authenticates without requiring user interaction. This is useful when the app needs to access its own resources, not those of a specific user.

This tutorial shows you how to use these grant types with Login Screenlet. Note that before getting started, you may want to see Liferay DXP’s OAuth 2.0 documentation for instructions on registering an OAuth 2.0 application in the portal.

Authorization Code (PKCE)

Follow these steps to use the Authorization Code grant type with Login Screenlet:

  1. Configure the URL where the mobile browser redirects after the user authenticates. To do this, follow the first two steps in the Mobile SDK’s Authorization Code instructions. Note that you must configure this URL in both the portal and your iOS app.

  2. Set Login Screenlet’s loginMode attribute to oauth2Redirect. There are two ways to do this:

    • In code, as the Login Screenlet instance’s authType or loginMode property:

      loginScreenlet.authType = .oauth2Redirect
      // or
      loginScreenlet.loginMode = "oauth2redirect"
      

      Note that oauth2redirect must be a string when set to loginMode.

    • In Interface Builder, as the value of the Login Mode attribute. Do this the same way you set other Screenlet attributes (via the Attributes inspector, with the Screenlet selected in the storyboard). Be sure to enter oauth2redirect with no period preceding it.

  3. Set Login Screenlet’s oauth2clientId attribute to the ID of the portal’s OAuth 2 application that you want to use. To find this value, navigate to that application in the portal’s OAuth 2 Admin portlet.

  4. Set Login Screenlet’s oauth2redirectUrl attribute to the URL you configured in step 1.

  5. In your AppDelegate’s application(_:open:options:) method, call the SessionContext method oauth2ResumeAuthorization with the URL. This notifies Liferay Screens when the redirect has been performed. For more information on the application(_:open:options:) method, see the section Handle Incoming URLs in Apple’s documentation on using custom URLs:

    func application(_ app: UIApplication, open url: URL, 
        options: [UIApplicationOpenURLOptionsKey : Any] = [:]) -> Bool {
            return SessionContext.oauth2ResumeAuthorization(url: url)
    }
    

Note that you can cancel the authorization at any time by calling SessionContext.oauth2Cancel().

Resource Owner Password

Follow these steps to use the Resource Owner Password grant type with Login Screenlet:

  1. Set Login Screenlet’s loginMode attribute to oauth2UsernameAndPassword. There are two ways to do this:

    • In code, as the Login Screenlet instance’s authType or loginMode property:

      loginScreenlet.authType = .oauth2UsernameAndPassword
      // or
      loginScreenlet.loginMode = "oauth2UsernameAndPassword"
      

      Note that oauth2UsernameAndPassword must be a string when setting loginMode.

    • In Interface Builder, as the value of the Login Mode attribute. Do this the same way you set other Screenlet attributes (via the Attributes inspector, with the Screenlet selected in the storyboard). Be sure to enter oauth2UsernameAndPassword with no period preceding it.

  2. Set Login Screenlet’s oauth2clientId attribute to the ID of the OAuth 2 application that you want to use. To find this value, navigate to that application in the OAuth 2 Admin portlet.

  3. Set Login Screenlet’s oauth2clientSecret attribute to the same OAuth 2 application’s client secret.

Client Credentials

The OAuth 2 Client Credentials grant type authenticates without requiring user interaction. This is useful when the app needs to access its own resources, not those of a specific user.

Follow these steps to use the Client Credentials grant type in your Screens app:

  1. Follow the iOS Mobile SDK instructions for using the Client Credentials grant type.

  2. The session object’s authentication property contains a valid authentication object. Cast it to LROAuth2Authentication then pass it to the authentication argument of the SessionContext method loginWithOAuth2:

    let auth = session.authentication as! LROAuth2Authentication
    
    SessionContext.loginWithOAuth2(authentication: auth, userAttributes: [:])
    

    This initializes the Screens SessionContext object, authenticating any Screenlets that you use in the iOS app.

Using OAuth 2 in the iOS Mobile SDK

Using Screenlets in iOS Apps

OAuth 2.0

« Using Web Screenlet with Cordova in Your iOS AppiOS Best Practices »
Was this article helpful?
0 out of 0 found this helpful