You can use OAuth 2 to authenticate using Login Screenlet with the following OAuth 2 grant types:
- Authorization Code (PKCE for native apps): Redirects users to a page in their mobile browser where they enter their credentials. Following login, the browser redirects users back to the mobile app. User credentials can’t be compromised via the app because it never accesses them—it uses a token that can be revoked. This is also useful if users don’t want to enter their credentials in the app. For example, users may not want to enter their Twitter credentials directly in a 3rd-party Twitter app, preferring instead to authenticate via Twitter’s official site. Note that the site you redirect to for authentication must have OAuth 2 implemented.
- Resource Owner Password: Users authenticate by entering their credentials directly in the app.
- Client Credentials: Authenticates without requiring user interaction. This is useful when the app needs to access its own resources, not those of a specific user.
This tutorial shows you how to use these grant types with Login Screenlet. Note that before getting started, you may want to see Liferay DXP’s OAuth 2.0 documentation for instructions on registering an OAuth 2.0 application in the portal.
Authorization Code (PKCE)
Follow these steps to use the Authorization Code grant type with Login Screenlet:
- Configure the URL where the mobile browser redirects after the user authenticates. To do this, follow the first two steps in the Mobile SDK’s Authorization Code instructions. Note that you must configure this URL in both the portal and your iOS app.
- Set Login Screenlet’s `loginMode` attribute to `oauth2Redirect`. There are two ways to do this:
  - In code, as the Login Screenlet instance’s `authType` or `loginMode` property:

    ```swift
    loginScreenlet.authType = .oauth2Redirect
    // or
    loginScreenlet.loginMode = "oauth2redirect"
    ```

    Note that `oauth2redirect` must be a string when set to `loginMode`.
  - In Interface Builder, as the value of the Login Mode attribute. Do this the same way you set other Screenlet attributes (via the Attributes inspector, with the Screenlet selected in the storyboard). Be sure to enter `oauth2redirect` with no period preceding it.
- Set Login Screenlet’s `oauth2clientId` attribute to the ID of the portal’s OAuth 2 application that you want to use. To find this value, navigate to that application in the portal’s OAuth 2 Admin portlet.
- Set Login Screenlet’s `oauth2redirectUrl` attribute to the URL you configured in step 1.
- In your `AppDelegate`’s `application(_:open:options:)` method, call the `SessionContext` method `oauth2ResumeAuthorization` with the URL. This notifies Liferay Screens when the redirect has been performed. For more information on the `application(_:open:options:)` method, see the section Handle Incoming URLs in Apple’s documentation on using custom URLs:

  ```swift
  func application(_ app: UIApplication, open url: URL,
      options: [UIApplicationOpenURLOptionsKey : Any] = [:]) -> Bool {
      return SessionContext.oauth2ResumeAuthorization(url: url)
  }
  ```

  Note that you can cancel the authorization at any time by calling `SessionContext.oauth2Cancel()`.
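One way to guard the handler from the last step, as an added example that is not part of the original tutorial or of Liferay Screens itself: it passes the incoming URL to `SessionContext.oauth2ResumeAuthorization` only when its scheme, host and path match the configured redirect URL. The `my-app://oauth2redirect` value, the `isOAuth2Redirect` helper and the `LiferayScreens` module import are assumptions.

```swift
import UIKit
import LiferayScreens  // assumption: module name of the Liferay Screens iOS SDK

// Placeholder value: must equal the redirect URL registered in the portal
// and set as Login Screenlet's oauth2redirectUrl attribute.
let configuredRedirect = URL(string: "my-app://oauth2redirect")!

/// Hypothetical helper: true only when `incoming` has the same scheme, host
/// and path as the configured redirect URL. The query string and fragment are
/// not compared because they carry the authorization response.
func isOAuth2Redirect(_ incoming: URL, expected: URL) -> Bool {
    guard
        let got = URLComponents(url: incoming, resolvingAgainstBaseURL: false),
        let want = URLComponents(url: expected, resolvingAgainstBaseURL: false)
    else { return false }

    // Scheme and host are case-insensitive; the path is compared exactly.
    // URLs that embed user info (user:password@host) are rejected outright.
    return got.scheme?.lowercased() == want.scheme?.lowercased()
        && got.host?.lowercased() == want.host?.lowercased()
        && got.path == want.path
        && got.user == nil && got.password == nil
}

@UIApplicationMain
class AppDelegate: UIResponder, UIApplicationDelegate {
    var window: UIWindow?

    // Same signature as the tutorial's handler.
    func application(_ app: UIApplication, open url: URL,
        options: [UIApplicationOpenURLOptionsKey : Any] = [:]) -> Bool {
        // Other apps and web pages can open a custom-scheme URL, so hand only
        // the expected redirect to Liferay Screens and decline everything else.
        guard isOAuth2Redirect(url, expected: configuredRedirect) else {
            return false
        }
        return SessionContext.oauth2ResumeAuthorization(url: url)
    }
}
```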
Resource Owner Password
Follow these steps to use the Resource Owner Password grant type with Login Screenlet:
- Set Login Screenlet’s `loginMode` attribute to `oauth2UsernameAndPassword`. There are two ways to do this:
  - In code, as the Login Screenlet instance’s `authType` or `loginMode` property:

    ```swift
    loginScreenlet.authType = .oauth2UsernameAndPassword
    // or
    loginScreenlet.loginMode = "oauth2UsernameAndPassword"
    ```

    Note that `oauth2UsernameAndPassword` must be a string when setting `loginMode`.
  - In Interface Builder, as the value of the Login Mode attribute. Do this the same way you set other Screenlet attributes (via the Attributes inspector, with the Screenlet selected in the storyboard). Be sure to enter `oauth2UsernameAndPassword` with no period preceding it.
- Set Login Screenlet’s `oauth2clientId` attribute to the ID of the OAuth 2 application that you want to use. To find this value, navigate to that application in the OAuth 2 Admin portlet.
- Set Login Screenlet’s `oauth2clientSecret` attribute to the same OAuth 2 application’s client secret.
Client Credentials
The OAuth 2 Client Credentials grant type authenticates without requiring user interaction. This is useful when the app needs to access its own resources, not those of a specific user.
Follow these steps to use the Client Credentials grant type in your Screens app:
- Follow the iOS Mobile SDK instructions for using the Client Credentials grant type.
- The session object’s `authentication` property contains a valid authentication object. Cast it to `LROAuth2Authentication`, then pass it to the `authentication` argument of the `SessionContext` method `loginWithOAuth2`:

  ```swift
  let auth = session.authentication as! LROAuth2Authentication
  SessionContext.loginWithOAuth2(authentication: auth, userAttributes: [:])
  ```

  This initializes the Screens `SessionContext` object, authenticating any Screenlets that you use in the iOS app.