Auth0 is an authentication broker that supports social identity providers as well as enterprise identity providers such as Active Directory, LDAP, Google Apps and Salesforce.
Lock makes it easy to integrate SSO in your app. You won't have to worry about:
- Having a professional looking login dialog that displays well on any device.
- Finding the right icons for popular social providers.
- Solving the home realm discovery challenge with enterprise users (i.e.: asking the enterprise user the email, and redirecting to the right enterprise identity provider).
- Implementing a standard sign in protocol (OpenID Connect / OAuth2 Login)
Need help migrating from v1? Please check our Migration Guide
- iOS 9 or later
- Xcode 8.3 / 9.0
- Swift 3.1+
Add the following line to your Podfile:
pod "Lock", "~> 2.4"In your Cartfile add
github "auth0/Lock.swift" ~> 2.4First import Lock
import LockNext in your AppDelegate.swift add the following:
func application(_ app: UIApplication, open url: URL, options: [UIApplicationOpenURLOptionsKey : Any]) -> Bool {
return Lock.resumeAuth(url, options: options)
}In order to use Lock you need to provide your Auth0 Client Id and Domain.
Auth0 ClientId & Domain can be found in your Auth0 Dashboard
In your application bundle you can add a plist file named Auth0.plist with the following format
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
<key>ClientId</key>
<string>{YOUR_CLIENT_ID}</string>
<key>Domain</key>
<string>{YOUR_DOMAIN}</string>
</dict>
</plist>Lock Classic handles authentication using Database, Social & Enterprise connections.
It is strongly encouraged that this SDK be used in OIDC Conformant mode. When this mode is enabled, it will force the SDK to use Auth0's current authentication pipeline and will prevent it from reaching legacy endpoints. By default this is false
.withOptions {
$0.oidcConformant = true
}For more information, please see the OIDC adoption guide.
To show Lock, add the following snippet in your UIViewController
Lock
.classic()
.withOptions {
$0.closable = false
$0.oidcConformant = true
}
.withStyle {
$0.title = "Welcome to my App!"
}
.onAuth {
print("Obtained credentials \($0)")
}
.onError {
print("Failed with \($0)")
}
.onCancel {
print("User cancelled")
}
.present(from: self)Lock will automatically load your client configuration automatically, if you wish to override this behaviour you can manually specify which of your connections to use.
Before presenting Lock you can tell it what connections it should display and use to authenticate an user. You can do that by calling the method and supply a closure that can specify the connections.
.withConnections {
$0.database(name: "Username-Password-Authentication", requiresUsername: true)
}.withConnections { connections in
connections.social(name: "facebook", style: .Facebook)
connections.social(name: "google-oauth2", style: .Google)
}.withConnections { connections in
connections.enterprise(name: "customAD", domains: ["domain1.com", "domain2.com"])
connections.enterprise(name: "alternativeAD", domains: ["domain3.com"], style: .Microsoft)
}You can easily turn on/off logging capabilities.
Lock
.classic()
.withOptions {
$0.logLevel = .all
$0.logHttpRequest = true
}Lock provides many styling options to help you apply your own brand identity to Lock.
.withStyle {
$0.title = "Company LLC"
$0.logo = LazyImage(name: "company_logo")
$0.primaryColor = UIColor(red: 0.6784, green: 0.5412, blue: 0.7333, alpha: 1.0)
}You can explore the full range of styling options in Style.swift
.withStyle {
$0.oauth2["slack"] = AuthStyle(
name: "Slack",
color: UIColor(red: 0.4118, green: 0.8078, blue: 0.6588, alpha: 1.0),
withImage: LazyImage(name: "ic_slack")
)
}Lock Passwordless handles authentication using Passwordless & Social Connections.
The Passwordless feature requires your client to have the Resource Owner Legacy Grant Type enabled. Check this article for more information.
To show Lock, add the following snippet in your UIViewController
Lock
.passwordless()
.withOptions {
$0.closable = false
}
.withStyle {
$0.title = "Welcome to my App!"
}
.onAuth {
print("Obtained credentials \($0)")
}
.onError {
print("Failed with \($0)")
}
.onCancel {
print("User cancelled")
}
.onPasswordless {
print("Passwordless requested for \($0)")
}
.present(from: self)Notes:
- Passwordless can only be used with a single connection and will prioritize the use of email connections over sms.
- The
audienceoption is not available in Passwordless.
When using Lock passwordless the default passwordlessMethod is .code which sends the user a one time passcode to login. If you want to use Universal Links you can add the following:
.withOptions {
$0.passwordlessMethod = .magicLink
}If you are using Lock passwordless and have specified the .magicLink option to send the user a universal link then you will need to add the following to your AppDelegate.swift:
func application(_ application: UIApplication, continue userActivity: NSUserActivity, restorationHandler: @escaping ([Any]?) -> Void) -> Bool {
return Lock.continueAuth(using: userActivity)
}.withConnections {
$0.sms(name: "sms")
}.withConnections {
$0.email(name: "email")
}Lock provides numerous options to customize the Lock experience.
Allows Lock to be dismissed by the user. By default this is false.
.withOptions {
$0.closable = true
}By default Lock will use Auth0's Terms of Service and Privacy Policy
.withOptions {
$0.termsOfService = "https://mycompany.com/terms"
$0.privacyPolicy = "https://mycompany.com/privacy"
}- logLevel: By default this is
.off, Syslog logging levels are supported. - logHttpRequest: Log Auth0.swift API requests. By default this is
false - loggerOutput: Specify output handler, by default this uses the
printstatement.
.withOptions {
$0.logLevel = .all
$0.logHttpRequest = true
$0.loggerOutput = CleanroomLockLogger()
}In the code above, the loggerOutput has been set to use CleanroomLogger. This can typically be achieved by implementing the loggerOutput protocol. You can of course use your favorite logger library.
class CleanroomLockLogger: LoggerOutput {
func message(_ message: String, level: LoggerLevel, filename: String, line: Int) {
let channel: LogChannel?
switch level {
case .debug:
channel = Log.debug
case .error:
channel = Log.error
case .info:
channel = Log.info
case .verbose:
channel = Log.verbose
case .warn:
channel = Log.warning
default:
channel = nil
}
channel?.message(message, filePath: filename, fileLine: line)
}
}Scope used for authentication. By default is openid. It will return not only the access_token, but also an id_token which is a JSON Web Token (JWT) containing user information.
.withOptions {
$0.scope = "openid name email picture"
}Allows you to set provider scopes for oauth2/social connections with a comma separated list. By default is empty.
.withOptions {
$0.connectionScope = ["facebook": "user_friends,email"]- allow: Which database screens will be accessible, the default is enable all screens e.g.
.Login, .Signup, .ResetPassword - initialScreen: The first screen to present to the user, the default is
.login. - usernameStyle: Specify the type of identifier the login will require. The default is either
[.Username, .Email]. However it's important to note that this option is only active if you have set the requires_username flag totruein your Auth0 Dashboard
.withOptions {
$0.allow = [.Login, .ResetPassword]
$0.initialScreen = .login
$0.usernameStyle = [.Username]
}When signing up the default information requirements are the user's email and password. You can expand your data capture requirements as needed.
.withOptions {
$0.customSignupFields = [
CustomTextField(name: "first_name", placeholder: "First Name", icon: LazyImage(name: "ic_person", bundle: Lock.bundle)),
CustomTextField(name: "last_name", placeholder: "Last Name", icon: LazyImage(name: "ic_person", bundle: Lock.bundle))
]
}Note: You must specify the icon to use with your custom text field and store it in your App's bundle.
By default password manager support using 1Password is enabled for database connections, although you will still need to have the 1Password app installed for the option to be visible in the login and signup screens. You can disable 1Password support using the enabled property of the passwordManager.
.withOptions {
$0.passwordManager.enabled = false
}By default the appIdentifier will be set to the app's bundle identifier and the displayName will be set to the app's display name. You can customize these as follows:
.withOptions {
$0.passwordManager.appIdentifier = "www.myapp.com"
$0.passwordManager.displayName = "My App"
}You will need to add the following to your app's Info.plist:
<key>LSApplicationQueriesSchemes</key>
<array>
<string>org-appextension-feature-password-management</string>
</array>If your
Info.plistis not shown in this format, you can Right Click onInfo.plistin Xcode and then select Open As / Source Code.
If you see the following debug error:
canOpenURL: failed for URL: "org-appextension-feature-password-management://" - error: "This app is not allowed to query for scheme org-appextension-feature-password-management"
This is normal and expected behavior when there is no app that can open a custom URL. In this case when the 1Password app is not installed. Unfortunately, the message can be a little confusing but it is coming from iOS itself.
By default a show password icon is shown in password fields to toggle visibility of the input text. You can disable this using the allowShowPassword option.
.withOptions {
$0.allowShowPassword = false
}Note: Show password will not be available if the [Password Manager](#Password Manager) is available.
- enterpriseConnectionUsingActiveAuth: By default Enterprise connections will use Web Authentication. However you can specify which connections will alternatively use credential authentication and prompt for a username and password.
- activeDirectoryEmailAsUsername: When Lock request your enterprise credentials after performing Home Realm Discovery (HRD), e.g. for Active Directory, it will try to prefill the username for you. By default it will parse the email's local part and use that as the username, e.g.
john.doe@auth0.comwill bejohn.doe. If you don't want that you can turn on this flag and it will just use the email address.
.withOptions {
$0.activeDirectoryEmailAsUsername = true
$0.enterpriseConnectionUsingActiveAuth = ["enterprisedomain.com"]
}Auth0 helps you to:
- Add authentication with multiple authentication sources, either social like Google, Facebook, Microsoft Account, LinkedIn, GitHub, Twitter, Box, Salesforce, amongst others, or enterprise identity systems like Windows Azure AD, Google Apps, Active Directory, ADFS or any SAML Identity Provider.
- Add support for Custom OAuth2 Connections.
- Add authentication through more traditional username/password databases.
- Add support for linking different user accounts with the same user.
- Support for generating signed JSON Web Tokens to call your APIs and flow the user identity securely.
- Analytics of how, when and where users are logging in.
- Pull data from other sources and add it to the user profile, through JavaScript rules.
- Go to Auth0 and click Sign Up.
- Use Google, GitHub or Microsoft Account to login.
If you have found a bug or if you have a feature request, please report them at this repository issues section. Please do not report security vulnerabilities on the public GitHub issue tracker. The Responsible Disclosure Program details the procedure for disclosing security issues.
This project is licensed under the MIT license. See the LICENSE file for more info.