Lock iOS: SSO on Mobile Apps

Lock allows you to easily implement single sign-on (SSO). Single sign-on is a mechanism that allows a user to use the same credentials between multiple applications. If you have two different applications and a user who is already authenticated in app A, single sign-on allows that user to automatically be authenticated in app B as well. The experience is similar to what happens with Facebook and its companion Messenger app, as well as Foursquare and Swarm.

In order to do SSO on Mobile Apps, we need to use a shared keychain. We'll learn how to do this throughout this post.

To enable keychain sharing you'll have to define a keychain access group with the following format: <Bundle Seed Id>.<Group Name>

e.g.: ABC1234DEF.mysharedgroup

The Bundle Seed Id is a unique (within the App Store) ten-character string that is generated by Apple after you create your App ID (using Apple's dev site). Each application identifier has the following format:

<Bundle Seed Id>.<Bundle Identifier>

So any apps that share the same Bundle Seed Id can access values stored in groups with that prefix. For example, the apps:

  • ABC1234DEF.com.auth0.awesomeapp1
  • ABC1234DEF.com.auth0.awesomeapp2

can read/write values stored in the group ABC1234DEF.mysharedgroup.

In your project you'll need to add an entitlements file for each app declaring the access group. You can do it in the Capabilities tab of the project's target (under the label Keychain Sharing): just turn it on and add only the group name (without the Bundle Seed Id).

To obtain a value from the Keychain:

Objective-C:

A0SimpleKeychain *keychain = [A0SimpleKeychain keychainWithService:@"Auth0" accessGroup:@"ABC1234DEF.mysharedgroup"];
NSString *refreshToken = [keychain stringForKey:@"refresh_token"];

Swift:

let keychain = A0SimpleKeychain.keychainWithService("Auth0", accessGroup:"ABC1234DEF.mysharedgroup")
let refreshToken = keychain.stringForKey("refresh_token")

To store a value in the Keychain:

Objective-C:

A0SimpleKeychain *keychain = [A0SimpleKeychain keychainWithService:@"Auth0" accessGroup:@"ABC1234DEF.mysharedgroup"];
[keychain setString:auth0User.refreshToken forKey:@"refresh_token"];

Swift:

let keychain = A0SimpleKeychain.keychainWithService("Auth0", accessGroup:"ABC1234DEF.mysharedgroup")
keychain.setString(auth0User.refreshToken, forKey:"refresh_token")

These examples use our Keychain wrapper, SimpleKeychain. For more information on how to use it, please go to its GitHub repo.
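For readers who want to see what the wrapper does underneath, the following is an added example written for this page (it is not SimpleKeychain's code and not part of the original post) that performs the same read and write directly against the Security framework. The `SharedKeychain` type, its method names and the `sampleRefreshToken` value are assumptions made for the example; the access group `ABC1234DEF.mysharedgroup` is the placeholder used above. It assumes both apps carry the Keychain Sharing entitlement described earlier (the `keychain-access-groups` entitlement, where Xcode writes the group as `$(AppIdentifierPrefix)mysharedgroup` and the prefix expands to the Bundle Seed Id plus a dot), and it surfaces the status the system returns when that entitlement is missing, which is the most common reason a shared read silently comes back empty.

```swift
import Foundation
import Security

// Added example, not SimpleKeychain's own implementation: a minimal shared-keychain
// store built directly on the Security framework.
// Assumed entitlement in both apps (what Xcode writes when Keychain Sharing is on):
//   keychain-access-groups = [ "$(AppIdentifierPrefix)mysharedgroup" ]
// $(AppIdentifierPrefix) expands to the Bundle Seed Id plus a dot, e.g. "ABC1234DEF.".

enum SharedKeychainError: Error {
    // errSecMissingEntitlement (-34018): the access group is not in this app's entitlements.
    case missingEntitlement
    case unexpectedStatus(OSStatus)
}

struct SharedKeychain {
    let service: String
    let accessGroup: String

    // Attributes common to every query: a generic-password item identified by
    // service + account (our key), scoped to the shared access group.
    private func baseQuery(forKey key: String) -> [String: Any] {
        return [
            kSecClass as String: kSecClassGenericPassword,
            kSecAttrService as String: service,
            kSecAttrAccount as String: key,
            kSecAttrAccessGroup as String: accessGroup,
        ]
    }

    // Store (or replace) a string. The item is bound to this device and readable only
    // after first unlock, so a refresh token is never included in an iCloud Keychain sync.
    func setString(_ value: String, forKey key: String) throws {
        var item = baseQuery(forKey: key)
        item[kSecValueData as String] = Data(value.utf8)
        item[kSecAttrAccessible as String] = kSecAttrAccessibleAfterFirstUnlockThisDeviceOnly

        var status = SecItemAdd(item as CFDictionary, nil)
        if status == errSecDuplicateItem {
            // The other app (or an earlier login) already wrote it: update in place.
            let update: [String: Any] = [kSecValueData as String: Data(value.utf8)]
            status = SecItemUpdate(baseQuery(forKey: key) as CFDictionary, update as CFDictionary)
        }
        try check(status)
    }

    // Read a string; nil means no app in the group has stored it yet.
    func string(forKey key: String) throws -> String? {
        var query = baseQuery(forKey: key)
        query[kSecReturnData as String] = true
        query[kSecMatchLimit as String] = kSecMatchLimitOne

        var result: AnyObject?
        let status = SecItemCopyMatching(query as CFDictionary, &result)
        if status == errSecItemNotFound { return nil }
        try check(status)
        guard let data = result as? Data else { return nil }
        return String(data: data, encoding: .utf8)
    }

    // Remove the item for every app in the group, e.g. when the user signs out of any one app.
    func removeValue(forKey key: String) throws {
        let status = SecItemDelete(baseQuery(forKey: key) as CFDictionary)
        if status != errSecItemNotFound { try check(status) }
    }

    private func check(_ status: OSStatus) throws {
        switch status {
        case errSecSuccess:
            return
        case errSecMissingEntitlement:
            throw SharedKeychainError.missingEntitlement
        default:
            throw SharedKeychainError.unexpectedStatus(status)
        }
    }
}

// Usage: app A stores the token after login; app B, built with the same Bundle Seed Id
// and the same access group, reads it at launch. The token value here is constructed.
let sampleRefreshToken = "constructed-sample-refresh-token"
let keychain = SharedKeychain(service: "Auth0", accessGroup: "ABC1234DEF.mysharedgroup")
do {
    try keychain.setString(sampleRefreshToken, forKey: "refresh_token")   // app A
    let token = try keychain.string(forKey: "refresh_token")             // app B
    print(token == nil ? "no session shared yet" : "got shared refresh token")
} catch SharedKeychainError.missingEntitlement {
    print("Keychain Sharing entitlement for ABC1234DEF.mysharedgroup is missing from this target")
} catch {
    print("keychain error: \(error)")
}
```

Two points worth checking in your own apps: both targets must resolve `$(AppIdentifierPrefix)` to the same Bundle Seed Id, otherwise each app gets its own item and the read in app B returns nil; and a refresh token stored without a `ThisDeviceOnly` accessibility class can be restored onto another device from a backup, which widens the reach of a shared session beyond what SSO between two apps needs.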

You can now learn how to use the stored refresh_token to call an API securely from your app in this other guide.