iOS Swift Touch ID Authentication

Sample Project

Download a sample project specific to this tutorial configured with your Auth0 API Keys.

System Requirements
  • CocoaPods 1.2.1
  • Version 8.3.2 (8E2002)
  • iPhone 7 - iOS 10.3 (14E269)
  • Touch ID Enrolled Device

Before Starting

You should be familiar with previous tutorials. This tutorial assumes that you've integrated the Auth0.swift dependencies in your project and you're familiar with presenting the Login. For further information, check out the Login quickstart. It is recommended that you explore the User Sessions quickstart if you are not familiar with renewal of credentials using a refreshToken.

Touch ID Authentication

Here's the scenario: You are using webAuth to present the Hosted Login Page (HLP) for the user Login. After user authentication you want to store the user's credentials and use the refreshToken to renew the user's credentials without having to present the HLP. Additionally you want to utilize Touch ID to validate this renewal process.

You will be using the Credentials Manager utility in Auth0.swift to streamline the management of user credentials and Touch ID.

First, import the Auth0 module:

import Auth0

The Credentials Manager

Add a property to your class for the credentials manager:

let credentialsManager: CredentialsManager!

Next, ensure the credentials manager is initialized in the appropriate init method of your class:

self.credentialsManager = CredentialsManager(authentication: Auth0.authentication())

Login

Present the hosted login page, as per the User Sessions quickstart. You want to receive a refreshToken, so you need to add the offline_access scope.

// HomeViewController.swift

Auth0
    .webAuth()
    .scope("openid profile offline_access")
    .audience("https://YOUR_AUTH0_DOMAIN/userinfo")
    .start {
        switch $0 {
        case .failure(let error):
            // Handle the error
            print("Error: \(error)")
        case .success(let credentials):
            // Store credentials securely with the Credentials Manager
            self.credentialsManager.store(credentials: credentials)
        }
    }

Upon success, the credentials object will be encrypted and stored securely in the keychain using the Credentials Manager.

Renew the User's Credentials

To automatically renew the user's credentials you can use the credentials method in the Credentials Manager.

  • It retrieves the stored credentials from the keychain.
  • It checks whether the accessToken is still valid.
  • If the current credentials are still valid, they are returned.
  • If the accessToken has expired, the credentials are automatically renewed using the refreshToken and returned.

Add the following:

self.credentialsManager.credentials { error, credentials in
    guard error == nil, let credentials = credentials else {
        // Handle Error
        // Route user back to Login Screen
        return // a guard body must exit the enclosing scope
    }
    // There is no need to store the credentials as you did in Login.  The Credentials Manager will do this for you internally
    // Continue routing the user as authentication was a success
}

If you were paying attention, you should have noticed there was no Touch ID prompt.

Enable Touch ID

The Credentials Manager can take care of this for you, once enabled. Go back to the snippet that initialized the Credentials Manager and add:

self.credentialsManager.enableTouchAuth(withTitle: "Touch to Authenticate")

Next time you call the credentials method, the user will be prompted for their Touch ID with the title "Touch to Authenticate".

Improving the User Experience

What happens if the user has logged out and you have cleared the credentials from the Credentials Manager? For example:

self.credentialsManager.clear()

In this case the user will still be prompted for Touch ID, and an error will be returned in the credentials closure because there are no credentials to renew.

The Credentials Manager has a hasValid() method that quickly lets you know if there are valid credentials that can be returned either directly or renewed and returned.

You can add this check before you call the credentials method.

guard self.credentialsManager.hasValid() else {
    // Route to Login
    return // a guard body must exit the enclosing scope
}
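
The steps above combined into one flow, as an added example that is not part of the original tutorial or the Auth0.swift project. The SessionController class, its method names, and the onSuccess/onLoginRequired closures are hypothetical; only the CredentialsManager calls come from the tutorial.

```swift
import Foundation
import Auth0

// Hypothetical helper (not part of Auth0.swift) that wires the tutorial's steps together.
final class SessionController {
    private let credentialsManager: CredentialsManager

    init() {
        credentialsManager = CredentialsManager(authentication: Auth0.authentication())
        // Require Touch ID before stored credentials are handed back to the app.
        credentialsManager.enableTouchAuth(withTitle: "Touch to Authenticate")
    }

    /// Call from the webAuth success case. Returns false if the credentials could not be stored.
    func save(_ credentials: Credentials) -> Bool {
        return credentialsManager.store(credentials: credentials)
    }

    /// Call on logout. Removes the stored credentials from the keychain.
    func logout() -> Bool {
        return credentialsManager.clear()
    }

    /// Restores a session. Touch ID is requested only when there is something to unlock.
    func restore(onSuccess: @escaping (Credentials) -> Void,
                 onLoginRequired: @escaping () -> Void) {
        // Nothing stored (first launch or after logout): skip the prompt entirely.
        guard credentialsManager.hasValid() else {
            onLoginRequired()
            return
        }
        credentialsManager.credentials { error, credentials in
            // The tutorial does not state which queue the callback uses,
            // so hop to the main queue before the caller touches any UI.
            DispatchQueue.main.async {
                guard error == nil, let credentials = credentials else {
                    // Touch ID failed or was cancelled, or the renewal was rejected.
                    onLoginRequired()
                    return
                }
                onSuccess(credentials)
            }
        }
    }
}
```

Treat a false result from save as a failed login step rather than ignoring it, since the next launch would otherwise find nothing to renew.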