iOS Swift: Touch ID Authentication

By Martin Walsh

This tutorial will show you how to use Touch ID and the Credentials Manager. We recommend that you log in to follow this quickstart with examples configured for your account.

I want to integrate with my app

15 minutes

Before You Start
Apply Touch ID Authentication
Add the Credentials Manager
Add Login
Renew the User's Credentials
Enable Touch ID
Improve the User Experience

I want to explore a sample app

2 minutes

Get a sample configured with your account settings or check it out on Github.

View on Github

System requirements: CocoaPods 1.6 (Beta) | Xcode 10.1 | iOS 9+

Before you continue with this tutorial, make sure that you have completed the previous tutorials. This tutorial assumes that:

You have integrated Auth0.swift as a dependency in your project.
You are familiar with presenting the login screen. To learn more, see the Login tutorial.
You know how to renew a user's credentials with a Refresh Token. To learn more, see the User Sessions tutorial.

This tutorial shows you how to renew the user's credentials without presenting the user with the login page. Additionally, the guide shows you how to use Touch ID to validate the renewal.

This tutorial covers how to use the credentials manager utility in Auth0.swift to streamline the management of user credentials and Touch ID.

Import the Auth0 module:

import Auth0

Was this helpful?/

Add a property to your class for the credentials manager:

let credentialsManager: CredentialsManager!

Was this helpful?/

Next, initialize the credentials manager in the appropriate init method of your class:

self.credentialsManager = CredentialsManager(authentication: Auth0.authentication())

Was this helpful?/

Present the login page. Add the offline_access scope to receive a refreshToken.

Read more about presenting the login page in the User Sessions tutorial.

// HomeViewController.swift

Auth0
    .webAuth()
    .scope("openid profile offline_access")
    .audience("https://YOUR_DOMAIN/userinfo")
    .start {
        switch $0 {
        case .failure(let error):
            // Handle the error
            print("Error: \(error)")
        case .success(let credentials):
            // Store credentials securely with the Credentials Manager
            self.credentialsManager.store(credentials: credentials)
        }
}

Was this helpful?/

When the user logs in, the credentials object is encrypted and stored securely in the keychain.

To automatically renew the user's credentials, use the credentials method in the credentials manager.

The credentials manager retrieves stored credentials from the keychain and checks if the Access Token is still valid:

If the current credentials are still valid, the credentials manager returns them
If the Access Token has expired, the credentials manager renews them using the Refresh Token and returns them

Add the following:

self.credentialsManager.credentials { error, credentials in
    guard error == nil, let credentials = credentials else {
        // Handle Error
        // Route user back to Login Screen
    }
    // There is no need to store the credentials as you did in Login. The Credentials Manager will do this for you internally
    // Continue routing the user as authentication was a success
}

Was this helpful?/

After the line that initialized the credentials manager, add a line that enables Touch ID:

self.credentialsManager.enableBiometrics(withTitle: "Touch to Authenticate")

Was this helpful?/

Next time you call the credentials method, the user will be prompted for their Touch ID with a "Touch to Authenticate" message.

If the user has logged out and you have cleared the credentials from the credentials manager, for example, with the following:

self.credentialsManager.clear()

Was this helpful?/

The user is still prompted for their Touch ID. This returns an error in the credentials closure because there are no credentials to renew from.

The credentials manager has a hasValid() method that lets you know if there are valid credentials that can be returned directly or renewed and returned.

You can add this check before you call the credentials method:

guard self.credentialsManager.hasValid() else {
    // Route to Login
}

Was this helpful?/

Did it work?

Any suggestion or typo? Edit on GitHub