Uploaded image for project: 'OpenAM'
  1. OpenAM
  2. OPENAM-12066

OpenAM OAuth 2.0 iOS Sample App build documentation needs an update


    • Type: Bug
    • Status: Open
    • Priority: Minor
    • Resolution: Unresolved
    • Affects Version/s: 13.0.0, 13.5.0, 14.0.0, 14.5.0
    • Fix Version/s: None
    • Component/s: samples
    • Labels:


      The current documentation explaining how to build and use the OAuth 2.0 iOS sample application is located here, as per the OpenAM 13 to 14.5 guides.

      For example, for AM 5.5, the download and build documentation links to that sample application are mentioned here


      That build documentation needs to be updated to work with more recent iOS versions such as IOS 11. I noticed the following issues when using the current documentation:


      1- In order to build the OpenAM REST SDK required by the mobile application, the Rakefile of the openam-ios-rest-sdk project needs to be updated: for example, for iOS 11.1, it should contain the line "

      SDK_VERSION = ENV["SDK_VERSION"] || "11.1"


      instead of 

      SDK_VERSION = ENV["SDK_VERSION"] || "7.0"


      2- Due to new security restrictions in more recent iOS versions, a couple of settings (in the mobile application configuration and when using it) need to be changed :


      2a) I added the following keys to the openam-ios-oauth2-sample-appTests-Info.plist file, in order to allow it to connect to the OpenAM web site:












      Note: I'm not sure these keys are actually required, maybe only the change described below in 2b is sufficient .


      2b) It seems like more recent iOS versions require mobile applications to issue HTTPS connections instead of just plain HTTP connection. In order for the mobile application to connect to https://openam.example.com, the mobile device has to trust the certificate of the CA which signed the OpenAM server certificate, there's no more way to trust self-signed certificates.

      In order to do so, I used the Keystore Explorer tool, and did the following:

      • created a new keystore with password admin123 (see attached keystore.jks file)
      • created 2 couples of key pairs, one for my CA with the CA constraint/extension, one for the OpenAM server itself
      • signed the OpenAM server public key with the CA private key
      • exported the CA certificate in a new file called forgerock_demo_ca.crt and copied it to the document root of a Web Server accessible to the mobile app (I used the document root of the Tomcat application server used to run OpenAM)
      • copied the keystore to the Tomcat instance used by AM and configured that instance to use that keystore
      • accessed the following URL from Safari in the mobile device to have it trust the CA certificate: [Demo CA certificate|https://openam.example.com/forgerock_demo_ca.crt]
      • to make sure the CA certificate is trusted by the mobile device, go to the Settings -> General -> About -> Certificate Trust Settings menu (for iOS 11 at least). You should see the ForgeRock Demo CA root CA, make sure the "Enable Full Trust" option is on . (see screenshot below):


      3) The mobile application sends the scope parameter when exchanging the authorization code for the access token, which is not allowed by AM. The following line (of the getAccessTokenWithCode method) in the openam-ios-rest-sdk/openam-ios-rest-sdk/OAuth2/Model/OAuth2.m file can be commented to prevent the mobile application from sending that scope parameter at this time:

      //[params setValue:[self.delegate scope] forKey:@"scope"];


      4) I had to change the "Code Signing Identity" to "iOS Developer" in the build settings of the mobile application to allow Xcode to compile it




            • Assignee:
              cgrosjean Cyril Grosjean
            • Votes:
              0 Vote for this issue
              2 Start watching this issue


              • Created: