Logo Questions Linux Laravel Mysql Ubuntu Git Menu
HTML CSS JAVASCRIPT SQL PYTHON PHP BOOTSTRAP JAVA JQUERY R React Kotlin
 

Azure AD B2C Refresh Token/ID Token iOS Swift 4

Tags:

ios

swift

azure

azure-ad-b2c

I'm developing an iOS app, utilizing the ROPC flow with AADB2C as the backend endpoints supporting this. https://login.microsoftonline.com/{TENANTNAME}.onmicrosoft.com/oauth2/v2.0/token?p={ROPC Policy Name}

I've successfully been able to request and retrieve an access token, refresh token and ID token upon a customer's first time successfully logging in using an email/password.

After this successful login, every subsequent login, we want to leverage biometrics (touch/face ID). My first thought was to store the refreshToken in the Keychain, check for the presence of a refreshToken before forcing a user to input his/her email/pw.

If a refreshToken exists, then I imagine I would use a call to the token endpoint, using a ?p=refresh_token as opposed to the ?p={INSERT ROPC Policy Name}and if I return a success, then I use Touch/Face ID to login.

The other thought I had was to just use the token ID to authenticate.

Thus my question is two-fold:

  1. What is the better practice - for iOS native application to use a refresh token or an ID token.

  2. I've tried using the refresh token, swapping out the {ROPC Policy Name} parameter with ?p=refresh_token, but every time I tried configuring the request, I get an error saying "The request body must contain the following parameter: 'grant_type'" I've added "refresh_token" as the key grant_type's value and that error still comes up. -- Why is that and how do I get around it if refresh token grant_type is better.

like image 677
Tim Avatar asked Oct 19 '25 04:10

Tim

1 Answers

You are correct.

You can save the refresh token to the key chain and protect the use of this refresh token with Face or Touch ID.

The "Redeem a refresh token" section of the "Configure the resource owner password credentials flow in Azure AD B2C" document describes how to redeem a refresh token that was issued for a resource owner policy:

POST /{tenant}.onmicrosoft.com/{policy}/oauth2/v2.0/token HTTP/1.1
Host: login.microsoftonline.com
Content-Type: application/x-www-form-urlencoded

grant_type=refresh_token
&response_type=id_token
&client_id={client_id}
&resource={client_id}
&refresh_token={refresh_token}
like image 140
Chris Padgett Avatar answered Oct 20 '25 17:10

Chris Padgett
Sign in to Comment

Related questions

How to remove firebase observer?
What is the difference between Segue and using instantiateViewController?

Donate For Us

If you love us? You can donate to us via Paypal or buy me a coffee so we can maintain and grow! Thank you!