Ping SDKs

Step 2. Configure connection properties

In this step, you configure the "swiftui-oidc" app to connect to the OAuth 2.0 application you created in PingOne Advanced Identity Cloud, and display the login UI of the server.

  1. In Xcode, on the File menu, click Open.

  2. Navigate to the sdk-sample-apps folder you cloned in the previous step, navigate to iOS > swiftui-oidc > PingExample > PingExample.xcodeproj, and then click Open.

  3. In the Project Navigator pane, navigate to PingExample > PingExample > Utilities, and open the ConfigurationManager file.

  4. Locate the ConfigurationViewModel function which contains placeholder configuration properties.

    The function is commented with //TODO: in the source to make it easier to locate.

    return ConfigurationViewModel(
        clientId: "[CLIENT ID]",
        scopes: ["openid", "email", "address", "phone", "profile"],
        redirectUri: "[REDIRECT URI]",
        signOutUri: "[SIGN OUT URI]",
        discoveryEndpoint: "[DISCOVERY ENDPOINT URL]",
        environment: "[ENVIRONMENT - EITHER AIC OR PingOne]",
        cookieName: "[COOKIE NAME - OPTIONAL (Applicable for AIC only)]",
        browserSeletorType: .authSession
    )

  5. In the ConfigurationViewModel function, update the following properties with the values you obtained when preparing your environment.

    clientId

    The client ID from your OAuth 2.0 application in PingOne Advanced Identity Cloud.

    For example, sdkPublicClient

    scopes

    The scopes you added to your OAuth 2.0 application in PingOne Advanced Identity Cloud.

    For example, address email openid phone profile

    redirectUri

    The redirect_uri to return to after logging in with the server UI, for example the URI to your client app.

    This value must exactly match a value configured in your OAuth 2.0 client.

    For example, org.forgerock.demo://oauth2redirect.

    signOutUri

    The URI to redirect to after logging out of the authorization server, for example the URI to your client app.

    This value must exactly match a value configured in your OAuth 2.0 client.

    For example, org.forgerock.demo://oauth2redirect.

    discoveryEndpoint

    The .well-known endpoint from your PingOne Advanced Identity Cloud tenant.

    How do I find my PingOne Advanced Identity Cloud .well-known URL?

    You can view the .well-known endpoint for an OAuth 2.0 client in the PingOne Advanced Identity Cloud admin console:

    1. Log in to your PingOne Advanced Identity Cloud administration console.

    2. Click Applications, and then select the OAuth 2.0 client you created earlier. For example, sdkPublicClient.

    3. On the Sign On tab, in the Client Credentials section, copy the Discovery URI value.

    For example, https://openam-forgerock-sdks.forgeblocks.com/am/oauth2/alpha/.well-known/openid-configuration

    environment

    Ensures the sample app uses the correct behavior for the different servers it supports, for example, which logout parameters to use.

    For PingOne Advanced Identity Cloud and PingAM servers, specify AIC.

    cookieName

    The name of the cookie your PingOne Advanced Identity Cloud tenant uses to store SSO tokens in client browsers.

    How do I find my PingOne Advanced Identity Cloud cookie name?

    To locate the cookie name in a PingOne Advanced Identity Cloud tenant:

    1. Navigate to Tenant settings > Global Settings

    2. Copy the value of the Cookie property.

    For example, ch15fefc5407912

    browserSeletorType

    You can specify what type of browser the client iOS device opens to handle centralized login.

    Each browser type has slightly different characteristics, which make each one suitable for different scenarios, as outlined in this table:

    Browser type Characteristics

    .authSession

    Opens a web authentication session browser.

    Designed specifically for authentication sessions; however, before opening the browser it prompts the user with a modal that asks them to confirm the domain is allowed to authenticate them.

    This is the default option in the Ping SDK for iOS.

    .ephemeralAuthSession

    Opens a web authentication session browser, but enables the prefersEphemeralWebBrowserSession parameter.

    This browser type does not display a confirmation modal before opening the browser.

    The difference between this and .authSession is that the browser does not include any existing data such as cookies in the request, and also discards any data obtained during the browser session. This means that an ephemeralAuthSession is not suitable when you require single sign-on (SSO) between your iOS apps.

    Use this browser type when you do not want the user’s existing sessions to affect the authentication.

    .nativeBrowserApp

    Opens the browser the user has set as their default, often Safari.

    The browser opens without any interaction from the user. However, the browser does display a modal when returning to your application.

    .sfViewController

    Opens a Safari view controller browser.

    Your client app is not able to interact with the pages in the sfViewController or access the data or browsing history.

    The view controller opens within your app without any interaction from the user. As the user does not leave your app, the view controller does not need to display a warning modal when authentication is complete and control returns to your application.

    The result resembles the following:

    return ConfigurationViewModel(
        clientId: "sdkPublicClient",
        scopes: ["openid", "email", "address", "phone", "profile"],
        redirectUri: "org.forgerock.demo://oauth2redirect",
        signOutUri: "org.forgerock.demo://oauth2redirect",
        discoveryEndpoint: "https://openam-forgerock-sdks.forgeblocks.com/am/oauth2/alpha/.well-known/openid-configuration",
        environment: "AIC",
        cookieName: "ch15fefc5407912",
        browserSeletorType: .authSession
    )
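
The values above are easy to get subtly wrong (a leftover placeholder, a redirect scheme the app does not register, a discovery URL over plain http), and the failure only shows up as an opaque browser error. The following added example, which is not part of the Ping sample app or the Ping SDK, checks a configuration against the rules stated in this step before the app opens a browser. OIDCConfig is a local stand-in for the sample's ConfigurationViewModel so the file compiles on its own; the registeredSchemes set and the second, deliberately broken configuration are constructed for the demonstration.

```swift
import Foundation

// Added example, not part of the Ping sample app or the Ping SDK.
// OIDCConfig mirrors the properties of the sample's ConfigurationViewModel
// so this file compiles without the sample project.
struct OIDCConfig {
    let clientId: String
    let scopes: [String]
    let redirectUri: String
    let signOutUri: String
    let discoveryEndpoint: String
    let environment: String
    let cookieName: String
}

enum ConfigProblem: CustomStringConvertible {
    case placeholder(String)
    case missingOpenIDScope
    case discoveryNotHTTPS
    case notDiscoveryDocument
    case unknownEnvironment(String)
    case unregisteredScheme(String)
    case cookieNameIgnored

    var description: String {
        switch self {
        case .placeholder(let name): return "\(name) still holds the [...] placeholder"
        case .missingOpenIDScope: return "scopes must include \"openid\""
        case .discoveryNotHTTPS: return "discoveryEndpoint must use https"
        case .notDiscoveryDocument: return "discoveryEndpoint should end in /.well-known/openid-configuration"
        case .unknownEnvironment(let env): return "environment \"\(env)\" is not AIC or PingOne"
        case .unregisteredScheme(let uri): return "\(uri) uses a scheme this app does not register"
        case .cookieNameIgnored: return "cookieName is only used when environment is AIC"
        }
    }
}

/// `registeredSchemes` is the set of custom URL schemes declared in the app's Info.plist
/// (CFBundleURLTypes). Passing it explicitly keeps the check runnable without a bundle.
func validate(_ c: OIDCConfig, registeredSchemes: Set<String>) -> [ConfigProblem] {
    var problems: [ConfigProblem] = []

    // Leftover template placeholders such as "[CLIENT ID]"
    let fields = [("clientId", c.clientId), ("redirectUri", c.redirectUri),
                  ("signOutUri", c.signOutUri), ("discoveryEndpoint", c.discoveryEndpoint),
                  ("environment", c.environment)]
    let leftovers = fields.filter { $0.1.hasPrefix("[") && $0.1.hasSuffix("]") }
    problems += leftovers.map { ConfigProblem.placeholder($0.0) }
    if !leftovers.isEmpty { return problems }  // remaining checks are meaningless until filled in

    // "openid" is what makes this an OpenID Connect request that returns an ID token
    if !c.scopes.contains("openid") { problems.append(.missingOpenIDScope) }

    // Only fetch the discovery document over TLS, and only from the standard path
    if let url = URL(string: c.discoveryEndpoint) {
        if url.scheme?.lowercased() != "https" { problems.append(.discoveryNotHTTPS) }
        if !url.path.hasSuffix("/.well-known/openid-configuration") { problems.append(.notDiscoveryDocument) }
    } else {
        problems.append(.notDiscoveryDocument)
    }

    // The sample understands exactly these two server types (case-sensitive)
    if !["AIC", "PingOne"].contains(c.environment) { problems.append(.unknownEnvironment(c.environment)) }

    // Redirect and sign-out URIs must use a scheme this app owns, or the callback never arrives
    for uri in [c.redirectUri, c.signOutUri] {
        let scheme = URL(string: uri)?.scheme ?? ""
        if !registeredSchemes.contains(scheme) { problems.append(.unregisteredScheme(uri)) }
    }

    // cookieName applies to AIC only
    if c.environment != "AIC" && !c.cookieName.isEmpty { problems.append(.cookieNameIgnored) }

    return problems
}

// Constructed input using the example values from this step; the scheme set is
// constructed too (an app would read it from Bundle.main.infoDictionary).
let good = OIDCConfig(
    clientId: "sdkPublicClient",
    scopes: ["openid", "email", "address", "phone", "profile"],
    redirectUri: "org.forgerock.demo://oauth2redirect",
    signOutUri: "org.forgerock.demo://oauth2redirect",
    discoveryEndpoint: "https://openam-forgerock-sdks.forgeblocks.com/am/oauth2/alpha/.well-known/openid-configuration",
    environment: "AIC",
    cookieName: "ch15fefc5407912")
print(validate(good, registeredSchemes: ["org.forgerock.demo"]))   // []

// Constructed, deliberately broken configuration: no openid scope, unregistered
// redirect scheme, http discovery URL, lowercase environment value.
let bad = OIDCConfig(
    clientId: "sdkPublicClient",
    scopes: ["email", "profile"],
    redirectUri: "myapp://callback",
    signOutUri: "org.forgerock.demo://oauth2redirect",
    discoveryEndpoint: "http://tenant.example.com/am/oauth2/alpha/.well-known/openid-configuration",
    environment: "aic",
    cookieName: "")
for p in validate(bad, registeredSchemes: ["org.forgerock.demo"]) { print("- \(p)") }
```

Run it as a Swift script (swift validate.swift) or paste it into a playground. The redirect-scheme check matters most: the redirect and sign-out URIs must match the OAuth 2.0 client's registered values exactly, and the scheme must also be one the app declares, otherwise the authorization response is delivered to nothing at all.
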
  6. Optionally, specify ACR values to choose which authentication journey the server uses.

    1. Navigate to PingExample > PingExample > ViewModels, and open the OIDCViewModel file.

    2. In the startOIDC() function, add an acr_values parameter to the authorization request by using the setCustomParam() method:

      public func startOIDC() async throws -> FRUser {
          return try await withCheckedThrowingContinuation({
              (continuation: CheckedContinuation<FRUser, Error>) in
              Task { @MainActor in
                  FRUser.browser()?
                      .set(presentingViewController: self.topViewController!)
                      .set(browserType: ConfigurationManager.shared.currentConfigurationViewModel?.getBrowserType() ?? .authSession)
                      .setCustomParam(key: "acr_values", value: "sdkUsernamePasswordJourney")
                      .build().login { (user, error) in
                          if let frUser = user {
                              Task { @MainActor in
                                  self.status = "User is authenticated"
                              }
                              continuation.resume(returning: frUser)
                          } else {
                              Task { @MainActor in
                                  self.status = error?.localizedDescription ?? "Error was nil"
                              }
                              continuation.resume(throwing: error!)
                          }
                      }
              }
          })
      }

      Enter one or more of the ACR mapping keys as configured in the OAuth 2.0 provider service.

      To learn more, refer to Choose journeys with ACR values.

      You can list the available keys by inspecting the acr_values_supported property in the output of your /oauth2/.well-known/openid-configuration endpoint.
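
Rather than hard-coding an ACR key and discovering at runtime that the server rejects it, you can read acr_values_supported from the discovery document and compare it with the keys you intend to pass to setCustomParam(). The following added example is not part of the Ping sample app or the Ping SDK; it uses only Foundation. The JSON document and the sdkWebAuthnJourney key in it are constructed for the demonstration so the check runs offline, and fetchDiscovery is the hypothetical helper you would call against your real discoveryEndpoint.

```swift
import Foundation

// Added example, not part of the Ping sample app or SDK. Decodes the subset of the
// OpenID Provider discovery document needed to check acr_values before requesting them.
struct DiscoveryDocument: Decodable {
    let issuer: String
    let authorizationEndpoint: String
    let acrValuesSupported: [String]?   // optional: a provider may not advertise it

    enum CodingKeys: String, CodingKey {
        case issuer
        case authorizationEndpoint = "authorization_endpoint"
        case acrValuesSupported = "acr_values_supported"
    }
}

enum AcrCheck: Equatable {
    case supported
    case unsupported(missing: [String], advertised: [String])
    case notAdvertised
}

/// `requested` is the space-separated acr_values string you would pass to
/// setCustomParam(key: "acr_values", value:); every key must be advertised.
func checkAcrValues(_ requested: String, against doc: DiscoveryDocument) -> AcrCheck {
    guard let advertised = doc.acrValuesSupported else { return .notAdvertised }
    let keys = requested.split(separator: " ").map(String.init)
    let missing = keys.filter { !advertised.contains($0) }
    return missing.isEmpty ? .supported : .unsupported(missing: missing, advertised: advertised)
}

/// Hypothetical helper: fetch the discovery document from your discoveryEndpoint.
/// Refuses non-https URLs so the endpoint list can never be obtained over plaintext.
func fetchDiscovery(_ endpoint: String) async throws -> DiscoveryDocument {
    guard let url = URL(string: endpoint), url.scheme == "https" else { throw URLError(.badURL) }
    let (data, response) = try await URLSession.shared.data(from: url)
    guard let http = response as? HTTPURLResponse, http.statusCode == 200 else {
        throw URLError(.badServerResponse)
    }
    return try JSONDecoder().decode(DiscoveryDocument.self, from: data)
}

// Constructed sample document (not captured from a real tenant) so the check runs offline.
let sampleJSON = """
{
  "issuer": "https://tenant.example.com/am/oauth2/alpha",
  "authorization_endpoint": "https://tenant.example.com/am/oauth2/alpha/authorize",
  "acr_values_supported": ["sdkUsernamePasswordJourney", "sdkWebAuthnJourney"]
}
""".data(using: .utf8)!

let doc = try! JSONDecoder().decode(DiscoveryDocument.self, from: sampleJSON)
print(checkAcrValues("sdkUsernamePasswordJourney", against: doc))
// supported
print(checkAcrValues("sdkUsernamePasswordJourney noSuchJourney", against: doc))
// unsupported(missing: ["noSuchJourney"], advertised: [...])
```

In the app, call fetchDiscovery(ConfigurationManager.shared.currentConfigurationViewModel?.discoveryEndpoint ?? "") from an async context and run checkAcrValues on the result before building the browser request. Keep in mind that acr_values is a request hint: after login, confirm the acr claim in the ID token reports the journey you asked for rather than assuming it was honored.
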