Name: Guardian.swift
Owner: Auth0
Description: Swift toolkit for Auth0 Guardian API
Created: 2016-08-05 13:43:45.0
Updated: 2018-05-23 16:58:53.0
Pushed: 2018-05-23 16:58:51.0
Homepage: https://auth0.com/guardian
Size: 285
Language: Swift
GitHub Committers
User | Most Recent Commit | # Commits |
---|
Other Committers
User | Most Recent Commit | # Commits |
---|
Guardian is Auth0's multi-factor authentication (MFA) service that provides a simple, safe way for you to implement MFA.
Auth0 is an authentication broker that supports social identity providers as well as enterprise identity providers such as Active Directory, LDAP, Google Apps and Salesforce.
This SDK allows you to integrate Auth0's Guardian multi-factor service in your own app, transforming it in the second factor itself. Your users will get all the benefits of our frictionless multi-factor authentication from your app.
iOS 9.3+ and Swift 3 is required in order to use Guardian.
To use this SDK you have to configure your tenant's Guardian service with your own push notification credentials, otherwise you would not receive any push notifications. Please read the docs about how to accomplish that.
Guardian.swift is available through CocoaPods. To install it, simply add the following line to your Podfile:
"Guardian"
In your Cartfile add this line
ub "auth0/Guardian.swift"
Guardian
is the core of the SDK. To get things going you'll have to import the library:
rt Guardian
Then you'll need the Auth0 Guarduan domain for your account:
domain = "{YOUR_ACCOUNT_NAME}.guardian.auth0.com"
An enrollment is a link between the second factor and an Auth0 account. When an account is enrolled you'll need it to provide the second factor required to verify the identity.
For an enrollment you need the following things, besides your Guardian Domain:
String
containing the 64 bytes (expressed in hexadecimal format)In case your app is not yet using push notifications or you're not familiar with it, you should check their docs.
after your have all of them, you can enroll your device
dian
.enroll(forDomain: "{YOUR_GUARDIAN_DOMAIN}",
usingUri: "{ENROLLMENT_URI}",
notificationToken: "{APNS_TOKEN}",
keyPair: keyPair)
.start { result in
switch result {
case .success(let enrollment):
// success, we have the enrollment data available
case .failure(let cause):
// something failed, check cause to see what went wrong
}
}
On success you'll obtain the enrollment information, that should be secured stored in your application. This information includes the enrollment identifier, and the token for Guardian API associated to your device for updating or deleting your enrollment.
Guardian.swift provides a convenience class to generate an RSA key pair and store it in iOS Keychain.
rsaKeyPair = RSAKeyPair.new(
usingPublicTag: "com.auth0.guardian.enroll.public",
privateTag: "com.auth0.guardian.enroll.private"
)
The tags should be unique since it's the identifier of each key inside iOS Keychain.
Since the keys are already secured stored inside iOS Keychain, you olny need to store the identifiers
Once you have the enrollment in place, you will receive a push notification every time the user has to validate his identity with MFA.
Guardian provides a method to parse the data received from APNs and return a Notification
instance ready to be used.
et notification = Guardian.notification(from: userInfo) {
// we have received a Guardian push notification
Once you have the notification instance, you can easily allow the authentication request by using
the allow
method. You'll also need the enrollment that you obtained previously.
In case you have more than one enrollment, you'll have to find the one that has the same id
as the
notification (the enrollmentId
property).
dian
.authentication(forDomain: "{YOUR_GUARDIAN_DOMAIN}", andEnrollment: enrollment)
.allow(notification: notification)
.start { result in
switch result {
case .success:
// the auth request was successfuly allowed
case .failure(let cause):
// something failed, check cause to see what went wrong
}
}
To deny an authentication request just call reject
instead. You can also send a reject reason if
you want. The reject reason will be available in the guardian logs.
dian
.authentication(forDomain: "{YOUR_GUARDIAN_DOMAIN}", andEnrollment: enrollment)
.reject(notification: notification)
// or reject(notification: notification, withReason: "hacked")
.start { result in
switch result {
case .success:
// the auth request was successfuly rejected
case .failure(let cause):
// something failed, check cause to see what went wrong
}
}
If you want to delete an enrollment -for example if you want to disable MFA- you can make the following request:
dian
.api(forDomain: "{YOUR_GUARDIAN_DOMAIN}")
.device(forEnrollmentId: "{USER_ENROLLMENT_ID}", token: "{ENROLLMENT_DEVICE_TOKEN}")
.delete()
.start { result in
switch result {
case .success:
// success, the enrollment was deleted
case .failure(let cause):
// something failed, check cause to see what went wrong
}
}
Auth0 helps you to:
If you have found a bug or if you have a feature request, please report them at this repository issues section. Please do not report security vulnerabilities on the public GitHub issue tracker. The Responsible Disclosure Program details the procedure for disclosing security issues.
This project is licensed under the MIT license. See the LICENSE file for more info.