- How can I disable the login alert box?
- How can I disable the logout alert box?
- Is there a way to disable the login alert box without
useEphemeralSession()? - How can I change the message in the alert box?
- How can I programmatically close the alert box?
Under the hood, Auth0.swift uses ASWebAuthenticationSession to perform web-based authentication, which is the API provided by Apple for such purpose.
That alert box is displayed and managed by ASWebAuthenticationSession, not by Auth0.swift, because by default this API will store the session cookie in the shared Safari cookie jar. This makes single sign-on (SSO) possible. According to Apple, that requires user consent.
💡 See this blog post for a detailed overview of SSO on iOS.
If you don't need SSO, you can disable this behavior by adding useEphemeralSession() to the login call. This will configure ASWebAuthenticationSession to not store the session cookie in the shared cookie jar, as if using an incognito browser window. With no shared cookie, ASWebAuthenticationSession will not prompt the user for consent.
Auth0
.webAuth()
.useEphemeralSession() // No SSO, therefore no alert box
.start { result in
// ...
}Note that with useEphemeralSession() you don't need to call clearSession(federated:) at all. Just clearing the credentials from the application will suffice. What clearSession(federated:) does is clear the shared session cookie, so that in the next login call the user gets asked to log in again. But with useEphemeralSession() there will be no shared cookie to remove.
⚠️ useEphemeralSession()relies on theprefersEphemeralWebBrowserSessionconfiguration option ofASWebAuthenticationSession. This option is only available on iOS 13+ and macOS, souseEphemeralSession()will have no effect on iOS 12. To improve the experience for iOS 12 users, see the approach described below.
If you need SSO and/or are willing to tolerate the alert box on the login call, but would prefer to get rid of it when calling clearSession(federated:), you can simply not call clearSession(federated:) and just clear the credentials from the application. This means that the shared session cookie will not be removed, so to get the user to log in again you need to add the "prompt": "login" parameter to the login call.
Auth0
.webAuth()
.useEphemeralSession()
.parameters(["prompt": "login"]) // Ignore the cookie (if present) and show the login page
.start { result in
// ...
}Otherwise, the browser modal will close right away and the user will be automatically logged in again, as the cookie will still be there.
⚠️ Keeping the shared session cookie may not be an option if you have strong privacy and/or security requirements, for example in the case of a banking application.
No. According to Apple, storing the session cookie in the shared Safari cookie jar requires user consent. The only way to not have a shared cookie is to configure ASWebAuthenticationSession with prefersEphemeralWebBrowserSession set to true, which is what useEphemeralSession() does.
Auth0.swift has no control whatsoever over the alert box. Its contents cannot be changed. Unfortunately, that's a limitation of ASWebAuthenticationSession.
Auth0.swift has no control whatsoever over the alert box. It cannot be closed programmatically. Unfortunately, that's a limitation of ASWebAuthenticationSession.