Auth Connect
Ionic Auth Connect handles logging in and/or registering a user with an authentication provider (such as Auth0, Azure AD, AWS Cognito, or Okta) using industry standard OAuth/OpenId Connect on iOS, Android, or on the web.
When used with Ionic Identity Vault, it provides a complete security solution for authentication and storage of logged-in credentials.
Auth Connect also allows your app to support multiple authentication providers. Should you need to change providers, easily switch between them without having to develop a new solution. Learn more.
#
Demo AppWe have a demo app available that shows the complete login/logout experience using Auth0. Swap the Auth0 configuration in the IonicAuthOptions
object to switch to a different auth provider.
#
InstallationIf you have not already setup Ionic Enterprise in your app, follow the one-time setup steps.
Next, install the plugin:
- Capacitor
- Cordova
Capacitor users will need to manually update the native project config files.
For Android, update the manifest file located at android/app/src/main/AndroidManifest.xml by adding the following intents next to the other intents in the main activity node:
For iOS, update the file located at ios/App/App/Info.plist by adding the following inside the existing CFBundleURLTypes node:
note
You will need to update the $AUTH_URL_SCHEME
placeholder with the bundle id of your app in both files when using Capacitor.
#
Configuring Auth ConnectThe main entry point into Auth Connect is done via the IonicAuth class. To configure IonicAuth
, you pass in a configuration object when creating a new instance of the class.
This is done by passing in an instance of IonicAuthOptions to the IonicAuth class. The IonicAuth class is the main interface exposed by the Auth Connect plugin, and is expected to be subclassed for specific behaviors and/or events.
#
Supported ProvidersLeveraging the OAuth/OpenId Connect protocols, Auth Connect supports:
#
WorkflowThe typical Auth Connect workflow consists of:
- Your client app instantiates the Auth Connect Plugin, passing in the IonicAuthOptions object. Configure it based on the chosen auth provider.
- On app load, the hosting app calls IsAuthenticated to check if the user is logged in already.
- If the user isn't logged in, redirect the app to a Login page and call the Login method. Auth Connect loads the chosen auth provider's login page.
- The app user enters their username and password and taps the provider's login button.
- On success, Auth Connect automatically retrieves and stores the user's access token. The onLoginSuccess method is fired, and the app can redirect to the desired protected homepage.
- The IsAuthenticated method can be called at any point to refresh the access token.
- Use GetAccessToken to retrieve the access token if making any API requests to the auth provider.
note
Web apps using the current mode need to implement callback handlers on login and logout
#
Web Configuration OptionsWhen using Auth Connect in a web app, you have two options on how the login window will appear for your users. The window can either pop up in a new window/tab (known as "POPUP" mode), or it can occur in the current window ("CURRENT" mode).
Here's a visual comparison:
#
Popup ModePopup mode will pop open a new window/tab to the authentication provider, and after the user authenticates, the window will close and the user will be back at your app.
Popup mode is the default, but you can explicitly specify it by setting the implicitLogin option to "POPUP" in the IonicAuthOptions
configuraiton.
When using popup mode, you don't want to do any type of logic or page redirection in your redirectUri
or logoutUrl
pages. Once the user is done authenticating, the auth provider will redirect back to these pages, and Auth Connect will detect this and close the window.
Since these pages might briefly appear to your users, we recommend either keeping the page blank or have a simple branded page that they will see before the window closes.
#
Current ModeCurrent mode redirects the user to the authentication provider in their current window, so they will temporarily leave your app and be returned to the redirectUri
after authentication is done.
To use current mode, set impliciLogin
to "CURRENT" in the IonicAuthOptions
configuration.
When using current mode, you need to finish handling the login/logout process in the redirectUri
and logoutUrl
pages. This is required because in current mode, the user leaves your app completely, and Auth Connect needs to know when the user is done authenticating. To do so, use the handleLoginCallback, and handleLogoutCallback methods respectively:
#
Testing LocallyTo test an Ionic app using Auth Connect locally, configure IonicAuthOptions
to use http://localhost:8100/
as the base URL for properties such as redirectUri
and logoutUrl
. Then, run the ionic serve
command.
#
Checking Authentication StatusAuth Connect provides the isAuthenticated()
convenience method for checking if there is a current session and refreshing that session if it is already expired. However, there are cases where you may want to implement your own method for checking if the user is authenticated. An example of needing to do this would be to handle checking the authentication status when the device is offline.
The isAuthenticated()
method relies on the application having a connection to the internet because if the access token is expired, it will automatically attempt to refresh that token with the authentication provider. If the device is not connected to the network during this check, the refresh attempt will fail and the method will report back that the user is not currently authenticated.
Auth Connect provides access to the various building blocks necessary to create your own method for checking authentication status. A simple example for gracefully handling offline might look like the following:
#
Microsoft Edge (Pre-Chromium) SupportDue to a bug in the pre-Chromium version of Edge, you cannot overide a method in a subclass.
For instance, it is common to create a class that extends IonicAuth
like this:
If you need to support the pre-Chromium version of Edge, you will need to write your own method in the subclass that calls into the base class as follows:
You will then need to change external references from this.authentication.isAuthenticated()
to this.authentication.myAppIsAuthenticated()
(the name is not important so much as the fact that you are not overriding the base class method, pick a name that makes sense to you).
You will also need to use the CURRENT
behavior for implicitLogin
on Edge.
Note: this is only required if you need to support pre-Chromium Edge browsers. If you are creating a pure hybrid-native app or otherwise have no reason to support pre-Chromium Edge, then you can override methods like isAuthenticated()
in the usual manner.