Ionic Identity Vault
Ionic Identity Vault is an all-in-one frontend identity management system that combines security best practices and the latest in biometric authentication options available on iOS and Android.
The Vault manages secure user identity and session tokens, ensuring sensitive tokens are encrypted at rest, stored only in secure locations on the device, and unlocked only with biometric identity (TouchID/FaceID).
Without Ionic Identity Vault, Ionic developers have to resort to combining third party Cordova plugins, often resulting in insecure setups due to the lack of correct implementation of biometric and at-rest encryption strategies. Learn more.
Installation
If you have not already setup Ionic Enterprise in your app, follow the one-time setup steps.
Next, install the plugin:
- Capacitor
- Cordova
npm install @ionic-enterprise/identity-vault
npx cap sync
ionic cordova plugin add @ionic-enterprise/identity-vault
Update the native project config files:
_10// iOS - Info.plist_10<key>NSFaceIDUsageDescription</key>_10<string>Use Face ID to authenticate yourself and login</string>_10_10// Android - No additional changes needed
Reference App
A complete login/logout experience that includes biometrics (Face ID with passcode as a fallback), secure token storage, background data hiding, and session timeouts.
Configuring the Vault
The IonicIdentityVaultUser
class takes a generic session type which represents the type of the session you'll store in the vault. You can use the DefaultSession or extend the class to create a custom session. In the constructor of your Identity
service, the vault is configured by providing options to the super()
call:
_35interface MyCustomSession extends DefaultSession {_35 // username & token are inherited_35 email: string;_35 age: number;_35 nicknames: string[];_35}_35_35export class IdentityService extends IonicIdentityVaultUser<MyCustomSession> {_35_35constructor(private http: HttpClient, private router: Router, platform: Platform) {_35 super(platform, {_35 authMode: AuthMode.BiometricAndPasscode, // Use biometrics auth with passcode fallback_35 restoreSessionOnReady: false, // whether or not to immediately attempt to restore the session when the vault is ready_35 unlockOnReady: false, // set true to auto prompt the user to unlock when vault is ready_35 unlockOnAccess: true, // set to true to auto prompt the user to unlock on first read access_35 lockAfter: 5000, // lock after 5 seconds in the background_35 hideScreenOnBackground: true // when in app launcher mode hide the current screen and display the splashscreen_35 });_35_35 onVaultUnlocked(config: VaultConfig) {_35 //Route to my home page_35 }_35_35 onVaultLocked() {_35 //Route to my login page_35 }_35_35 async onPasscodeRequest(isPasscodeSetRequest: boolean) {_35 // Display a custom Passcode prompt and return the passcode as a string_35 // or return undefined to use the build in native prompts. isPasscodeSetRequest_35 // is true when attempting to set a new passcode on the vault, you can use_35 // it to do something like prompt the user twice for the pin._35 }_35_35}
Automatically adding your token to requests
If you'd like to automatically add your authorization token from your identity service to every request, you can see a simple example at in our demo repo.
Upgrading to v4.0.0
If you have Identity Vault <3.1.0, please see Upgrading from v3.0.0 to >=v3.1.0 before following these upgrade instructions.
- Upgrade your app to use
cordova-android
9.x (see the 9.0.0 milestone for progress) or Capacitor 2.x. - Install the new plugin version.
API Documentation
You can find the API and interface documentation for everything below. The main classes to pay attention to are:
- IonicIdentityVaultUser - Subclass this when creating your identity service.
- DefaultSession - This is the generic type that represents your session. Extend this to implement a custom session.
- IdentityVault - This is the lower level vault API. You can use this to implement advanced workflows including multi-tenant vaults.
Index
Enumerations
Interfaces
- DefaultSession
- IdentityVault
- IdentityVaultUser
- IonicNativeAuthPlugin
- LockEvent
- PluginConfiguration
- PluginOptions
- VaultConfig
- VaultDescriptor
- VaultError
- VaultOptions
Type aliases
Enumerations
AuthMode
AuthMode:
The type of authentication the vault should be configured to allow.
BiometricAndPasscode
BiometricAndPasscode:
Both biometric and passcode authentication should be allowed
BiometricOnly
BiometricOnly:
Biometrics authentication should only be allowed
BiometricOrPasscode
BiometricOrPasscode:
Use biometrics if it is available, otherwise use passcode
InMemoryOnly
InMemoryOnly:
Both biometric and passcode authentication should be disabled. With this setting all data in the vault will be cleared on lock or if the app is closed. Stored data is kept only in memory.
PasscodeOnly
PasscodeOnly:
Passcode authentication should only be allowed
SecureStorage
SecureStorage:
Both biometric and passcode authentication will be disabled but any stored values will persist and be stored securely at rest using the keychain and will be available without needing to authenticate via passcode or biometrics when the device is unlocked.
VaultErrorCodes
VaultErrorCodes:
The meaning of the error code in the thrown VaultError
AuthFailed
AuthFailed:
User authentication failed.
BiometricsNotEnabled
BiometricsNotEnabled:
The operation failed because biometric authentication is not enabled. This can occur when biometrics is not supported by the device or when biometrics has not been configured for the device or vault.
InvalidArguments
InvalidArguments:
The operation failed because the some of the vault provided arguments were invalid.
InvalidAuthMode
InvalidAuthMode:
The provided AuthMode is invalid. Should be one of AuthMode.
InvalidatedCredential
InvalidatedCredential:
The credentials were invalidated. This can happen when a user changes biometrics or passcode.
KeyNotFound
KeyNotFound:
The key was not found. This can happen when a user changes biometrics or passcode.
MismatchedPasscode
MismatchedPasscode:
The user provided mismatched passcodes.
MissingPasscode
MissingPasscode:
The operation requires passcode to be setup but it isn't set yet. Call setPasscode to set it.
PasscodeNotEnabled
PasscodeNotEnabled:
The operation failed because the application tried to unlock the vault with passcode authentication, but the vault is not configured to allow passcode authentication.
SecurityNotAvailable
SecurityNotAvailable:
Biometric security is unavailable due to a passcode not being set up at the system level. In order to use biometric identification on the device a system level passcode must be set up by the user.
TooManyFailedAttempts
TooManyFailedAttempts:
Too many failed authentication attempts so the vault was cleared an user will need to login again.
Unknown
Unknown:
An unknown error happened.
UserCanceledInteraction
UserCanceledInteraction:
The user cancelled the native authentication dialog.
VaultLocked
VaultLocked:
The operation failed because the vault was locked.
VaultUnavailable
VaultUnavailable:
The operation failed because the vault was unavailable. The most likely cause of this error is that a vault has not been configured.
Interfaces
DefaultSession
DefaultSession:
The interface for the Default Session. Extend this interface to make a custom session
usage:
_10MyCustomSession extends DefaultSession {_10 email: string;_10 age: number;_10 nicknames: string[];_10}
token
● token: string
username
● username: string
IdentityVault
IdentityVault:
The underlying vault API. You can gain direct access to the vault for more advanced usage by using the IdentityVaultUser.getVault method.
<Optional>
config
● config: PluginConfiguration
The current configuration of the vault will stay current as long as unsubscribe is not called.
clear
▸ clear(): Promise
<void
>
Clear all vault data including stored tokens, values, and passcodes. The vault will be empty and unlocked after this.
Returns: Promise
<void
>
getBiometricType
▸ getBiometricType(): Promise
<BiometricType>
Get the type of biometrics the device supports
Returns: Promise
<BiometricType>
the type of biometrics the device supports
getConfig
▸ getConfig(): Promise
<PluginConfiguration>
Get the current configuration of the vault
Returns: Promise
<PluginConfiguration>
the configuration
getKeys
▸ getKeys(): Promise
<string
[]>
Get all keys with stored values.
throws: VaultError - if vault is locked
Returns: Promise
<string
[]>
array with all keys
getToken
▸ getToken(): Promise
<any
>
Get any data stored in the token slot. This is equivalent to calling getValue("token").
throws: VaultError - if vault is locked
Returns: Promise
<any
>
token data
getUsername
▸ getUsername(): Promise
<string
>
Get the username associated with the vault
Returns: Promise
<string
>
the username for the vault
getValue
▸ getValue(key: string
): Promise
<any
>
Get a value stored under the given key.
throws: VaultError - if vault is locked
Parameters:
Name | Type | Description |
---|---|---|
key | string | the key where the value is stored |
Returns: Promise
<any
>
the value stored at the key
isBiometricsAvailable
▸ isBiometricsAvailable(): Promise
<boolean
>
Check whether or not biometrics is supported by the device and has been configured by the current user of the device
Returns: Promise
<boolean
>
whether or not biometrics is available
isBiometricsEnabled
▸ isBiometricsEnabled(): Promise
<boolean
>
Check whether or not biometrics is enabled on the vault
Returns: Promise
<boolean
>
whether or not biometrics is enabled
isBiometricsSupported
▸ isBiometricsSupported(): Promise
<boolean
>
Check whether or not biometrics is supported by the device
Returns: Promise
<boolean
>
whether or not biometrics is supported
isInUse
▸ isInUse(): Promise
<boolean
>
Check whether the vault has any values stored in it.
Returns: Promise
<boolean
>
whether the vault has stored values