Safari forgets OpenID Connect previous authentication
| Originator: | frantisaul | | |
| Number: | rdar://29442666 | Date Originated: | 30-Nov-2016 |
| Status: | Open | Resolved: | |
| Product: | iOS | Product Version: | 10.1.1 [14B100] |
| Classification: | | Reproducible: | |
Area: Safari Services

Summary: We are implementing OpenID Connect as an authentication mechanism in our Vigilo Optimal app.

Steps to Reproduce:
1. Download the app from the App Store. Currently in version 1.0.2.
2. Press the login button.
3. The app shows Safari by using URL Schemes (an instance of SFSafariViewController) so that the user can enter his username and password.
4. Use these credentials: Username = XXXX; password = XXXX
5. The app validates the user credentials and then gets a token (according to the OpenID Connect standard).
6. The app uses this new token to request the list of schools (tenants) available for that specific user. The list is presented to the user so he can select one.
7. Select Sandkassen.
8. The app uses the id of the selected school (tenant) to request a new token. The app creates a new instance of SFSafariViewController to request this new token.
9. If everything is OK, the app calls the Vigilo API to get additional information necessary to use the app features.

In step 3, the app sends prompt = login as part of the parameters requested by OpenID Connect. In step 8, the app stops sending the prompt parameter. However, when OpenID Connect detects there is no prompt parameter, it uses the value login as a default value for the missing prompt parameter. So, what is the purpose of the prompt parameter and what values can it have? According to the official documentation it can have 4 values: none, login, consent, select_account.

Expected Results: Why is the behavior in iOS 9 different from the behavior with iOS 10?

DESIRED BEHAVIOR
The behavior with iOS 9 looks like the right one. We want the behavior with iOS 10 to be exactly like the behavior with iOS 9.

OUR THOUGHTS
We think that perhaps the Safari instance (SFSafariViewController) does something in iOS 9 that it does not do in iOS 10. Perhaps, for some reason, in iOS 10 the authentication of the user is forgotten. We don't know what the cause of this behavior in iOS 10 is, so we need some help.
Maybe we are doing something wrong. Any help from you will be very much appreciated.

Actual Results:
OUR PROBLEM. By now we have a problem with the described process flow. We can send two possible values in step 8:
- no prompt parameter
- prompt = none

iOS 9. OK! Everything is OK with iOS 9. We can send no prompt or we can send prompt = none and all is OK. Safari is launched only to get the new token. This is done automatically and very quickly, so no problem here.

iOS 10. PROBLEM! We get two different results depending on the value sent through the prompt parameter:
- no prompt parameter: it seems OpenID uses a default prompt = login in this case because it shows the user authentication interface again.
- prompt = none: Error. A documented error is returned, and it is: http://openid.net/specs/openid-connect-core-1_0.html

Version: iOS 9.3.2 [13F69] and iOS 10.1.1 [14B100]

Configuration: iPhone 6S. Wifi and LTE signal.
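The two authorization requests the report describes (step 3 with prompt = login, step 8 with either no prompt or prompt = none) and the handling of the prompt = none failure, as an added example in Python that is not the Vigilo Optimal app's code. The authorization endpoint, client_id, the custom-scheme redirect URI and the `tenant` parameter are assumptions chosen for illustration; the four prompt values and the `login_required` / `interaction_required` error family come from OpenID Connect Core 1.0 (sections 3.1.2.1 and 3.1.2.6). The example also shows the check a relying party should always do on the callback: the `state` it receives must match the one it sent, so that a callback from a stale or attacker-initiated transaction is rejected rather than consumed.

```python
"""OpenID Connect authorization requests with and without `prompt`.

Added example, not the Vigilo Optimal app's code. Endpoint, client_id,
redirect URI and the `tenant` parameter are assumptions for illustration.
"""
import secrets
from urllib.parse import parse_qs, urlencode, urlsplit

AUTHZ_ENDPOINT = "https://login.example.com/connect/authorize"  # assumption
CLIENT_ID = "vigilo-ios"                                         # assumption
REDIRECT_URI = "vigilo://oidc/callback"  # assumption: app's custom URL scheme

# OIDC Core 1.0, 3.1.2.1: the only defined prompt values.
VALID_PROMPTS = {"none", "login", "consent", "select_account"}

# OIDC Core 1.0, 3.1.2.6: errors a prompt=none request returns when it
# cannot complete without showing the user any UI.
SILENT_FAILURES = {
    "login_required",
    "interaction_required",
    "consent_required",
    "account_selection_required",
}


def new_transaction():
    """Fresh per-request values: state binds the callback to this request
    (CSRF protection), nonce binds the ID token to it."""
    return {"state": secrets.token_urlsafe(16), "nonce": secrets.token_urlsafe(16)}


def build_auth_request(txn, prompt=None, tenant=None):
    """Build the authorization URL opened in SFSafariViewController.

    prompt=None omits the parameter entirely (the report's "no prompt" case);
    it is not the same as sending prompt= with an empty value.
    """
    params = {
        "response_type": "code",
        "client_id": CLIENT_ID,
        "redirect_uri": REDIRECT_URI,
        "scope": "openid profile",
        "state": txn["state"],
        "nonce": txn["nonce"],
    }
    if prompt is not None:
        if prompt not in VALID_PROMPTS:
            raise ValueError(f"unknown prompt value: {prompt!r}")
        params["prompt"] = prompt
    if tenant is not None:
        params["tenant"] = tenant  # assumption: provider-specific extension
    return AUTHZ_ENDPOINT + "?" + urlencode(params)


def parse_callback(url, txn):
    """Parse the redirect back to the app (query component, code flow).

    Returns ("code", <code>) or ("error", <error>). Raises on a state
    mismatch so a callback from another transaction is never consumed.
    """
    query = parse_qs(urlsplit(url).query)
    if query.get("state", [None])[0] != txn["state"]:
        raise ValueError("state mismatch: stale or forged callback")
    if "error" in query:
        return ("error", query["error"][0])
    return ("code", query["code"][0])


def fallback_after_silent_failure(result, tenant):
    """Step 8 outcome handling for a prompt=none request.

    A code means the provider still had a session: exchange it at the token
    endpoint. A silent-failure error means the session is gone and the only
    option is a fresh interactive request (prompt=login) in a new transaction.
    Any other error is a hard failure.
    """
    kind, value = result
    if kind == "code":
        return None
    if value in SILENT_FAILURES:
        txn = new_transaction()
        return txn, build_auth_request(txn, prompt="login", tenant=tenant)
    raise RuntimeError(f"authorization failed: {value}")


if __name__ == "__main__":
    # Step 3: interactive login, then step 8: silent token for the tenant.
    first = new_transaction()
    print("step 3:", build_auth_request(first, prompt="login"))
    second = new_transaction()
    print("step 8:", build_auth_request(second, prompt="none", tenant="Sandkassen"))
    # Constructed callback: what a provider with no live session returns.
    callback = f"{REDIRECT_URI}?error=login_required&state={second['state']}"
    outcome = parse_callback(callback, second)
    print("callback:", outcome)
    print("fallback:", fallback_after_silent_failure(outcome, "Sandkassen")[1])
```

The design choice worth noting is that the fallback starts a new transaction rather than reusing the old `state` and `nonce`: once a request has produced a callback, its values are spent, and reusing them would let a second, replayed callback pass the state check.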