# browserid-ios

**Repository Path**: mirrors_mozilla/browserid-ios

## Basic Information

- **Project Name**: browserid-ios
- **Description**: INACTIVE - http://mzl.la/ghe-archive - an iOS SDK for BrowserID
- **Primary Language**: Unknown
- **License**: Not specified
- **Default Branch**: master
- **Homepage**: None
- **GVP Project**: No

## Statistics

- **Stars**: 0
- **Forks**: 0
- **Created**: 2020-08-22
- **Last Updated**: 2026-03-21

## Categories & Tags

**Categories**: Uncategorized

**Tags**: None

## README

# THIS REPOSITORY IS DEPRECATED!

Development has moved to the [mozilla/persona-ios](https://github.com/mozilla/persona-ios) repository instead.

---

# OLD INFORMATION BELOW:

>_Please note that this code/project is work in progress. It currently works good enough for accounts that just go through persona.org but it has problems when alternative Identity Providers are in play._
>_At this point it is not recommended to use this code, except to get an idea of what BrowserID will look like._

## Introduction

This project contains sources to integrate BrowserID in an iOS application.

## Theory of Operation

### In a fully native application

First, implement the BrowserIDViewControllerDelegate methods:

```
// Called when the users cancelled the BrowserID process by hitting the Cancel button

- (void) browserIDViewControllerDidCancel: (BrowserIDViewController*) browserIDViewController
{
    [browserIDViewController dismissModalViewControllerAnimated: YES];
}

// Called when the user successfully went through the BrowserID dialog. The assertion
// should be verified in your server. Do not call the BrowserID hosted verifier from your application
// as that will allow users to spoof a login.

- (void) browserIDViewController: (BrowserIDViewController*) browserIDViewController 
    didSucceedWithAssertion: (NSString*) assertion;
{
    [browserIDViewController dismissModalViewControllerAnimated: YES];
    // Pass the assertion to your server to verify it
}
```

Then start the BrowserID process by creating a BrowserIDViewController and displaying it.

```
- (void) startBrowserIDWithOrigin: (NSString*) origin
{
    BrowserIDViewController* browserIDViewController = [BrowserIDViewController new];
    if (browserIDViewController != nil)
    {
        browserIDViewController.origin = origin;
        browserIDViewController.delegate = self;
        
        UINavigationController* navigationController = [[UINavigationController alloc]
            initWithRootViewController: browserIDViewController];
        if (navigationController != nil)
        {
            if ([[UIDevice currentDevice] userInterfaceIdiom] == UIUserInterfaceIdiomPhone) {
                [self presentModalViewController: navigationController animated: YES];
            } else {
                navigationController.modalPresentationStyle = UIModalPresentationFullScreen;
                [self presentModalViewController: navigationController animated: YES];
            }
        }
    }
}
```
You can also let the BrowserIDViewController call your verifier. Simply set the `verifier` property to the location of your own verifier.

```
    BrowserIDViewController* browserIDViewController = [BrowserIDViewController new];
    if (browserIDViewController != nil)
    {
        browserIDViewController.origin = origin;
        browserIDViewController.delegate = self;
        browserIDViewController.verifier = [NSURL URLWithString: @"https://my.app/verify"];
    }
```

Then instead of the `browserIDViewController:didSucceedWithAssertion:` delegate method, you implement the `browserIDViewController:didSucceedVerificationWithReceipt:` and `browserIDViewController:didFailVerificationWithError` methods.

The `BrowserIDViewController` will call the verifier endpoint with a `POST` method that has the assertion in the the request body. The verify method is expected to return a JSON structure. The parsed JSON will be given to your in the `browserIDViewController:didSucceedVerificationWithReceipt:` delegate method.

The verify method on your server is also a good place to log the user in. For example by setting a cookie or by generating a session id that you pass back.

Here is a very simple example that is written using the Python Bottle web framework:

```
#
# Called by the native application when it wants to verify the BrowserID token. Will
# return 200 and the user's email address in the body if the verification is succesfull,
# 500 if the request failed or 401 Unauthorized if the verification fails.
#

@route('/verify', method='POST')
def verify():
    data = { 'assertion': request.body.read(), 'audience': "http://localhost:8080"}
    post_response = requests.post('https://browserid.org/verify', data = data, timeout = 5)
    if post_response.status_code != 200:
        abort(500, "BrowserID Error")
    else:
        receipt = json.loads(post_response.content)
        if receipt['status'] == 'okay':
            session_id = create_session(receipt['email'])
            response.set_cookie("browserid_demo_session_id", session_id, max_age = 3600)
        return post_response.content
```

### In a native application that wraps a UIWebView

This is for the case where you are working on a web application that is presented in a `UIWebView` in a native iOS application.

Unfortunately it is not possible to directly use BrowserID from a `UIWebView` because the `UIWebView` has some limitation like for example not being able to deal with popups or inter-webview communication.

Fortunately it is not very difficult to use the `BrowserIDViewController` from a `UIWebView`. What we need to do is bridge the `UIWebView` with native code so that we can present the `BrowserIDViewController` from the native side of the app.

Here is a `UIWebView` delegate method that intercepts a custom `browserid-origin://getVerifiedEmail` URL which will then start the BrowserID process.

```
- (BOOL) webViewShouldStartLoadWithRequest:(NSURLRequest *)request navigationType:(UIWebViewNavigationType)navigationType
{
    NSURL* url = [request URL];
    if ([[url scheme] isEqualToString: @"browserid-origin"])
    {
        if ([[url host] isEqualToString: @"getVerifiedEmail"])
        {
            [self startBrowserIDWithOrigin: [[url query] substringFromIndex: [@"data=" length]]];
            return NO;
        }
    }
    return YES;
}
```

You will need to implement your own BrowserID 'shim':

```
<script type="text/javascript">
    navigator.id = {};

    navigator.id._callbackToCocoa = function(name, value) {
        window.location = "browserid-origin://" + name + "/callback?data=" + value;
    };

    navigator.id.getVerifiedEmail = function(callback) {
        navigator.id.callback = callback;
        navigator.id._callbackToCocoa("getVerifiedEmail", document.location.origin);
    };
  </script>
```

Then you can call BrowserID in the usual way:

```
// Click handler for the BrowserID Login button
$(".browserid-login").click(function(e){
    navigator.id.getVerifiedEmail(function(assertion) {
		if (assertion) {
			// Call our verifier to make sure this is a valid login
			$.ajax({
                type: "POST",
				url: "/verify",
				data: assertion,
				dataType: "text",
				success: function(data, status, xhr) {
                    // We assume our /verify method returns JSON like { success: true, email: "you@domain" }
					if (data.success) {
						// The verification passed and the user is logged in.
                        alert("Welcome, " + data.email);
					} else {
						// The verification failed
					}
				},
				error: function(xhr, status, error) {
					// Error while verifying
				}
			});
		}
	});
});
```

If your application allows it you can simply redirect away from the login page. You can also call back to the native side to inform it that the BrowserID login and verification were successfull.