Apple SSO Cookbook (REST API)
NOTE
The content on this page is provided for information purposes only. Usage of this API requires a current license from Adobe. No unauthorized use is permitted.
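Introduction
The Adobe Pass Authentication REST API can support platform Single Sign-On (SSO) authentication for end users of client applications running on iOS, iPadOS or tvOS, through what we call the Apple SSO workflow.
Note that this document acts as an extension of the existing REST API documentation, which can be found here.
Cookbooks
To benefit from the Apple SSO user experience, an application needs to integrate the Video Subscriber Account framework developed by Apple, while for the Adobe Pass Authentication REST API communication it must follow the sequence of hints presented below.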
Authentication
Step: "Is there a valid Adobe authentication token?"
TIP
Hint: Implement this through the medium of the Adobe Pass Authentication service.
Step: "Is the user logged in via Platform SSO?"
TIP
Hint: Implement this through the medium of the Video Subscriber Account framework.
TIP
Pro Tip: Follow the code snippet and pay extra attention to the comments.
    ...
    let videoSubscriberAccountManager: VSAccountManager = VSAccountManager();
    videoSubscriberAccountManager.checkAccessStatus(options: [VSCheckAccessOption.prompt: true]) { (accessStatus, error) -> Void in
        switch (accessStatus) {
        // The user allows the application to access subscription information.
        case VSAccountAccessStatus.granted:
            // Construct the request for subscriber account information.
            let vsaMetadataRequest: VSAccountMetadataRequest = VSAccountMetadataRequest();
            // This is actually the SAML Issuer not the channel ID.
            vsaMetadataRequest.channelIdentifier = "https://saml.sp.auth.adobe.com";
            // This is the subscription account information needed at this step.
            vsaMetadataRequest.includeAccountProviderIdentifier = true;
            // This is the subscription account information needed at this step.
            vsaMetadataRequest.includeAuthenticationExpirationDate = true;
            // This makes the Video Subscriber Account framework refrain from prompting the user with the providers picker at this step.
            vsaMetadataRequest.isInterruptionAllowed = false;
            // Submit the request for subscriber account information - accountProviderIdentifier.
            videoSubscriberAccountManager.enqueue(vsaMetadataRequest) { vsaMetadata, vsaError in
                if (vsaMetadata != nil && vsaMetadata!.accountProviderIdentifier != nil) {
                    // The vsaMetadata!.authenticationExpirationDate will contain the expiration date for current authentication session.
                    // The vsaMetadata!.authenticationExpirationDate should be compared against current date.
                    ...
                    // The vsaMetadata!.accountProviderIdentifier will contain the provider identifier as it is known for the platform configuration.
                    // The vsaMetadata!.accountProviderIdentifier represents the platformMappingId in terms of Adobe Pass Authentication configuration.
                    ...
                    // The application must determine the MVPD id property value based on the platformMappingId property value obtained above.
                    // The application must use the MVPD id further in its communication with Adobe Pass Authentication services.
                    ...
                    // Continue with the "Obtain a profile request from Adobe for the selected MVPD" step.
                    ...
                    // Continue with the "Forward the Adobe request to Platform SSO to obtain the profile" step.
                    ...
                } else {
                    // The user is not authenticated at platform level, continue with the "Fetch Adobe configuration" step.
                    ...
                }
            }
        // The user has not yet made a choice or does not allow the application to access subscription information.
        default:
            // Fallback to regular authentication workflow.
            ...
        }
    }
    ...
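Step: "Fetch Adobe configuration"
TIP
Hint: Implement this through the medium of the Adobe Pass Authentication service.
TIP
Pro Tip: Be aware of the MVPD properties enablePlatformServices, boardingStatus, displayInPlatformPicker, platformMappingId and requiredMetadataFields, and pay extra attention to the comments in the code snippets from the other steps.
Step: "Initiate Platform SSO workflow with Adobe config"
TIP
Hint: Implement this through the medium of the Video Subscriber Account framework.
TIP
Pro Tip: Follow the code snippet and pay extra attention to the comments.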
    ...
    let videoSubscriberAccountManager: VSAccountManager = VSAccountManager();
    // This must be a class implementing the VSAccountManagerDelegate protocol.
    let videoSubscriberAccountManagerDelegate: VideoSubscriberAccountManagerDelegate = VideoSubscriberAccountManagerDelegate();
    videoSubscriberAccountManager.delegate = videoSubscriberAccountManagerDelegate;
    videoSubscriberAccountManager.checkAccessStatus(options: [VSCheckAccessOption.prompt: true]) { (accessStatus, error) -> Void in
        switch (accessStatus) {
        // The user allows the application to access subscription information.
        case VSAccountAccessStatus.granted:
            // Construct the request for subscriber account information.
            let vsaMetadataRequest: VSAccountMetadataRequest = VSAccountMetadataRequest();
            // This is actually the SAML Issuer not the channel ID.
            vsaMetadataRequest.channelIdentifier = "https://saml.sp.auth.adobe.com";
            // This is the subscription account information needed at this step.
            vsaMetadataRequest.includeAccountProviderIdentifier = true;
            // This is the subscription account information needed at this step.
            vsaMetadataRequest.includeAuthenticationExpirationDate = true;
            // This makes the Video Subscriber Account framework prompt the user with the providers picker at this step.
            vsaMetadataRequest.isInterruptionAllowed = true;
            // This can be computed from the [Adobe Pass Authentication](https://experienceleague.adobe.com/docs/pass/authentication/programmer-integration-guide/restapi/rest-api-reference/provide-mvpd-list.html?lang=zh-Hans) service response in order to filter the TV providers from the Apple picker.
            vsaMetadataRequest.supportedAccountProviderIdentifiers = supportedAccountProviderIdentifiers;
            // This can be computed from the [Adobe Pass Authentication](https://experienceleague.adobe.com/docs/pass/authentication/programmer-integration-guide/restapi/rest-api-reference/provide-mvpd-list.html?lang=zh-Hans) service response in order to sort the TV providers from the Apple picker.
            if #available(iOS 11.0, tvOS 11, *) {
                vsaMetadataRequest.featuredAccountProviderIdentifiers = featuredAccountProviderIdentifiers;
            }
            // Submit the request for subscriber account information - accountProviderIdentifier.
            videoSubscriberAccountManager.enqueue(vsaMetadataRequest) { vsaMetadata, vsaError in
                // This represents the checks for the "Is user login successful?" step.
                if (vsaMetadata != nil && vsaMetadata!.accountProviderIdentifier != nil) {
                    // The vsaMetadata!.authenticationExpirationDate will contain the expiration date for current authentication session.
                    // The vsaMetadata!.authenticationExpirationDate should be compared against current date.
                    ...
                    // The vsaMetadata!.accountProviderIdentifier will contain the provider identifier as it is known for the platform configuration.
                    // The vsaMetadata!.accountProviderIdentifier represents the platformMappingId in terms of Adobe Pass Authentication configuration.
                    ...
                    // The application must determine the MVPD id property value based on the platformMappingId property value obtained above.
                    // The application must use the MVPD id further in its communication with Adobe Pass Authentication services.
                    ...
                    // Continue with the "Obtain a profile request from Adobe for the selected MVPD" step.
                    ...
                    // Continue with the "Forward the Adobe request to Platform SSO to obtain the profile" step.
                    ...
                } else {
                    // The user is not authenticated at platform level.
                    if (vsaError != nil) {
                        // The application can check to see if the user selected a provider which is present in Apple picker, but the provider is not onboarded in platform SSO.
                        // Conditional casts are used so that a missing or non-String userInfo value falls through instead of crashing.
                        if let error = vsaError as NSError?, error.code == 1, let appleMsoId = error.userInfo["VSErrorInfoKeyUnsupportedProviderIdentifier"] as? String {
                            var mvpd: Mvpd? = nil;
                            // The requestor.mvpds must be computed during the "Fetch Adobe configuration" step.
                            for provider in requestor.mvpds {
                                if provider.platformMappingId == appleMsoId {
                                    mvpd = provider;
                                    break;
                                }
                            }
                            if mvpd != nil {
                                // Continue with the "Initiate second screen authentication workflow" step, but you can skip prompting the user with your MVPD picker and use the mvpd selection, therefore creating a better UX.
                                ...
                            } else {
                                // Continue with the "Initiate second screen authentication workflow" step.
                                ...
                            }
                        } else {
                            // Continue with the "Initiate second screen authentication workflow" step.
                            ...
                        }
                    } else {
                        // Continue with the "Initiate second screen authentication workflow" step.
                        ...
                    }
                }
            }
        // The user has not yet made a choice or does not allow the application to access subscription information.
        default:
            // Fallback to regular authentication workflow.
            ...
        }
    }
    ...
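The checks that the comments in the snippet above leave elided (provider identifier present, session not expired, platformMappingId resolved to an MVPD id) can be written as one pure function. This is an added example, not code from Adobe or from the original page; the reduced `Mvpd` struct, `PlatformLoginResult`, `evaluatePlatformLogin` and the sample identifiers are hypothetical, and treating a missing expiration date as expired is an assumption of this example.

```swift
import Foundation

// Hypothetical model of one MVPD entry from the Adobe configuration,
// reduced to the two properties this check needs.
struct Mvpd {
    let id: String
    let platformMappingId: String?
}

// Possible outcomes of the "Is user login successful?" check.
enum PlatformLoginResult: Equatable {
    case loggedIn(mvpdId: String)       // continue with the profile request step
    case notAuthenticated               // no provider identifier was returned
    case sessionExpired                 // expiration date missing or already passed
    case providerNotConfigured(String)  // no MVPD carries this platformMappingId
}

func evaluatePlatformLogin(accountProviderIdentifier: String?,
                           authenticationExpirationDate: Date?,
                           now: Date = Date(),
                           mvpds: [Mvpd]) -> PlatformLoginResult {
    // A missing or empty identifier means the user is not signed in at platform level.
    guard let providerId = accountProviderIdentifier, !providerId.isEmpty else {
        return .notAuthenticated
    }
    // Assumption: a missing expiration date is handled like an expired session.
    guard let expiration = authenticationExpirationDate, now < expiration else {
        return .sessionExpired
    }
    // The platform identifier is the platformMappingId; Adobe services expect the MVPD id.
    guard let mvpd = mvpds.first(where: { $0.platformMappingId == providerId }) else {
        return .providerNotConfigured(providerId)
    }
    return .loggedIn(mvpdId: mvpd.id)
}

// Constructed sample data, not real provider identifiers.
let sampleMvpds = [
    Mvpd(id: "SampleMvpdA", platformMappingId: "SampleProvider_A"),
    Mvpd(id: "SampleMvpdB", platformMappingId: nil),
]
let now = Date(timeIntervalSince1970: 1_700_000_000)
let valid = evaluatePlatformLogin(accountProviderIdentifier: "SampleProvider_A",
    authenticationExpirationDate: now.addingTimeInterval(3600), now: now, mvpds: sampleMvpds)
let expired = evaluatePlatformLogin(accountProviderIdentifier: "SampleProvider_A",
    authenticationExpirationDate: now.addingTimeInterval(-1), now: now, mvpds: sampleMvpds)
let unknown = evaluatePlatformLogin(accountProviderIdentifier: "SampleProvider_Z",
    authenticationExpirationDate: now.addingTimeInterval(3600), now: now, mvpds: sampleMvpds)
print(valid, expired, unknown)
```

Every outcome other than `loggedIn` should route to the fallback authentication workflow rather than to the profile request step.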
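Step: "Is user login successful?"
TIP
Pro Tip: Be aware of the code snippet from the "Initiate Platform SSO workflow with Adobe config" step. The user login is successful when vsaMetadata!.accountProviderIdentifier contains a valid value and the current date has not passed the vsaMetadata!.authenticationExpirationDate value.
Step: "Obtain a profile request from Adobe for the selected MVPD"
TIP
Hint: Implement this through the medium of the Adobe Pass Authentication Profile Request service.
TIP
Pro Tip: Be aware that the provider identifier obtained from the Video Subscriber Account framework represents the platformMappingId in terms of Adobe Pass Authentication configuration. Therefore, the application must determine the MVPD id property value using the platformMappingId value, through the medium of the Adobe Pass Authentication Provide MVPD List service.
Step: "Forward the Adobe request to Platform SSO to obtain the profile"
TIP
Hint: Implement this through the medium of the Video Subscriber Account framework.
TIP
Pro Tip: Follow the code snippet and pay extra attention to the comments.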
    ...
    let videoSubscriberAccountManager: VSAccountManager = VSAccountManager();
    videoSubscriberAccountManager.checkAccessStatus(options: [VSCheckAccessOption.prompt: true]) { (accessStatus, error) -> Void in
        switch (accessStatus) {
        // The user allows the application to access subscription information.
        case VSAccountAccessStatus.granted:
            // Construct the request for subscriber account information.
            let vsaMetadataRequest: VSAccountMetadataRequest = VSAccountMetadataRequest();
            // This is actually the SAML Issuer not the channel ID.
            vsaMetadataRequest.channelIdentifier = "https://saml.sp.auth.adobe.com";
            // This is going to include subscription account information which should match the provider determined in a previous step.
            vsaMetadataRequest.includeAccountProviderIdentifier = true;
            // This is going to include subscription account information which should match the provider determined in a previous step.
            vsaMetadataRequest.includeAuthenticationExpirationDate = true;
            // This makes the Video Subscriber Account framework refrain from prompting the user with the providers picker at this step.
            vsaMetadataRequest.isInterruptionAllowed = false;
            // These are the user metadata fields expected to be available on a successful login and are determined from the [Adobe Pass Authentication](https://experienceleague.adobe.com/docs/pass/authentication/programmer-integration-guide/restapi/rest-api-reference/provide-mvpd-list.html?lang=zh-Hans) service. Look for the requiredMetadataFields associated with the provider determined in a previous step.
            vsaMetadataRequest.attributeNames = requiredMetadataFields;
            // This is the payload from [Adobe Pass Authentication](https://experienceleague.adobe.com/docs/pass/authentication/programmer-integration-guide/restapi/rest-api-reference/retrieve-profilerequest.html?lang=zh-Hans) service.
            vsaMetadataRequest.verificationToken = profileRequestPayload;
            // Submit the request for subscriber account information.
            videoSubscriberAccountManager.enqueue(vsaMetadataRequest) { vsaMetadata, vsaError in
                if (vsaMetadata != nil && vsaMetadata!.samlAttributeQueryResponse != nil) {
                    var samlResponse: String? = vsaMetadata!.samlAttributeQueryResponse!;
                    // Collapse runs of spaces and tabs into a single space, remove new lines, then trim leading and trailing whitespace.
                    samlResponse = samlResponse?.replacingOccurrences(of: "[ \\t]+", with: " ", options: String.CompareOptions.regularExpression);
                    samlResponse = samlResponse?.components(separatedBy: CharacterSet.newlines).joined(separator: "");
                    samlResponse = samlResponse?.trimmingCharacters(in: CharacterSet.whitespacesAndNewlines);
                    // Base64 encode.
                    samlResponse = samlResponse?.data(using: .utf8)?.base64EncodedString(options: []);
                    // URL encode. Please be aware not to double URL encode it further.
                    samlResponse = samlResponse?.addingPercentEncoding(withAllowedCharacters: CharacterSet.init(charactersIn: "!*'();:@&=+$,/?%#[]").inverted);
                    // Continue with the "Exchange the Platform SSO profile for an Adobe authentication token" step.
                    ...
                } else {
                    // Fallback to regular authentication workflow.
                    ...
                }
            }
        // The user has not yet made a choice or does not allow the application to access subscription information.
        default:
            // Fallback to regular authentication workflow.
            ...
        }
    }
    ...
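Step: "Exchange the Platform SSO profile for an Adobe authentication token"
TIP
Hint: Implement this through the medium of the Adobe Pass Authentication Token Exchange service.
TIP
Pro Tip: Be aware of the code snippet from the "Forward the Adobe request to Platform SSO to obtain the profile" step. The vsaMetadata!.samlAttributeQueryResponse! value represents the SAMLResponse, which needs to be passed to Token Exchange and requires string manipulation and encoding (Base64 encoded and URL encoded afterwards).
Step: "Is Adobe token generated successfully?"
TIP
Hint: Implement this through the medium of the Adobe Pass Authentication Token Exchange successful response, which will be a 204 No Content, indicating that the token was successfully created and is ready to be used for the authorization flows.
Step: "Initiate second screen authentication workflow"
Important: The "second screen authentication workflow" terminology applies to AppleTV, while the "first screen authentication workflow" / "regular authentication workflow" terminology is more appropriate for iPhone and iPad.
TIP
Hint: Implement this through the medium of the Adobe Pass Authentication Registration Code Request, Initiate Authentication and REST API Retrieve Authentication Token or Check Authentication Token services.
TIP
Pro Tip: Follow the steps below for tvOS implementations.
- The application must obtain a registration code and present it to the end user on the 1st device (screen).
- The application must start polling to confirm the authentication state on the 1st device (screen), after the registration code is obtained.
- Another application must initiate the authentication on a 2nd device (screen), when the registration code is presented.
- The application must stop polling on the 1st device (screen) when the authentication token is generated.
TIP
Pro Tip: Follow the steps below for iOS/iPadOS implementations.
- The application must obtain a registration code, which should not be presented to the end user on the 1st device (screen).
- The application must initiate the authentication, using the registration code and a WKWebView or SFSafariViewController component.
- The application must start polling to learn the authentication state on the 1st device (screen), after the WKWebView or SFSafariViewController component closes.
- The application must stop polling on the 1st device (screen) when the authentication token is generated.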
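Step: "Proceed with authorization flows"
Logout
The Video Subscriber Account framework does not provide an API to programmatically log out people who have signed in to their TV provider account at the device system level. Therefore, for the logout to take full effect, the end user must explicitly log out from Settings -> TV Provider on iOS/iPadOS, or Settings -> Accounts -> TV Provider on tvOS. Another option the user has is to withdraw the permission to access the user's subscription information from the specific application settings section (TV Provider access).
TIP
Pro Tip: Follow the steps below for tvOS implementations.
TIP
Pro Tip: Follow the steps below for iOS/iPadOS implementations.
- The application must determine whether the authentication happened as a result of a login through platform SSO, using the "tokenSource" user metadata from the Adobe Pass Authentication service.
- The application must instruct/prompt the user to explicitly log out from Settings -> TV Provider on iOS/iPadOS only if the "tokenSource" value is equal to "Apple".
- The application must initiate the logout from the Adobe Pass Authentication service, using a WKWebView or SFSafariViewController component. This facilitates session clean-up on the MVPD side.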