Comments (2)

onevcat commented on June 15, 2024

Hi,

Thanks for opening this.

About authorization code

The native LINE SDK is not only an SSO login component (LINE Login), but also an API client for using other public LINE APIs. So a main target of this project is providing a self-contained solution for most developers. Making a client authorization code exchange can help those developers who want to use LINE APIs even when they do not own their own server. Also, since the LINE Login in LINE SDK is a "mobile-first" login SSO, it contains more client-oriented secure features, but lacks the notorious client_secret.

You can intercept the authorization code from the URL which LINE Login service returns to you in the app delegate. It should be a URL query parameter under "code" and you can even refer to the LoginProcessURLResponse. However, you still need to expose the state and the PKCE codeVerifier, then send them to your server together to exchange the final token.

About refresh token

Since it might be a bit complicated to use the authorization code on your server, another more realistic way is just leaving the token exchange to LINE SDK, and sending access token and refresh token to your server.

However, sending and storing these tokens (access token or refresh token) is considered a violation of Apple's App Store Review Guidelines:

An app may not store credentials or tokens to social networks off of the device and may only use such credentials or tokens to directly connect to the social network from the app itself while the app is in use.

We have also received some rejection reports on this before, so we recognize sending the LINE access token or refresh token to your server for storage purposes as a "misuse". This is why we marked the refreshToken deprecated and private in the AccessToken type (the access token is left public since it is needed to identify the user for your server).

LINE SDK manages the refreshing automatically. If you really need the refresh token, it would be trivial to fork this repo and change the _refreshToken from private to public. But keep in mind, refreshing the token on your server would lead to an out-of-sync state between the token stored in your app and on your server, so some races might happen if you use LINE's API on both sides.

from line-sdk-ios-swift.
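
The callback handling described in the comment above, sketched as an added example that is not part of the original comment or of LINE SDK's code. It assumes the callback URL carries `state` alongside `code` as a standard OAuth 2.0 redirect does, and that the caller already holds the `state` and PKCE `codeVerifier` used to start the login; `CallbackError`, `CodeExchangeRequest` and `makeExchangeRequest` are hypothetical names.

```swift
import Foundation

enum CallbackError: Error, Equatable {
    case malformedURL
    case providerError(String)
    case stateMismatch
    case missingCode
}

/// Payload the app would POST to its own backend (hypothetical shape).
struct CodeExchangeRequest: Codable, Equatable {
    let code: String
    let codeVerifier: String
}

/// Returns the single value for `name`, or nil if it is absent, empty or repeated.
/// Repeated parameters are rejected so that parser differences between the app
/// and the server cannot be used to smuggle in a second value.
private func singleValue(_ name: String, in items: [URLQueryItem]) -> String? {
    let matches = items.filter { $0.name == name }
    guard matches.count == 1, let value = matches[0].value, !value.isEmpty else { return nil }
    return value
}

/// Validates the login callback URL and builds the payload for the backend.
/// `expectedState` and `codeVerifier` are the values generated when the login
/// request was started (assumed to be available to the caller).
func makeExchangeRequest(callback url: URL,
                         expectedState: String,
                         codeVerifier: String) throws -> CodeExchangeRequest {
    guard let items = URLComponents(url: url, resolvingAgainstBaseURL: false)?.queryItems else {
        throw CallbackError.malformedURL
    }
    if let error = singleValue("error", in: items) {
        throw CallbackError.providerError(error)
    }
    // Check state before using the code: a mismatch means this callback does
    // not belong to the login that this app instance started.
    guard let state = singleValue("state", in: items), state == expectedState else {
        throw CallbackError.stateMismatch
    }
    guard let code = singleValue("code", in: items) else {
        throw CallbackError.missingCode
    }
    return CodeExchangeRequest(code: code, codeVerifier: codeVerifier)
}
```

The resulting payload should only travel to the backend over TLS, and the `codeVerifier` should be discarded on the device once the request has been sent, since the code and verifier together are what the token exchange needs.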

lostllama commented on June 15, 2024

Thank you for your detailed reply. We might look into the intercept route in that case.
