
An authentication framework for Swift.

Stormpath is Joining Okta

We are incredibly excited to announce that Stormpath is joining forces with Okta. Please visit the Migration FAQs for a detailed look at what this means for Stormpath users.

We're available to answer all questions at [email protected].

Turnstile


Turnstile is a security framework for Swift inspired by Apache Shiro. It's used to manage the currently executing user account in your application, whether iOS app or backend web application.

Overview

Turnstile is the easiest way to add authentication to your Swift apps. Currently, the focus is on a great API for backend Swift apps.

Turnstile is split into three projects:

  • Turnstile Core - provides the key components for authentication and security.
  • Turnstile Crypto - tools for generating randomness, hashing, and encrypting data.
  • Turnstile Web - integrations with Facebook, Google, and other helpers useful for backend web applications.

If you're a developer of an application or product and need to integrate Turnstile, read the docs for Turnstile Core. Otherwise, if you're a developer using a Turnstile integration, read the docs for Turnstile Web.

Getting Started

The easiest way to use Turnstile is with one of its prebuilt integrations with Swift web frameworks. Here are the frameworks and their statuses:

Using Turnstile

If you'd like to use Turnstile to build your own integration, it's useful to understand key concepts in Turnstile.

Subject

The Subject represents the currently operating user for your application. You'll use this to interact with Turnstile, and safely check if the current user is authenticated properly.

The Subject API in Turnstile also supports registration; however, this is a convenience for basic use cases. Since different apps have different rules on registration and user management, it's expected that you will most likely write your own registration and user management logic.

Realm

A realm connects Turnstile to your data store, and allows Turnstile to authenticate and register accounts. Included with Turnstile are a MemoryRealm and a WebMemoryRealm; the latter handles username/password pairs as well as Facebook and Google login.

The MemoryRealms store information in memory and are wiped when the application restarts, so they are suitable for development and tests, not for production.

To write your own Realm, you'll need to implement the Realm protocol, which is defined as:

public protocol Realm {
  func authenticate(credentials: Credentials) throws -> Account
  func register(credentials: Credentials) throws -> Account
}

Turnstile provides Credentials objects for common use cases, like UsernamePassword, APIKey, and AccessToken. Feel free to define a custom type as well.

When Turnstile calls the authenticate or register functions, your Realm should check the concrete type of the Credentials value and make sure it's a credential type you support. If not, it should throw UnsupportedCredentialsError().

Afterwards, your Realm should check if the credentials are valid. If not, it should throw IncorrectCredentialsError().

If the credentials are correct, you should then authenticate the user, and return the account object. The account protocol is simple:

public protocol Account {
    var uniqueID: String { get }
}

And voila! You've created your first Realm!
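A Realm that does everything the section above asks, as an added example (not Turnstile's own code): it handles UsernamePassword credentials against an in-memory table of bcrypt hashes, rejects every other credential type with UnsupportedCredentialsError, and answers both "unknown user" and "wrong password" with the same IncorrectCredentialsError after the same amount of hashing work, so neither the error nor the response time reveals which usernames exist. The User type, AccountExistsError, the MagicLink credential and the sample users are constructed here; the member names username/password on UsernamePassword and the BCrypt.hash(password:) / BCrypt.verify(password:matchesHash:) calls into TurnstileCrypto are assumptions about your version's API, not taken from this page.

```swift
import Foundation
import Turnstile
import TurnstileCrypto

// Added example, not Turnstile's own code. Assumes the Turnstile types named in the
// README (Realm, Credentials, Account, UsernamePassword, UnsupportedCredentialsError,
// IncorrectCredentialsError), that UsernamePassword exposes `username` and `password`,
// and TurnstileCrypto's BCrypt.hash(password:) / BCrypt.verify(password:matchesHash:).
// Adapt those names if your version differs.

/// What this realm stores per user: never the plaintext password, only its bcrypt hash.
struct User: Account {
    let uniqueID: String
    let username: String
    let passwordHash: String
}

/// Thrown by register(credentials:) when the username is already taken.
struct AccountExistsError: Error {}

/// A custom credential type this realm deliberately does not support (see "Feel free
/// to define a custom type as well" above); used to show the UnsupportedCredentialsError path.
struct MagicLink: Credentials {
    let token: String
}

final class BCryptRealm: Realm {
    // Constructed in-memory store keyed by lowercased username; a real Realm queries a database.
    private var users: [String: User] = [:]
    private let lock = NSLock()

    // A hash that is verified when the username is unknown, so "no such user" costs the
    // same bcrypt work as "wrong password" and cannot be told apart by timing.
    private let dummyHash = BCrypt.hash(password: "dummy-password-only-for-timing")

    func authenticate(credentials: Credentials) throws -> Account {
        // 1. Only username/password is supported here; anything else is not an error in
        //    the caller's input, it is a credential type this realm does not speak.
        guard let creds = credentials as? UsernamePassword else {
            throw UnsupportedCredentialsError()
        }
        lock.lock(); defer { lock.unlock() }

        // 2. Look the user up but do not return early: always run one bcrypt verification.
        let user = users[creds.username.lowercased()]
        let hashToCheck = user?.passwordHash ?? dummyHash
        let matches = BCrypt.verify(password: creds.password, matchesHash: hashToCheck)

        // 3. One error for both "unknown user" and "wrong password".
        guard let found = user, matches else {
            throw IncorrectCredentialsError()
        }
        return found
    }

    func register(credentials: Credentials) throws -> Account {
        guard let creds = credentials as? UsernamePassword else {
            throw UnsupportedCredentialsError()
        }
        lock.lock(); defer { lock.unlock() }

        let key = creds.username.lowercased()
        guard users[key] == nil else { throw AccountExistsError() }

        // Hash before storing; the plaintext never reaches the store.
        let user = User(uniqueID: UUID().uuidString,
                        username: creds.username,
                        passwordHash: BCrypt.hash(password: creds.password))
        users[key] = user
        return user
    }
}

// Usage (each `try` line exercises one branch of the Realm contract):
// let realm = BCryptRealm()
// let alice = try realm.register(credentials: UsernamePassword(username: "alice", password: "correct horse"))
// let same  = try realm.authenticate(credentials: UsernamePassword(username: "Alice", password: "correct horse"))
// _ = try realm.authenticate(credentials: UsernamePassword(username: "alice", password: "wrong"))   // IncorrectCredentialsError
// _ = try realm.authenticate(credentials: UsernamePassword(username: "nobody", password: "x"))      // IncorrectCredentialsError, same timing
// _ = try realm.authenticate(credentials: MagicLink(token: "abc"))                                   // UnsupportedCredentialsError
```

The distinction between the two error types matters to callers: UnsupportedCredentialsError tells a multi-realm setup to try the next Realm, while IncorrectCredentialsError ends the attempt. Keep the latter identical for every failure reason; a "user not found" variant is an account-enumeration oracle.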

SessionManager

SessionManager is a Turnstile component that manages sessions and persistence for your authentication system. Included with Turnstile is a MemorySessionManager, which keeps sessions in memory (and, like MemoryRealm, loses them on restart).

If you're building your own, you'll need to implement the SessionManager protocol. This is defined as:

public protocol SessionManager {
    /// Creates a session for a given Account object and returns the identifier.
    func createSession(account: Account) -> String
    
    /// Gets the account ID for the current session identifier.
    func restoreAccount(fromSessionID identifier: String) throws -> Account

    /// Destroys the session for a session identifier.
    func destroySession(identifier: String)
}

When an account is authenticated and asks to use the session manager to persist its data, Turnstile calls createSession(account:) and expects the Session Manager to return a Session ID it can later use to restore the account. While you can use whatever you want as a Session ID, it is a bearer token: anything guessable (a counter, a timestamp, a hash of the user ID) lets an attacker take over other users' sessions. We recommend using TurnstileCrypto's Random.secureToken method to generate a random string with 128 bits of entropy.

When a user comes in with the Session ID, Turnstile calls restoreAccount(fromSessionID:) and expects the session manager to return the associated account. Note that this can be a copy cached at login rather than a fresh lookup from the Realm, since you might not want to make a database call on every request. If the session does not exist, the Session Manager should throw InvalidSessionError().

When the user logs out, destroySession(identifier:) should delete the session from the session store.
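An in-memory SessionManager with an idle timeout, as an added example (not Turnstile's own MemorySessionManager): it implements the three protocol methods above, expires a session that has not been seen for a configurable interval and throws InvalidSessionError for expired and unknown IDs alike, and adds a "log out everywhere" helper the protocol does not require. The token source is injected as a closure; the README refers to TurnstileCrypto's secure token as Random.secureToken, and the exact spelling of that call in your version is an assumption here, as are the injectable clock and the ExpiringSessionManager name.

```swift
import Foundation
import Turnstile
import TurnstileCrypto

// Added example, not Turnstile's own code. Assumes the Turnstile protocols named in the
// README (SessionManager, Account, InvalidSessionError). The token generator is passed in
// so the README's Random.secureToken (spelling varies by TurnstileCrypto version) can be
// plugged in at the call site.

/// Sessions live in memory and expire after `idleTimeout` seconds without activity.
final class ExpiringSessionManager: SessionManager {
    private struct Session {
        let account: Account
        var lastSeen: Date
    }

    private var sessions: [String: Session] = [:]
    private let lock = NSLock()
    private let idleTimeout: TimeInterval
    private let generateToken: () -> String
    private let now: () -> Date

    /// - idleTimeout: seconds of inactivity after which the session is invalid.
    /// - generateToken: must return an unguessable string (at least 128 bits of entropy).
    /// - now: the clock, injectable so expiry can be tested deterministically.
    init(idleTimeout: TimeInterval = 30 * 60,
         generateToken: @escaping () -> String,
         now: @escaping () -> Date = { Date() }) {
        self.idleTimeout = idleTimeout
        self.generateToken = generateToken
        self.now = now
    }

    func createSession(account: Account) -> String {
        lock.lock(); defer { lock.unlock() }
        var id = generateToken()
        // A collision is astronomically unlikely with a 128-bit token, but never silently
        // overwrite another user's session if the generator is weaker than promised.
        while sessions[id] != nil { id = generateToken() }
        sessions[id] = Session(account: account, lastSeen: now())
        return id
    }

    func restoreAccount(fromSessionID identifier: String) throws -> Account {
        lock.lock(); defer { lock.unlock() }
        guard var session = sessions[identifier] else { throw InvalidSessionError() }
        let current = now()
        if current.timeIntervalSince(session.lastSeen) > idleTimeout {
            // Expired: drop it so the ID cannot be replayed, then fail exactly like "unknown".
            sessions[identifier] = nil
            throw InvalidSessionError()
        }
        session.lastSeen = current          // sliding expiry: activity extends the session
        sessions[identifier] = session
        return session.account
    }

    func destroySession(identifier: String) {
        lock.lock(); defer { lock.unlock() }
        sessions[identifier] = nil
    }

    /// Not part of the protocol: invalidate every session of one account, e.g. after a
    /// password change or a reported compromise.
    func destroyAllSessions(forAccountID accountID: String) {
        lock.lock(); defer { lock.unlock() }
        for (id, session) in sessions where session.account.uniqueID == accountID {
            sessions[id] = nil
        }
    }
}

// Usage (assumed TurnstileCrypto call; adapt the closure to your version's secure-token API):
// let sessions = ExpiringSessionManager(idleTimeout: 15 * 60, generateToken: { URandom().secureToken })
// let id = sessions.createSession(account: account)
// let restored = try sessions.restoreAccount(fromSessionID: id)    // works until 15 minutes idle
// sessions.destroySession(identifier: id)
// _ = try sessions.restoreAccount(fromSessionID: id)               // throws InvalidSessionError
```

A real deployment would back this with a shared store (so that any backend instance can restore a session) and would also cap the absolute lifetime, not only the idle time; both are drop-in changes to the Session struct and restoreAccount(fromSessionID:).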

Turnstile Web

Turnstile Web provides a number of helpers to make authentication for websites easier. TurnstileWeb includes plugins for external login providers, like Facebook, Google, and Digits.

OAuth2: Authenticating with Facebook or Google

The Facebook and Google login flows look like the following:

  1. Your web application generates a random, unguessable "state" value, saves it (typically in a cookie), and redirects the user to the Facebook / Google login page with that state in the URL. The state ties the eventual callback to the browser that started the login; without it an attacker can forge the callback and log a victim into an account the attacker controls (login CSRF).
  2. The user logs in.
  3. Facebook / Google redirects the user back to your application with an authorization code and the state.
  4. The application checks that the returned state matches the saved one, exchanges the code for a token with Facebook / Google, and logs the user in.

Create a Facebook Application

To get started, you first need to register an application with Facebook. After registering your app, go into your app dashboard's settings page. Add the Facebook Login product, and save the changes.

In the Valid OAuth redirect URIs box, type in a URL you'll use for step 3 in the OAuth process. (eg, http://localhost:8080/login/facebook/consumer)

Create a Google Application

To get started, you first need to register an application with Google. Click "Enable and Manage APIs", and then the credentials tab. Create an OAuth Client ID for "Web".

Add a URL you'll use for step 3 in the OAuth process to the Authorized redirect URIs list. (eg, http://localhost:8080/login/google/consumer)

Initiating the Login Redirect

TurnstileWeb has Facebook and Google objects which let you set up your configured application and log users in. To initialize them, use the client ID (Facebook calls it the App ID) and client secret from your Facebook or Google developer console. Keep the secret out of source control; load it from configuration or the environment:

let facebook = Facebook(clientID: "clientID", clientSecret: "clientSecret")
let google = Google(clientID: "clientID", clientSecret: "clientSecret")

Then, generate a state (you can use Random.secureToken to generate a random string), save it where only this browser can present it back (we recommend a cookie on your user's browser, marked HttpOnly and, in production, Secure), and redirect the user:

// Redirect the user to this URL using your web framework.
// The redirectURL must exactly match a Valid OAuth redirect URI registered in the Facebook dashboard.
facebook.getLoginLink(redirectURL: "http://localhost:8080/login/facebook/consumer", state: state)

Consuming the Login Response

Once the user is redirected back to your application, verify that they've properly authenticated by passing in the state saved in the earlier step together with the full URL the user was redirected to (the callback URL carries the authorization code and the returned state):

let facebookAccount = try facebook.authenticate(authorizationCodeCallbackURL: url, state: state) as! FacebookAccount
let googleAccount = try google.authenticate(authorizationCodeCallbackURL: url, state: state) as! GoogleAccount

These can throw the following errors:

  • InvalidAuthorizationCodeError if the Authorization Code could not be validated
  • APIConnectionError if we cannot connect to the OAuth server
  • InvalidAPIResponse if the server does not respond in a way we expect
  • OAuth2Error if the OAuth server calls back with an error

If successful, it will return a FacebookAccount or GoogleAccount. These implement the Credentials protocol, so they can be passed back into your application's Realm for further validation (for example, to map the provider identity to a local account, or to refuse identities you do not know).
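The four steps wired together around TurnstileWeb's Facebook object, as an added example (not Turnstile's own code; the Google object is used the same way). It shows the part Turnstile leaves to you: minting the state, carrying it in a hardened cookie, refusing a callback that arrives without that cookie, and clearing the cookie once it has been used. Assumed here, beyond what the page states: the cookie name, the randomState closure (plug in Random.secureToken), that getLoginLink returns a URL and authenticate takes the callback URL as a String, and that your web framework gives you the request's cookies and lets you set response headers.

```swift
import Turnstile
import TurnstileWeb

// Added example, not Turnstile's own code. Framework-neutral: the functions return the
// header values to set and take the cookie map the framework parsed for you.
// Assumptions: getLoginLink(redirectURL:state:) returns a URL and
// authenticate(authorizationCodeCallbackURL:state:) takes that URL as a String.

let stateCookieName = "oauth_state"
// Must match a Valid OAuth redirect URI in the Facebook dashboard character for character.
let callbackURL = "http://localhost:8080/login/facebook/consumer"

let facebook = Facebook(clientID: "clientID", clientSecret: "clientSecret")

enum LoginError: Error {
    case missingState        // callback arrived without the cookie set in step 1
}

/// Step 1: mint a state, bind it to this browser with a cookie, build the redirect.
/// `randomState` is the unguessable-token source (e.g. TurnstileCrypto's secure token).
func beginFacebookLogin(randomState: () -> String) -> (location: String, setCookie: String) {
    let state = randomState()
    let location = facebook.getLoginLink(redirectURL: callbackURL, state: state).absoluteString
    // HttpOnly: page scripts cannot read the state.
    // Secure: HTTPS only (the one case to drop it is plain-http localhost during development).
    // SameSite=Lax: still sent on the top-level redirect back from Facebook, withheld on cross-site POSTs.
    // Max-Age: the state is single-use and short-lived; ten minutes covers a slow login.
    let setCookie = "\(stateCookieName)=\(state); Path=/login; HttpOnly; Secure; SameSite=Lax; Max-Age=600"
    return (location, setCookie)
}

/// Steps 3-4: consume the callback. `requestURL` is the full URL the browser arrived at,
/// `cookies` the request's cookies. Returns the new session ID and a header that clears the state cookie.
func finishFacebookLogin(requestURL: String,
                         cookies: [String: String],
                         realm: Realm,
                         sessions: SessionManager) throws -> (sessionID: String, clearCookie: String) {
    // No cookie means nothing ties this callback to a login this browser started, so it is
    // refused even if the URL carries a plausible-looking state (that is the forged-callback case).
    guard let expectedState = cookies[stateCookieName], !expectedState.isEmpty else {
        throw LoginError.missingState
    }
    // Turnstile checks the state in the callback URL against `expectedState` and exchanges the
    // authorization code for a token; the errors listed above propagate to the caller, which
    // should answer with a generic failure rather than echoing provider details.
    let facebookAccount = try facebook.authenticate(authorizationCodeCallbackURL: requestURL,
                                                    state: expectedState)
    // The result is a Credentials value: your Realm decides whether this Facebook identity
    // maps to (or may create) a local account.
    let account = try realm.authenticate(credentials: facebookAccount)
    let sessionID = sessions.createSession(account: account)
    // The state was single-use: expire the cookie so the same value cannot be replayed.
    let clearCookie = "\(stateCookieName)=; Path=/login; HttpOnly; Secure; SameSite=Lax; Max-Age=0"
    return (sessionID, clearCookie)
}

// Usage sketch in a request handler (framework calls are yours to fill in):
// let start = beginFacebookLogin(randomState: { /* Random.secureToken */ "..." })
//   -> set header "Set-Cookie: \(start.setCookie)" and redirect to start.location
// let done = try finishFacebookLogin(requestURL: fullRequestURL, cookies: parsedCookies,
//                                    realm: myRealm, sessions: mySessionManager)
//   -> set the session cookie from done.sessionID and "Set-Cookie: \(done.clearCookie)"
```

Two details are easy to get wrong in step 4: the state must be compared against the value the browser presents in the cookie (never against a value taken from the callback URL itself), and the session cookie issued afterwards needs the same HttpOnly/Secure treatment as the state cookie, because from that point on it is the credential.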

OAuthEcho: Authenticating with Twitter or Digits

The Twitter / Digits login flow looks like the following:

  1. Your application prompts for login with either Twitter or Digits.
  2. The user selects one and logs in.
  3. Digits generates two special headers:
     • X-Auth-Service-Provider: the endpoint the credentials must be verified against
     • X-Verify-Credentials-Authorization: the OAuth authorization header
  4. The application validates the information in the generated headers. At a minimum, the X-Auth-Service-Provider URL must point at the provider's own API host over HTTPS; otherwise an attacker can supply the URL of a server they control that answers with a fabricated account.
  5. The application makes a GET request to the URL in the X-Auth-Service-Provider header, sending the value of X-Verify-Credentials-Authorization as the Authorization header of that request.
  6. The response is validated to authorize the user, and they are logged in.

Create a Digits Application

The easiest way to set up your app with Digits is to use the Fabric app. After you go through the setup, you will be able to access the consumerKey and consumerSecret in the Fabric web interface.

Example implementation

let digits = Digits(consumerKey: "consumerKeyGoesHere")

// Both headers must be present and well-formed before anything is sent anywhere.
guard
    let urlString = request.headers["X-Auth-Service-Provider"],
    let url = URL(string: urlString),
    let authHeader = request.headers["X-Verify-Credentials-Authorization"],
    let oauthParams = OAuthParameters(header: authHeader)
else {
    // Vapor's error response; use your framework's equivalent.
    throw Abort.custom(status: .unauthorized, message: "Bad Digits headers")
}

// OAuthEcho is a Credentials value; Digits performs the echo request and validates the response.
let credentials = OAuthEcho(authServiceProvider: url, oauthParameters: oauthParams)
let account = try digits.authenticate(credentials: credentials) as! DigitsAccount

For an example of Digits in action using Vapor, check out this app.

TurnstileCrypto

Turnstile Crypto has tools to help you build authentication in your apps. Specifically, it can help you use BCrypt hashing in your app, as well as generate secure random numbers. Documentation is in the files themselves.

Tests

Tests are powered by XCTest. To successfully perform the Facebook Login tests, you must have the following environment variables set:

Contributing

We're always open to contributions! Feel free to join the Stormpath slack channel to discuss how you can contribute!

Stormpath

Turnstile is built by Stormpath, an API service for authentication, authorization, and user management. If you're building a website, API, or app, and need to build authentication and user management, consider using Stormpath for your needs. We're always happy to help!
