Hello,
I have an authentication flow where my app communicates with a backend protected by F5 client certificate validation. The client certificate is distributed via MDM and is available in the device keychain, but not accessible directly from the app.
When using ASWebAuthenticationSession (or SFSafariViewController), Safari can successfully pick up and present the certificate during authentication, so that part works fine.
However, the backend’s authenticate endpoint only supports a POST request with an Authorization header, whereas ASWebAuthenticationSession only accepts a GET URL when starting the session.
My questions are:
- How is this type of flow typically implemented in iOS?
- Should the backend provide a GET-based endpoint that redirects into the POST, or is there a recommended iOS pattern (e.g., an intermediate HTML page that does the POST after certificate validation)?
- Are there Apple guidelines on handling certificate-based auth with ASWebAuthenticationSession when the API requires POST, especially for In-House distributed apps?
Any guidance or best practices would be very helpful.