ForgeRock SDKs 3.3

Limitations

This page lists the known issues and limitations of the ForgeRock SDKs.

All platforms

  • The SDKs do not support authentication chains nor modules.

  • The FRUI module is for prototyping your UI, and is not intended for production use, as-is.

  • As of version 3.0, the Identity Providers supported by the SDKs for Social Login are limited to Apple, Facebook, and Google.

Android SDK

  • Displaying CAPTCHAs or using the ForgeRock Authenticator Module in your application requires the presence of the Google Play Services.

  • The Authenticator module of the Android SDK only supports Firebase Cloud Messaging service as a Push Notification provider.

  • Social Login requires AM version 7.1 or the latest version of Identity Cloud.

  • Calling FRUser.logout() will only sign out the session from AM but not the Social Identity Provider. Every subsequent, social login attempt will automatically log in without asking for credentials.

  • Biometric authentication is only supported on Android 7.0 or newer.

  • Biometric authentication requires AM version 7.1 or the latest version of Identity Cloud.

  • Biometric authentication requires the use of Google Play Services.

  • When the biometric dialog (e.g. provide fingerprint) is dismissed, application may become unresponsive.

  • Biometric authentication does not distinguish individual biometrics (fingerprints or faces), but is limited to any registered for the device’s current user account.

  • On some devices, registered biometric credentials (WebAuthn) are reset when a new app is added to the SSO group.

  • As of version 3.0, only platform authenticators can be used for WebAuthn; roaming/USB authenticators, like Yubikey, are not currently supported.

iOS SDK

  • Data encryption with Secure Enclave is only available for iOS 10+ devices with TouchID or FaceID.

  • DeviceCollector customization is only available in Swift.

  • JailbreakDetector customization is only available in Swift.

  • HiddenValueCallback and SuspendedTextOutputCallback are not accessible in Objective-C.

  • FRAuthenticator SDK is only available in Swift.

  • Social Login requires AM version 7.1 or the latest version of Identity Cloud.

  • Calling FRUser.logout() will only sign out the session from AM but not the Social Identity Provider. Every subsequent, social login attempt will automatically log in without asking for credentials.

  • The Google Sign-In SDK is only compatible with CocoaPods (Swift Package Manager is not supported).

  • Sign In With Apple is only supported in iOS 13 and above.

  • Biometric authentication requires AM version 7.1 or the latest version of Identity Cloud.

  • Biometric authentication does not distinguish between individual biometrics (fingerprints or faces), but is limited to the collection of biometrics registered for the device’s current user account.

  • For Biometric authentication, iOS only supports the ES256 signing algorithm, this is configured in the WebAuthn Registration node.

  • For "usernameless" biometric authentication support, "limit registrations" must be disabled within the WebAuthn Registration node.

  • As of version 3.0, only the platform authenticator can be used for WebAuthn; roaming/USB authenticators, like Yubikey, are not supported.

JavaScript SDK

  • When resources are protected by IG, the SDK can only support transactional authorization if AM and IG are on the same origin.

  • FireFox doesn’t support Touch ID as a WebAuthn device on Mac therefore it limits some WebAuthn node configurations.

  • The SDK requires polyfills to function in IE 11 and Legacy Edge.

  • In WebKit for both macOS and iOS, the "Prevent Cross-site Tracking" option, which is enabled by default, can prevent the SDK from functioning when the app and AM are under different origins.

  • Collecting location information requires the user’s system preferences to allow browser access to location information.

  • IndexedDB as a token storage strategy has a known issue with Firefox Private Mode. (Use localStorage as an alternative.)

  • Social login with Apple requires the use of a form POST, so the "Redirect URL" cannot be an SPA as they are unable to handle a POST request; the use of the special AM endpoint explained in Set up social login is recommended.

  • Calling FRUser.logout() will only sign out the session from AM but not the social identity provider. Every subsequent social login attempt will automatically log in without asking for credentials.

Copyright © 2010-2022 ForgeRock, all rights reserved.