I need your suggestion on this particular problem.
I am trying to embed a web-app into flutter mobile using WebView or just say an mobile app in general. That web-app does has the authentication, only users have correct username/password can login.
However, The mobile has the authentication part as well. I dont want users to login 2 times, mobile app then web app, but in the mean time, I dont want users access web-app or mobile app without logging in.
I would like user login to the mobile app and somehow authenticate to access to the web-app as well. I am trying to make this connection secure.
Solution that i am thinking now is that: getting username and password from mobile app. Then pass it to the url of that web-app. and then the Web-app will do the rest.
Any suggestion ? Thank you.
Do NOT put the password into the URL. That has severe security issues- anyone within your company who has access to your http logs will be able to see your user's passwords.
If the web app is being brought up as part of the mobile app it should be easy. When you authenticate, you sent some token down to recognize future requests. Send that token as a header or cookie when you go to the website, and have the web app look for that header and authenticate with that token. Your web app is already doing that via cookies, so if you send the token as a cookie and your web and api servers use the same authentication tokens, you're good.
If the web app is being brought up in an external browser, then you're pretty much out of luck and they'll have to log in twice.
Related
I'm building an application which consists of a mobile client (Android native app) that will connect to my rails application. I need a way for users to signin and signup to my rails app using the android app. So I installed doorkeeper and devise gems on my rails app and followed the instructions here to see how things work. As you can see in the authorization code flow page there are multiple steps such as registering the client, requesting authorization, requesting the access token.
My question is how do I perform all these steps from my android app. Any help is much appreciated. Thanks
For registration (sign up) you can create a method in the user controller that does just that. Or you can customise Devise's sign_up page to look better in a mobile view and do the registration in a webview in the app.
As for Doorkeeper, either follow the usual flow as linked by you or give it a simpler approach. What I did was to
activate the refresh token - this will allow a user to get his access token and his refresh token, token used to regenerate the access token once it expires. This way you don't retain the user's login registration on your app, just the tokens.
white label some apps in config/initializers/doorkeeper.rb by using the skip_authorization to allow auto authorisation of some particular apps. You can allow auto authorisation to all the apps but I'd recommend you just whitelist some of them:
skip_authorization do |client|
whitelisted_apps = ['app1_id', 'app2_id']
whitelisted_apps.include? client.application.uid
end
I hope this helps.
I'm developing a Rails application that use devise as the authentication solution. For web applications, users enter username and password in a form, Rails can render different pages after users signed in.
Now I'd like to use this framework to support mobile app. In this case, the mobile app needs to know whether the user enters correct username and password.
How should devise response to the mobile application, response headers or JSON inside body? Does devise support it?
More tutorials:
http://blog.joshsoftware.com/2011/12/23/designing-rails-api-using-rabl-and-devise/
http://www.strukturedkaos.com/2011/09/19/soup-to-nuts-token-authentication-for-android-using-rails-3-devise/
Make sure to enable/uncomment the following line in devise configuration:
config.token_authentication_key = :auth_token
You need token authentication. Mobile client should have a login form and access the REST API for authentication. If authentication was successful, you will get a token which you need to send with all the subsequent requests in the same session.
http://zyphdesignco.com/blog/simple-auth-token-example-with-devise
http://matteomelani.wordpress.com/2011/10/17/authentication-for-mobile-devices/
I'm currently designing a service that will be half web app, half android app. Each user will need to be able to log in from either the android app or the web app, using an openID account. I'm hoping to target Google first for easiest integration with Android, but I'll also need some OAuth stuff later so that I can integrate with Google contacts.
The bit I'm having trouble with is how to authenticate users. The structure I've planned is that the server (probably using web.py, although that's flexible right now) serves data for the client in JSON, whether the client is the javascript browser client or the android client. However, each call needs to make sure the client is allowed access to that data.
What would be the easiest way to standardise this across the platforms?
Should I be using a session system to authenticate after logging in? Can that be made to work from an Android app? Otherwise, should I simply authenticate with google for every request?
When authenticating from the app, where should the authentication happen, through the server or straight from the app? Where should the auth token be stored in this case? (I'm assuming for a straight webapp the token should just be stored in a table in the user database?)
Sorry for the barrage of questions, but I haven't really found any resources online that clarify these issues very well.
As long as you are using HTTP, the platform doesn't matter. You can use the same form of authentication and/or sessions. The only difference would be that on Andorid you might be able to get an authentication token using the platform's AccountManager, without having to type the username and password in Google's login page.
There's a subtle difference between Authorization (OAuth) and Authentication (OpenId). Make sure you know what you are doing.
Since this issue is about three technologies I'd like to quickly introduce each of them:
node.js: javascript on the server side (consider it my webserver)
PhoneGap: framework that allows me to write Android applications in HTML/Javascript/CSS.
facebook authentication: using everyauth to let my users login with their facebook account
The objective: I need my PhoneGap application to communicate with my server using a REST based protocol. Many of these requests may only be made when the user has logged in to my server, using their Facebook account. Thus, the user needs to login and then go to the logged in state of the PhoneGap application.
The issue: When I setup everyauth for facebook I basically have an URL, like domain.com/auth/facebook which will redirect to Facebook's login "popup". When the user then accepts the login, the server will know, and so far everything is good. The problem is that
the user now has to be redirected to some external URL, while he should simply get back to the PhoneGap application (in a logged-in state)
The PhoneGap app does not retrieve the authentication token, or whether authentication was successful or not, because the login process is done in the external URL domain.com/auth/facebook while the PhoneGap application's HTML is stored on and run from the phone itself
Cause of the issue: the reason this issue appears while it does not for a normal web application, is that the PhoneGap application's HTML files are stored and run from the phone itself while authentication goes through domain.com/auth/facebook, which is considered to be a different domain.
Suggested approach #1: a PhoneGap user has recommended me to use this Android-Facebook plugin for PhoneGap. The issue here is that the server does not act as an authentication middle-man. Thus, the user would have to inform the server of their authentication token instead of the normal approach where the server informs the user of a successful authentication procedure and the corresponding tokens. This seems like a severe vulnerability.
How should I tackle this issue?
With the ChildBrowser plug-in, a PhoneGap app can monitor location changes from the authentication site.
We used this approach to integrate a PhoneGap app with a node.js openid module
I have implemented one solution for Twitter using jsOauth and ChildBrowser (tut./src here) for a PhoneGap / Android app. I know this doesn't include custom registration with a nodejs server; it allows access to Twitter REST only. AFAIK this is the only way to do it currently, that is, have the child browser check each new location to see if it's your app's return-to url, then intervene (close browser window) and go to your own app.
With jsOauth library, the auth token key/secret are stored for you and sent with every request.
Re: security - No expertise here, but discussions conclude this kind of data on one's personal phone are no more at risk than everything else on the phone.
Tut. using PhoneGap / Android Facebook plugin in next on my list. Thanks for link to everyauth!
I have a C/S solution, which take Android as its client and PHP as its server.
I have my own account system.
I'm wondering whether I could provide my user to login my system with Google Account?
I saw there are web-solution for this, like this stackoverflow.com could use Google Account to directly login.
Is there a solution for C/S system?
Not without a web browser.
If the user isn't logged in to google (or any other provider), he has to authenticate with the provider first. This is done via a web browser, and you shouldn't even try doing it in any other way (for security reasons, the user should be sure that he is connected to the provider, for example by seeing the url in his browser).
However, even if the user is logged in, the provider needs to know that -- usually using a cookie. And cookies are stored within a web browser. So in theory, you could parse the browser's cookie file, and then try immediate authentication, but that won't work until you login and authorize the relying party via a web browser first.