I have an ionic application which I'm developing and deploying on an android device. I'm using angular-auth-oidc-client for user authentication in the app. This is the configuration I have:
Note: The sts server and clientId are omitted for the sake of brevity and they are not relevant.
scope: 'openid profile tino_access',
silentRenewUrl: `${window.location.origin}/silent-renew.html`,
responseType: 'code',
postLogoutRedirectUri: window.location.origin,
silentRenew: true,
silentRenewUrl: `${window.location.origin}/silent-renew.html`,
logLevel: LogLevel.Warn,
postLoginRoute: window.location.origin,
useRefreshToken: true,
I know for sure everything is set up properly because when accessing my mobile app on a web page everything works fine and the authentication goes through properly.
However, when deploying on a mobile device (origin is localhost), after accessing the Keycloak login page and entering the login credentials correctly, there is a request made to the STS server which verifies the tokens. I need this to be sent out to the server, but I want my app to function on the localhost domain. If I set the redirectUrl correctly as the server, then it works but the app is no longer the local app, it is only a mirror of the webpage.
I can see this is some mechanism for storing and checking session tokens, but it's clear why it wouldn't work on a mobile device. Does anyone know of a possible solution/workaround?
Thanks
There are differences between web and mobile OAuth, summarized below:
Web UI logins use the same type of browser window on which normal views are rendered, using a HTTPS callback URL
Mobile app logins use a form of the system browser to trigger sign in, and often a Custom URL scheme is used to receive the response
Some tech stacks attempt to use the same solution for web and mobile. This might work in terms of rendering but it will not work in terms of OAuth. Instead, for a mobile app you need to follow the OAuth for Native apps guidance.
The mobile solution is usually called the AppAuth pattern. To get started with it on Android, maybe start with my Android AppAuth Sample Page.
Related
I need your suggestion on this particular problem.
I am trying to embed a web-app into flutter mobile using WebView or just say an mobile app in general. That web-app does has the authentication, only users have correct username/password can login.
However, The mobile has the authentication part as well. I dont want users to login 2 times, mobile app then web app, but in the mean time, I dont want users access web-app or mobile app without logging in.
I would like user login to the mobile app and somehow authenticate to access to the web-app as well. I am trying to make this connection secure.
Solution that i am thinking now is that: getting username and password from mobile app. Then pass it to the url of that web-app. and then the Web-app will do the rest.
Any suggestion ? Thank you.
Do NOT put the password into the URL. That has severe security issues- anyone within your company who has access to your http logs will be able to see your user's passwords.
If the web app is being brought up as part of the mobile app it should be easy. When you authenticate, you sent some token down to recognize future requests. Send that token as a header or cookie when you go to the website, and have the web app look for that header and authenticate with that token. Your web app is already doing that via cookies, so if you send the token as a cookie and your web and api servers use the same authentication tokens, you're good.
If the web app is being brought up in an external browser, then you're pretty much out of luck and they'll have to log in twice.
I have a webapp that is built with Django. It works fine for use on the web, but now I am building a Android app. I am not sure how to go about authenticating the Android app the the Django backend, securely.
This webapp has user profiles. A user can register/login/logout using the web interface. The relevant part of urls.py looks like this:
urlpatterns += patterns('',
url(r'^accounts/login/$', 'django.contrib.auth.views.login', name='login'),
url(r'^accounts/logout/$', 'django.contrib.auth.views.logout', name="logout"),
)
My understanding is that after the user successfully completes accounts/login there is some cookie deposited on the browser which is used for the rest of the connections. Is this correct?
When on an Android device, given a username and password, what is the proper or best way authenticate the user to the Django backend? Do I need to get the cookie like in the browser or is there a better way?
There's a couple of ways you could do authentication, but using the existing Django session support and the cookies it uses is probably the best way.
When you connect to a Django page with the Session Middleware enabled (which you need for login) it'll set a session cookie (generally called 'sessionid', although you can customise that). The users (not) logged in state is stored server-side in a session linked by this session id (unless you're using the cookie-based sessions but's that's an item for another post).
So your Android app can just get the login page, fish out the sessionid (and csrftoken) cookies and then make a post with the username, password, sessionid and csrftoken.
That's the easy way. There's more complex options, which mostly involve making a custom view that spits back JSON and generally starts providing an API for your mobile apps as opposed to make them pretend they're browsers, but that's somewhat more complex on the Django side.
I'm currently developing a web application with Spring Social and Spring Security. In the web application, specific users can signin on Facebook with ProviderSignInController. When staff members authenticate with FB successfully, they are programatically signed in for my local webapp with Spring Security, too. This concept is adapted from the spring-social-showcase. Spring Social then enables authenticated users to create Events, which are also created on a facebook page.
Now i want to write a android app which enables users to post to my guestbook and view/create events via my web application. My question now is how to realize the signin from my andoid app. On my web application, a UsersConnectionRepository maps facebook accounts to local accounts. Can i simply reuse this data and signin from my android app in the exact same way as from the web application?
ProviderSignInController adds a path mapping for http://_webapp_/signin/facebook which redirects to a facebook signin page. Can this simply be done with a WebView on android?
Looking on the spring-android-facebook-client im confused. This example seems to manually manage the OAuth authentication. But i havent figured out yet, whether this is the way to go or just another possibility to implement it, when there is no other web application in the background that already manages the authentication.
Any feedback is welcome. Thanks.
Jeyp
Now i want to write a android app which enables users to post to my
guestbook and view/create events via my web application.
The Android client will need a method to sign in to your web application in order to post to a secured RESTful endpoint, and OAuth is a good method for doing this. Spring Security OAuth is an extension of Spring Security that can allow third party mobile or web clients to interact with your web site.
Once you have an OAuth server configured, you can create a custom provider using Spring Social within your Android client to establish an OAuth connection to your web site. Your users will authenticate to your web site with their local credentials in this case. Once connected, your Android app can then post events to RESTful endpoints within your web site, again using your custom Spring Social API bindings.
In this scenario, your users do not authenticate to Facebook from the Android application. This assumes they have already established an account and a connection to Facebook on your web site. And in fact, this is how the SpringSource Greenhouse reference application works.
This brings us back to a previous part of your question:
When staff members authenticate with FB successfully, they are programatically signed in for my local webapp with Spring Security, too.
If I understand correctly, you are asking to authorize your Android client to access your third-party web site, with Facebook credentials. While this is certainly possible, it is not currently supported through Spring Social and Spring for Android.
Another option is to consider a mobile version of your web site. That way Android and other mobile devices can then simply sign in to your site just like from a normal browser, using their Facebook credentials. The UI would be more appropriate for mobile devices, and it would eliminate the extra complexity of an additional OAuth server/client configuration.
And finally, to address the last part of your question. This is really a separate issue from the previous parts:
This example seems to manually manage the OAuth authentication.
The primary issue is that Spring Social does not yet support Resource Owner Credentials Grant (ROCG). The addition of this feature would simplify the process of obtaining an access token for Facebook on Android, because you would not have to deal with a browser redirection. See this Spring Social issue for more information.
Because of the lack of ROCG, the Spring for Android sample app is illustrating one method for obtaining the access token using Spring Social. In this case, it is a modified version of the client-side authentication flow. For reference, Facebook has a helpful page describing all the available authentication methods. The webview redirects to a url after successful authentication, at which point the app is able to retrieve the access token from this url.
SpringSource is discussing how to simplify authentication and improve this part of the integration between Spring Social and Spring for Android in future releases.
Since this issue is about three technologies I'd like to quickly introduce each of them:
node.js: javascript on the server side (consider it my webserver)
PhoneGap: framework that allows me to write Android applications in HTML/Javascript/CSS.
facebook authentication: using everyauth to let my users login with their facebook account
The objective: I need my PhoneGap application to communicate with my server using a REST based protocol. Many of these requests may only be made when the user has logged in to my server, using their Facebook account. Thus, the user needs to login and then go to the logged in state of the PhoneGap application.
The issue: When I setup everyauth for facebook I basically have an URL, like domain.com/auth/facebook which will redirect to Facebook's login "popup". When the user then accepts the login, the server will know, and so far everything is good. The problem is that
the user now has to be redirected to some external URL, while he should simply get back to the PhoneGap application (in a logged-in state)
The PhoneGap app does not retrieve the authentication token, or whether authentication was successful or not, because the login process is done in the external URL domain.com/auth/facebook while the PhoneGap application's HTML is stored on and run from the phone itself
Cause of the issue: the reason this issue appears while it does not for a normal web application, is that the PhoneGap application's HTML files are stored and run from the phone itself while authentication goes through domain.com/auth/facebook, which is considered to be a different domain.
Suggested approach #1: a PhoneGap user has recommended me to use this Android-Facebook plugin for PhoneGap. The issue here is that the server does not act as an authentication middle-man. Thus, the user would have to inform the server of their authentication token instead of the normal approach where the server informs the user of a successful authentication procedure and the corresponding tokens. This seems like a severe vulnerability.
How should I tackle this issue?
With the ChildBrowser plug-in, a PhoneGap app can monitor location changes from the authentication site.
We used this approach to integrate a PhoneGap app with a node.js openid module
I have implemented one solution for Twitter using jsOauth and ChildBrowser (tut./src here) for a PhoneGap / Android app. I know this doesn't include custom registration with a nodejs server; it allows access to Twitter REST only. AFAIK this is the only way to do it currently, that is, have the child browser check each new location to see if it's your app's return-to url, then intervene (close browser window) and go to your own app.
With jsOauth library, the auth token key/secret are stored for you and sent with every request.
Re: security - No expertise here, but discussions conclude this kind of data on one's personal phone are no more at risk than everything else on the phone.
Tut. using PhoneGap / Android Facebook plugin in next on my list. Thanks for link to everyauth!
I'm working on an app which comprises of a web component and a mobile component -
an end user can access the service directly via the web or via a mobile. I would like to have facebook based authentication for the service.
I have developed a simple facebook javascript SDK based login mechanism for the web interface. The server side determines which user is logged in via the cookies. This works fine.
From the Android side, I'd like the user to be able to log in with their facebook credentials to access services on the server side (not facebook specific services). I would like this to work by having the user present the same cookies with the request as are presented when using the javascript SDK.
Having looked at the documentation, it seems that there are more or less two options:
use the facebook Android libraries to enable the mobile app to directly access facebook
use mobile web to afford login to the services
Neither of the above is really what we want - the first is for direct facebook access from
the Android app and does not really relate to a situation in which there is a web service; the second does not integrate with the native mobile app.
I'm guessing that folks must have done this before - any pointers on how to do this?
TIA,
Seán.
You could always develop your application using PhoneGap? It'll save you a load of time and enable you to use your existing FBC code.
I have the same scenario. I have a JSON service that I would like to call from my Android app but as an authenticated user.
Think about it this way. Normally a web service would have some kind of authentication, not necessarily different for every user. So why not conceptually separate out the authentication with Facebook and the authentication with the web service.
The app controls what a user can do and see and thus controls the authentication. If the login to Facebook fails then the app denies the user access to the service.
On the web service side you could just require an api key which you issue to the app like any other api. This key initialises a session so that each device will have a separate session id but they would all use the same api key. Alternatively the email address provided from Facebook could be used as a username together with the api key to initiate a session.
Any thoughts?