We are using session based authentication and trying to migrate to JWT.
Our app has webview (inside native activity or ViewController), and react-native.
If we only had RN, we could store the tokens in AsyncStorage and be done with it, but I don't see a webview could read data from AsyncStorage .
How can I store tokens so that both webview and RN could use them?
Login process could take place both in webview or RN, but we can make it happen only in one side if it makes things simple.
Related
Current State:
I am implementing oAuth Authentication for a flutter app running android and iOS.
For iOS my Authentication process works perfectly. I want to get the user prompted for his user certificate every login. Therefore I pass the parameter prompt=login when getting the authCode.
On Android the certificate is getting cached in the browser, so the authentication is triggered without selecting a certificate again. Even when sending the prompt=login parameter.
I have used a couple of libraries.
flutter_appauth
flutter inappwebview
oauth2
The main problem is that when I use a webview the browser doesnt bring up the cert picker.
When I use e.g. custom chrome tab like in appauth there is no possibility to clear the custom tabs cache or chromes cache on logout.
When I use system browser like in oauth2 library I have also no control over the cache.
I have also tried implementing java code to access the cookiemanager to clear cache, but this also only accesses webviews.
I have experienced when I kill the browser app after logout the cache is getting deleted and I get prompted again.
Any solution on how I can clear the cache on custom chrome tabs, system browser or implement the webview that it brings up the cert picker?
We have a large site that use cookie for authentication. We're going to have a simple android application for site with little features. The application use JWT for authetication.
We want the application to use through webview to access the site`s full features. When User run the application, first authenticate is done.
Problem: I want when user route to webview from the application change from JWT to Cookie authentication. Is this possible? If you can help?
Site develop by asp.net core 2.0;
I have created an app for Android and iOS. I will now be implementing the create account / user login aspect of the app. I plan on using Amazon Web Services, specifically Amazon DynamoDB for my database. Amazon Web Services has an SDK for iOS and Android that allows you to read and write directly to the DynamoDB fairly easily.
My question is this: from a design point of view and in terms of efficiency, is it better to handle the user login by writing the logic in each app and then reading / writing to the DynamoDB through the SDK or is the better option to create a web interface where the app would do post requests to the web interface which would then communicate with the Amazon DynamoDB?
Thank you!
Always use a web server, for security. Otherwise you have to put your password to access the db in your app- and poof, there goes the security. It would be ok to login via a web service and pass a runtime authentication token down to the app, but you don't want the app to have the login info directly.
I want to access an online music library from my android application to play its music. The music is accessible on a url lets say www.test.com/music.html.
In order to get to this website though you need to login on www.test.com/index.html
In my Android App I don't want to have to login. So how can I bypass the login screen?
I have thought about a persistent cookie that comes with the app, how can I include this into the android application?
Or is there another solution like putting the login information in the post request?
Yes, cookies is right solution in case you use embedded WebView in your app to log-in. You will need to use CookieSyncManager for it, look through this tutorial.
If you perform the log-in by entering username and password to EditText and then sending it to server, then you'd better implement token-based authentication. However, you may simply save user credentials to SharedPreferences, but that's actually a bad practice.
You could give SharedPreferences a try:
http://developer.android.com/guide/topics/data/data-storage.html#pref
Since this issue is about three technologies I'd like to quickly introduce each of them:
node.js: javascript on the server side (consider it my webserver)
PhoneGap: framework that allows me to write Android applications in HTML/Javascript/CSS.
facebook authentication: using everyauth to let my users login with their facebook account
The objective: I need my PhoneGap application to communicate with my server using a REST based protocol. Many of these requests may only be made when the user has logged in to my server, using their Facebook account. Thus, the user needs to login and then go to the logged in state of the PhoneGap application.
The issue: When I setup everyauth for facebook I basically have an URL, like domain.com/auth/facebook which will redirect to Facebook's login "popup". When the user then accepts the login, the server will know, and so far everything is good. The problem is that
the user now has to be redirected to some external URL, while he should simply get back to the PhoneGap application (in a logged-in state)
The PhoneGap app does not retrieve the authentication token, or whether authentication was successful or not, because the login process is done in the external URL domain.com/auth/facebook while the PhoneGap application's HTML is stored on and run from the phone itself
Cause of the issue: the reason this issue appears while it does not for a normal web application, is that the PhoneGap application's HTML files are stored and run from the phone itself while authentication goes through domain.com/auth/facebook, which is considered to be a different domain.
Suggested approach #1: a PhoneGap user has recommended me to use this Android-Facebook plugin for PhoneGap. The issue here is that the server does not act as an authentication middle-man. Thus, the user would have to inform the server of their authentication token instead of the normal approach where the server informs the user of a successful authentication procedure and the corresponding tokens. This seems like a severe vulnerability.
How should I tackle this issue?
With the ChildBrowser plug-in, a PhoneGap app can monitor location changes from the authentication site.
We used this approach to integrate a PhoneGap app with a node.js openid module
I have implemented one solution for Twitter using jsOauth and ChildBrowser (tut./src here) for a PhoneGap / Android app. I know this doesn't include custom registration with a nodejs server; it allows access to Twitter REST only. AFAIK this is the only way to do it currently, that is, have the child browser check each new location to see if it's your app's return-to url, then intervene (close browser window) and go to your own app.
With jsOauth library, the auth token key/secret are stored for you and sent with every request.
Re: security - No expertise here, but discussions conclude this kind of data on one's personal phone are no more at risk than everything else on the phone.
Tut. using PhoneGap / Android Facebook plugin in next on my list. Thanks for link to everyauth!