I am using Django as the backend for my Android app. I have been handling POST requests using the #csrf-exempt annotation on my views, as I wasn't able to deal with CSRF verification while sending POST requests from Android (Volley library).
Now I have to use the django.contrib.auth login and logout methods, but sessions aren't working when I send POST requests from Android.
I tried enabling cookies with my requests in Android, but that also didn't work (enabling cookies also did not solve the "CSRF verification failed" issue). I also tried taking a CSRF token from a GET request to Django (django.middleware.csrf - get_token) and then passing that CSRF token in the headers (X-CSRF-TOKEN) of my POST requests, but that didn't work either.
Code that I used to enable cookies in Android:
// Process-wide cookie store: HttpURLConnection, and Volley on top of it, will now keep and resend cookies
CookieManager manager = new CookieManager();
CookieHandler.setDefault(manager);
So,
1. I don't know how to use Django scripts without using #csrf-exempt from Android.
2. How to use Django login with Android.
Here is a generic response on using Django as a backend: Is it possible to develop the back-end of a native mobile app using the python powered framework Django?
More specifically, this is normally done with a JWT (JSON Web Token): http://www.django-rest-framework.org/api-guide/authentication/#django-rest-auth
I'm sure other REST/API frameworks exist, but I normally use DRF.
Here is an example with a tutorial: Authentication with android app in a django server
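Added example, not code from the question, the answer or Django itself: a Python model of the CSRF check Django's middleware applies to a POST (token masking as in Django 1.10 and later, default CSRF_HEADER_NAME, cookie name csrftoken), run over the client variants described in the question. It assumes an earlier GET already set the csrftoken cookie, and the rejection reasons are paraphrased rather than Django's exact strings; with default settings only the X-CSRFToken header is read, and the cookie must travel with it.

```python
import secrets
import string

CSRF_ALLOWED_CHARS = string.ascii_letters + string.digits
CSRF_SECRET_LENGTH = 32
CSRF_TOKEN_LENGTH = 2 * CSRF_SECRET_LENGTH
CSRF_HEADER_NAME = "HTTP_X_CSRFTOKEN"  # Django's default: the X-CSRFToken request header

def new_csrf_secret() -> str:
    return "".join(secrets.choice(CSRF_ALLOWED_CHARS) for _ in range(CSRF_SECRET_LENGTH))

def mask_secret(secret: str) -> str:
    """64-char token: a random mask followed by the secret shifted by that mask. Every
    get_token() call re-masks, so two tokens differ yet unmask to the same secret."""
    mask = new_csrf_secret()
    pairs = zip(map(CSRF_ALLOWED_CHARS.index, secret), map(CSRF_ALLOWED_CHARS.index, mask))
    return mask + "".join(CSRF_ALLOWED_CHARS[(x + y) % len(CSRF_ALLOWED_CHARS)] for x, y in pairs)

def unmask_token(token: str) -> str:
    mask, cipher = token[:CSRF_SECRET_LENGTH], token[CSRF_SECRET_LENGTH:]
    pairs = zip(map(CSRF_ALLOWED_CHARS.index, cipher), map(CSRF_ALLOWED_CHARS.index, mask))
    return "".join(CSRF_ALLOWED_CHARS[(x - y) % len(CSRF_ALLOWED_CHARS)] for x, y in pairs)

def wsgi_meta_key(header: str) -> str:
    """request.META key for a header: X-CSRFToken -> HTTP_X_CSRFTOKEN, X-CSRF-TOKEN -> HTTP_X_CSRF_TOKEN."""
    return "HTTP_" + header.upper().replace("-", "_")

def csrf_check(cookies: dict, headers: dict) -> str:
    """Return 'ok' or the (paraphrased) reason the CSRF middleware rejects a POST."""
    cookie_token = cookies.get("csrftoken", "")
    if len(cookie_token) != CSRF_TOKEN_LENGTH or set(cookie_token) - set(CSRF_ALLOWED_CHARS):
        return "CSRF cookie not set."
    meta = {wsgi_meta_key(k): v for k, v in headers.items()}
    request_token = meta.get(CSRF_HEADER_NAME, "")
    if len(request_token) != CSRF_TOKEN_LENGTH or set(request_token) - set(CSRF_ALLOWED_CHARS):
        return "CSRF token missing or incorrect."
    if not secrets.compare_digest(unmask_token(request_token), unmask_token(cookie_token)):
        return "CSRF token missing or incorrect."
    return "ok"

def android_post_outcomes() -> dict:
    """The client variants from the question, after a GET that set the csrftoken cookie."""
    secret = new_csrf_secret()
    cookies = {"csrftoken": mask_secret(secret)}  # stored and replayed by CookieManager
    token = mask_secret(secret)  # token obtained from get_token() during the GET
    return {"cookies_only": csrf_check(cookies, {}),
            "wrong_header_name": csrf_check(cookies, {"X-CSRF-TOKEN": token}),
            "no_cookie_sent": csrf_check({}, {"X-CSRFToken": token}),
            "cookie_and_header": csrf_check(cookies, {"X-CSRFToken": token})}
```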
Related
I need to implement the hybrid code auth flow in a React Native application to authenticate with an OpenID Connect Identity Provider. Specifically, the IdP expects code id_token as the response type.
I used react-native-app-auth and the underlying OpenID AppAuth-Android libraries, but they do not currently support this flow - see issues #75 and #218. They only support a single response type such as "code" or "token". Because of this, I am getting an error from the IdP saying Unauthorized Client. I am sending the proper scopes.
Steps I have taken so far:
Modified the react-native-app-auth source code for Android to set the response type - tried giving space-separated values (code id_token), a URL-encoded string (code%20id_token), and a stringified JSON array ("['code', 'id_token']"). This did not work.
Used a webview to log in - I could not extract the final tokens from the web page; they are stored in session storage and I need to take them out into the app. The process is also a bit complex for my use case, as I need to watch multiple flows after authentication and need some parameters returned in the auth response.
As a final step, I am modifying the official Android library for OpenID Connect clients, OpenID AppAuth Android. I will try to give that as the dependency for react-native-app-auth.
How can I implement the hybrid code flow in a React Native app? Any help is highly appreciated.
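Added example, not from the question or from react-native-app-auth/AppAuth: a Python model of the hybrid exchange, with the authorization request carrying response_type=code id_token and the checks the app must make on the fragment response (state, id_token signature, iss/aud, nonce, and the c_hash that binds the code to the id_token) before exchanging the code. It assumes a constructed IdP that signs with HS256 and a shared key in place of a real IdP's RS256 key, and placeholder issuer, client_id and redirect_uri values.

```python
import base64
import hashlib
import hmac
import json
import secrets
from urllib.parse import parse_qs, urlencode, urlsplit

def b64url(data: bytes) -> str: return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def b64url_decode(text: str) -> bytes: return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def build_authorization_url(authz_endpoint: str, client_id: str, redirect_uri: str):
    """Hybrid request: response_type is the space-separated pair 'code id_token'
    (urlencode sends it as code+id_token; %20 is equivalent), plus fresh state and nonce."""
    state, nonce = b64url(secrets.token_bytes(16)), b64url(secrets.token_bytes(16))
    params = {"response_type": "code id_token", "client_id": client_id, "redirect_uri": redirect_uri,
              "scope": "openid profile", "state": state, "nonce": nonce}
    return f"{authz_endpoint}?{urlencode(params)}", state, nonce

def c_hash(code: str) -> str:
    """OIDC Core 3.3.2.11: base64url of the left half (16 of 32 bytes) of SHA-256(code) for *S256 algs."""
    return b64url(hashlib.sha256(code.encode("ascii")).digest()[:16])

def simulate_idp_redirect(state, nonce, client_id, issuer, redirect_uri, key: bytes) -> str:
    """Constructed IdP: a code plus an HS256-signed id_token bound to it through c_hash (shared key, not RS256)."""
    code = b64url(secrets.token_bytes(24))
    header = b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    claims = {"iss": issuer, "aud": client_id, "sub": "user-1", "nonce": nonce, "c_hash": c_hash(code)}
    payload = b64url(json.dumps(claims).encode())
    sig = b64url(hmac.new(key, f"{header}.{payload}".encode(), hashlib.sha256).digest())
    frag = urlencode({"code": code, "id_token": f"{header}.{payload}.{sig}", "state": state})
    return f"{redirect_uri}#{frag}"  # hybrid responses come back in the URL fragment

def validate_hybrid_response(redirect_url, expected_state, expected_nonce, client_id, issuer, key):
    """Checks the app must make before exchanging the code: state, signature, iss/aud, nonce, c_hash."""
    frag = {k: v[0] for k, v in parse_qs(urlsplit(redirect_url).fragment).items()}
    if frag.get("state") != expected_state:
        raise ValueError("state mismatch")
    code, id_token = frag["code"], frag["id_token"]
    header, payload, sig = id_token.split(".")
    expected_sig = hmac.new(key, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected_sig, b64url_decode(sig)):
        raise ValueError("id_token signature invalid")
    claims = json.loads(b64url_decode(payload))
    if claims.get("iss") != issuer or claims.get("aud") != client_id:
        raise ValueError("id_token not issued for this client by this IdP")
    if claims.get("nonce") != expected_nonce:
        raise ValueError("nonce mismatch (replayed id_token)")
    if not hmac.compare_digest(claims.get("c_hash", ""), c_hash(code)):
        raise ValueError("c_hash mismatch: code is not bound to this id_token")
    return code, claims
```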
I am developing an Android native application integrated with an IBM MobileFirst backend.
I have an issue with some operations that require custom authentication with a predefined realm, for example ("testAuthRealm"),
and when I call any operation that requires authentication and the user is not authenticated, it returns a response with some details:
WL version: 7.1
Anyway, I can detect from the response that the user is not authenticated,
but I think this is not a good way to check authentication.
My inquiry:
Is there any supported method from the MF SDK to check user authorization for a realm?
Is it good to check authorization from the response?
Please advise.
If you request a protected resource, the server response will contain the authorization status required (based on your custom authenticator implementation). This server response would kick off the challenge handling procedure in your client application. This is by design. Refer to the Custom Authentication documentation. This way you need not separately check the authorization status yourselves and then try to log in.
Is there any supported method from the MF SDK to check user authorization for realm?
You can consider one of the following APIs in the client SDK:
a) isAuthorizationRequired
b) getUserIdentity
c) getLoginName
d) getUserName
Is that good to check authorization from the response?
Challenge handling at the client will depend on the status of authorization (from the server response). Based on this status, you either handle the challenge or allow access. So, you need to check and verify the server response to complete the authentication flow.
Is it possible to use the Android Account Manager with cookie-based authentication? How (code with an explanation would be much appreciated)?
I have seen many examples regarding authentication tokens, but that is not the case here. I have just implemented cookie-based authentication on Python Flask.
Note: I'm using Android Volley for the application's requests.
All you need to do is add this line in onCreate in your Application class:
CookieHandler.setDefault(new CookieManager());
This line will make your HttpUrlConnection hold cookies like a browser, and since most HTTP agents like Volley or OkHttp are based on HttpUrlConnection, they will also hold your cookies.
I have a JHipster project with JWT authentication, but I can't get it to work outside the webapp. I'm currently developing an Android application, and the authentication process is getting harder than I expected.
Basically, I'm sending the parameters of the LoginDTO to UserJwtController#authorize ('/api/authenticate'). At first I was getting Unauthorized, both on Android and in Postman (I'm using it to test the requests).
If I change '/api' to permitAll, I'm getting 405, Request method 'POST' not supported.
EDIT
It was a typo on Android :/
It works fine for me against /api/authenticate, so either you use the wrong URL (e.g. /api/authorize) or your JSON payload is wrong. The only issue you could have is with CORS. You should consider testing with curl, as it is easier than Postman for reporting here what you really do, and the curl options are already built for you in the JHipster swagger page.
I'm building a native Android app with Worklight 6.0.0.1 and having trouble connecting to our production Worklight Server.
The server is fronted by a DataPower appliance that handles authentication and requires us to send a particular cookie on any call to the Worklight Server.
We tried using addGlobalHeader("Cookie", "cookie-name=cookievalue") to set this cookie, but found that using this API does not play nicely with the cookies that Worklight itself uses to manage its session.
The cookie header is properly set for the initial request to Worklight, and Worklight responds with a challenge and sets JSESSIONID and WL_PERSISTENT_COOKIE.
Then, when the Android API answers this challenge, we see 2 Cookie headers being sent in the follow-up request, which violates norms for HTTP headers.
Cookie: JSESSIONID=<...>;WL_PERSISTENT_COOKIE=<...>
Cookie:
Oddly, if I go through a TCPMon proxy to inspect the traffic, I can connect successfully, but if I go directly against the DataPower address, it doesn't see the header and fails to reach Worklight.
What is the correct way to inject a cookie so my cookie goes into a single cookie header along with all of the other cookies that Worklight wants?
addGlobalHeader will add headers; it was not designed for cookies. If you need to set cookies, I'd suggest trying Android's CookieStore. Create your cookie with all the relevant params (value/url/expiry etc.) and add it to the CookieStore:
http://developer.android.com/reference/org/apache/http/client/CookieStore.html