We have a large site that use cookie for authentication. We're going to have a simple android application for site with little features. The application use JWT for authetication.
We want the application to use through webview to access the site`s full features. When User run the application, first authenticate is done.
Problem: I want when user route to webview from the application change from JWT to Cookie authentication. Is this possible? If you can help?
Site develop by asp.net core 2.0;
Related
I need your suggestion on this particular problem.
I am trying to embed a web-app into flutter mobile using WebView or just say an mobile app in general. That web-app does has the authentication, only users have correct username/password can login.
However, The mobile has the authentication part as well. I dont want users to login 2 times, mobile app then web app, but in the mean time, I dont want users access web-app or mobile app without logging in.
I would like user login to the mobile app and somehow authenticate to access to the web-app as well. I am trying to make this connection secure.
Solution that i am thinking now is that: getting username and password from mobile app. Then pass it to the url of that web-app. and then the Web-app will do the rest.
Any suggestion ? Thank you.
Do NOT put the password into the URL. That has severe security issues- anyone within your company who has access to your http logs will be able to see your user's passwords.
If the web app is being brought up as part of the mobile app it should be easy. When you authenticate, you sent some token down to recognize future requests. Send that token as a header or cookie when you go to the website, and have the web app look for that header and authenticate with that token. Your web app is already doing that via cookies, so if you send the token as a cookie and your web and api servers use the same authentication tokens, you're good.
If the web app is being brought up in an external browser, then you're pretty much out of luck and they'll have to log in twice.
We are having two application one is deployed in web and secured using msal now we have made another mobile app and we want to access that web application in android mobile app. After successfully authenticating android mobile app i launch web application. It again ask for sign in.
I tried to pass the MSAL Access token in header to webview where website url is loading but nothing changed it again requested for sign in.
Is there a way i can pass MSAL android access token to Web application and access it without again sign in request?
App is in development
Smartphone (please complete the following information):
Pixel
Android 11
-Chrome
2.0+
Stacktrace
No Stack trace.
To Reproduce
Login in mobile app. Open any web app which is msal secured in webview. Pass the access token. even after being part of sso that webapp is asking again sign in
I am using ASP.NET WEB API 2.2 framework for my service layer. Individual accounts and external Facebook login features are enabled. And i try to use this restful service from my Android native application.
My first question is how can i use current authenticated facebook account at mobile device for my login mechanism. How can i get current logged in Facebook user and his/her datas like profile picture, finally send these datas to the restful service.
Second one is: if user is not authenticated in Facebook at his/her mobile device, should i redirect to Facebook login page. If yes, how can manage this workflow processes(open facebook user enters username and password, after logged in redirecting to my own native application, etc.).
In terms of service later(or web browser cookie authentication) there is no problem for Facebook authentication. However, there is lack of information, tutorials for Android Native Application login through Facebook.
Using Facebook Authentication in Android can be tackled by importing the Facebook SDK in our Android Project. After completing this import process, Facebook SDK now can supply access token.
However, there is not much enough tutorial, how can we use this Facebook access token for getting Owin bearer token from our ASP.NET WEB API 2.2 system.
In ASP.NET WEB API 2.2 template's apiaccountcontroller class there is lots of methods, how can we use them properly?
Is there a sample application which I can refer for SAML interactions on Android?
Anyone successfully ported/used OpenSAML on Android ?
I am trying to write a simple app which would (instead of browser redirection) use native APIs to carry out SAML authentication.
Also some pointers to test environment where I can test SAML clients would help.
If you need to authenticate your mobile app users against a SAML 2.0 IDP, then you would NOT build this into Android (or iOS). Best practice would be to have your mobile app use OAuthv2 and exchange a SAML Response generated by the IDP for your local SP/AS OAuth token. Essentially, the application would launch the WebView browser w/in your application to carry out the SAML Web SSO profile which would result in your AS giving your mobile app an OAuth token. It's not required to use OAuth in this type of scenario, but it will add security & standard support to your mobile application.
Ping Identity [Note: I do work for Ping] has done a ton of work to make SAML/OAuth quick and easy for SaaS Providers to implement (over 250 SaaS Providers and growing). Check out https://www.pingidentity.com/products/pingfederate/secure-mobile-access.cfm
HTH =-
Ian
I'm currently developing a web application with Spring Social and Spring Security. In the web application, specific users can signin on Facebook with ProviderSignInController. When staff members authenticate with FB successfully, they are programatically signed in for my local webapp with Spring Security, too. This concept is adapted from the spring-social-showcase. Spring Social then enables authenticated users to create Events, which are also created on a facebook page.
Now i want to write a android app which enables users to post to my guestbook and view/create events via my web application. My question now is how to realize the signin from my andoid app. On my web application, a UsersConnectionRepository maps facebook accounts to local accounts. Can i simply reuse this data and signin from my android app in the exact same way as from the web application?
ProviderSignInController adds a path mapping for http://_webapp_/signin/facebook which redirects to a facebook signin page. Can this simply be done with a WebView on android?
Looking on the spring-android-facebook-client im confused. This example seems to manually manage the OAuth authentication. But i havent figured out yet, whether this is the way to go or just another possibility to implement it, when there is no other web application in the background that already manages the authentication.
Any feedback is welcome. Thanks.
Jeyp
Now i want to write a android app which enables users to post to my
guestbook and view/create events via my web application.
The Android client will need a method to sign in to your web application in order to post to a secured RESTful endpoint, and OAuth is a good method for doing this. Spring Security OAuth is an extension of Spring Security that can allow third party mobile or web clients to interact with your web site.
Once you have an OAuth server configured, you can create a custom provider using Spring Social within your Android client to establish an OAuth connection to your web site. Your users will authenticate to your web site with their local credentials in this case. Once connected, your Android app can then post events to RESTful endpoints within your web site, again using your custom Spring Social API bindings.
In this scenario, your users do not authenticate to Facebook from the Android application. This assumes they have already established an account and a connection to Facebook on your web site. And in fact, this is how the SpringSource Greenhouse reference application works.
This brings us back to a previous part of your question:
When staff members authenticate with FB successfully, they are programatically signed in for my local webapp with Spring Security, too.
If I understand correctly, you are asking to authorize your Android client to access your third-party web site, with Facebook credentials. While this is certainly possible, it is not currently supported through Spring Social and Spring for Android.
Another option is to consider a mobile version of your web site. That way Android and other mobile devices can then simply sign in to your site just like from a normal browser, using their Facebook credentials. The UI would be more appropriate for mobile devices, and it would eliminate the extra complexity of an additional OAuth server/client configuration.
And finally, to address the last part of your question. This is really a separate issue from the previous parts:
This example seems to manually manage the OAuth authentication.
The primary issue is that Spring Social does not yet support Resource Owner Credentials Grant (ROCG). The addition of this feature would simplify the process of obtaining an access token for Facebook on Android, because you would not have to deal with a browser redirection. See this Spring Social issue for more information.
Because of the lack of ROCG, the Spring for Android sample app is illustrating one method for obtaining the access token using Spring Social. In this case, it is a modified version of the client-side authentication flow. For reference, Facebook has a helpful page describing all the available authentication methods. The webview redirects to a url after successful authentication, at which point the app is able to retrieve the access token from this url.
SpringSource is discussing how to simplify authentication and improve this part of the integration between Spring Social and Spring for Android in future releases.