We are developing a native Android app that has its own user login mechanism. We have the backend on Azure and have developed APIs through Easy APIs and Easy Tables. Access to these APIs will happen only through the native app, and we want to authenticate that by using some sort of certificate- or token-based mechanism. I had a look at the Azure documents, which left me confused. Does anyone have any suggestions or pointers?
I recommend that you leverage a token-based mechanism, and modify your mechanism to return a standard JWT token, because the Mobile Apps SDKs for both server and client have several predefined authentication functionalities or middlewares (refer to https://azure.github.io/azure-mobile-apps-node/module-azure-mobile-apps_src_express_middleware_authenticate.html for more).
And here is a post about custom authentication on Azure Mobile Apps, which may give you some help or hints.
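The token-based approach the answer recommends, as an added example that is not part of the original answer and not the Azure Mobile Apps SDK's own code: a minimal HS256 JWT issuer and verifier in Python using only the standard library. The demo key, issuer name and claim set are constructed for the example; in the Node backend the answer refers to, the linked authenticate middleware occupies the place of verify_token here. The verifier pins the algorithm, compares the signature in constant time and checks expiry, which are the three things a backend must get right before trusting any claim in the token.

```python
# Added example: minimal HS256 JWT issue/verify on the standard library only.
# Not the Azure Mobile Apps SDK's code; the key and issuer below are constructed.
import base64
import hashlib
import hmac
import json
import time
from typing import Optional

# Constructed demo key. In a deployment it comes from server-side configuration,
# is long and random, and is never shipped inside the APK.
DEMO_SECRET = b"constructed-demo-signing-key-replace-me"
ISSUER = "native-app-backend"  # hypothetical issuer name


def b64url_encode(data: bytes) -> str:
    """Base64url without padding, as JOSE requires."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def b64url_decode(text: str) -> bytes:
    """Reverse of b64url_encode; re-adds the stripped padding."""
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def issue_token(user_id: str, secret: bytes, ttl_seconds: int = 3600,
                now: Optional[int] = None) -> str:
    """Return a signed JWT for user_id that expires ttl_seconds from now."""
    now = int(time.time()) if now is None else now
    header = {"alg": "HS256", "typ": "JWT"}
    payload = {"iss": ISSUER, "sub": user_id, "iat": now, "exp": now + ttl_seconds}
    signing_input = ".".join(
        b64url_encode(json.dumps(part, separators=(",", ":")).encode("utf-8"))
        for part in (header, payload)
    )
    signature = hmac.new(secret, signing_input.encode("ascii"), hashlib.sha256).digest()
    return signing_input + "." + b64url_encode(signature)


def verify_token(token: str, secret: bytes, now: Optional[int] = None) -> Optional[dict]:
    """Return the claims if the token is authentic and unexpired, else None."""
    now = int(time.time()) if now is None else now
    try:
        header_b64, payload_b64, sig_b64 = token.split(".")
        header = json.loads(b64url_decode(header_b64))
        signature = b64url_decode(sig_b64)
    except (ValueError, TypeError):
        return None
    # Pin the algorithm: "none", or an asymmetric alg that would treat our secret
    # as a public key, is rejected before the signature is even looked at.
    if not isinstance(header, dict) or header.get("alg") != "HS256":
        return None
    expected = hmac.new(secret, f"{header_b64}.{payload_b64}".encode("ascii"),
                        hashlib.sha256).digest()
    # Constant-time comparison so timing does not leak how many bytes matched.
    if not hmac.compare_digest(expected, signature):
        return None
    try:
        claims = json.loads(b64url_decode(payload_b64))
    except (ValueError, TypeError):
        return None
    exp = claims.get("exp") if isinstance(claims, dict) else None
    if not isinstance(exp, int) or exp <= now or claims.get("iss") != ISSUER:
        return None
    return claims


if __name__ == "__main__":
    t = issue_token("alice", DEMO_SECRET, ttl_seconds=60)
    print(t)
    print(verify_token(t, DEMO_SECRET))
```

The app sends the token as `Authorization: Bearer <token>` on every call to the Easy API/Easy Table endpoints; the server verifies it and takes the user identity from `sub`, never from anything else the client sends.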
I own a WordPress-based website and am trying to write an Android app for it.
I already tried to check out WordPress's open source Android app, but couldn't figure it out.
I want to implement OAuth 2.0 login for the app. Does WordPress have built-in support for OAuth 2.0? How can I implement it on the client and server side? Do I need to use a 3rd-party plugin, and is it safe to use plugins?
Does WordPress have built-in support for OAuth 2.0?
Yes, please refer to this link: https://wordpress.org/plugins/oauth2-provider/
How can I implement it on the client and server side?
For the server side, please refer to: https://developer.wordpress.com/docs/oauth2/
For the client side, you can use a well-known library like Retrofit to connect to your server. The link above also provides examples of what the client side should do.
Do I need to use a 3rd-party plugin, and is it safe to use plugins?
Yes, WordPress needs a plugin for this. Just pick a well-known plugin and you will be safe.
Your WordPress website needs an OAuth2 server plugin. This is our premium product: https://lana.codes/product/lana-passport/
You can try it with the demo, and there is also detailed documentation for it.
The OAuth2 server plugin provides the authentication server that is connected to the WordPress user system. It also provides the /authorize, /token and /resource endpoints, to which the client can connect and generate a token, and then use the token to access user data. The Android app will need to connect to these endpoints.
Basically, the Authorization Code grant type should be used for this purpose, because it also provides the WordPress login interface if you are not logged in and need to identify yourself. This is the most user-friendly and most popular grant type.
But it is possible that in the case of an Android app it is more beneficial to use the User Credentials grant type.
It is completely safe to use. We pay a lot of attention to security.
However, we also found serious vulnerabilities in several other OAuth plugins:
https://lana.codes/lanavdb/0bab7575-45fc-432d-945e-6100c35c574c/ (CVE-2022-2083)
https://lana.codes/lanavdb/12bb3c02-45f1-4ce8-8a5a-8b44352cf7fc/ (CVE-2022-2133)
https://lana.codes/lanavdb/6d794d65-d44b-4099-94c5-3dd2995b218c/ (CVE-2022-34149)
I have both mobile apps (Android/iOS) and a website that need to sign in using LinkedIn.
On the website, using OAuth is working OK, so no issues there.
The issue I'm having is related to "Sign In" using the mobile SDK, because I need to send an access token to my website server in order to identify that the user is connected and authorized via LinkedIn.
According to the documentation (https://developer.linkedin.com/docs/android-sdk-auth):
Mobile vs. server-side access tokens
It is important to note that access tokens that are acquired via the Mobile SDK are only usable with the Mobile SDK, and cannot be used to make server-side REST API calls. Similarly, access tokens that you already have stored from your users that authenticated using a server-side REST API call will not work with the Mobile SDK.
So I see no way of using both solutions (web and integrated) in this scenario. If I use a WebView on mobile to connect to the app and sync with my website server, the user experience is not very nice (the WebView does not sync cookies, the user has to authenticate in a strange way, and it does not take advantage of having the LinkedIn app installed on the mobile).
Does anyone know how to solve such a scenario? Thanks!
Yes. It's ok.
Authenticating with the Mobile SDK for iOS
Mobile vs. server-side access tokens
It is important to note that access tokens that are acquired via the Mobile SDK are only usable with the Mobile SDK, and cannot be used to make server-side REST API calls. Similarly, access tokens that you already have stored from your users that authenticated using a server-side REST API call will not work with the Mobile SDK.
Presently, there is no mechanism available to exchange them. If you require tokens that can be used in both the mobile and server-side environment, you will need to implement a traditional OAuth 2.0 solution within your iOS environment to acquire tokens that can be leveraged in both situations.
I want:
a central OAuth2 server which will hold all user accounts and provide a platform for user account management
multiple services which will connect to the central OAuth2 server to verify users. Each service will have web and mobile applications (iOS, Android)
I followed the spring-boot-oauth tutorial and have a client that connects to the server for credentials using a redirect. This works fine for browsers, but I wish to be able to log in directly in native apps. I think using grant_type=password should solve the problem, but I cannot find a good description of how to approach this.
Should I send the token request directly to the central server for the refresh token, or should I proxy it through each application service?
Is there any way to check on the native app whether the user is already logged in to the central server from the device, or do I always need to send the login/password? I'm aware that I could develop a separate application to which I would redirect the user for verification, but for user-experience and time-efficiency reasons I would like to avoid it.
If you are thinking of native mobile apps on Android and iOS, then I would recommend looking at these libraries...
https://openid.github.io/AppAuth-iOS/
https://openid.github.io/AppAuth-Android/
These libraries allow you to use the implicit or authorization code flows, avoiding the grant_type=password flow, which makes it more difficult to get single sign-on.
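The Authorization Code grant recommended for the WordPress plugin earlier on this page and the code flow the AppAuth libraries implement have, for a native app, the same shape: a public client that cannot keep a secret proves possession of the authorization code with PKCE (RFC 7636), which is what lets the code flow replace grant_type=password without ever sending the user's password to the app. The following is an added example, not AppAuth's code and not any plugin's code; the client_id, the custom-scheme redirect URI and the in-process authorization server are constructed for the demo. It simulates both sides and shows why a code stolen from the redirect cannot be redeemed, and why a code is single-use and short-lived.

```python
# Added example: Authorization Code grant with PKCE, both sides simulated in-process.
# Not AppAuth's or any OAuth2 plugin's code; names and endpoints are constructed.
import base64
import hashlib
import hmac
import secrets
import time
from typing import Callable, Dict, Optional

CODE_LIFETIME_SECONDS = 60  # authorization codes are short-lived and single-use


def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def s256_challenge(verifier: str) -> str:
    """code_challenge = BASE64URL(SHA256(ASCII(code_verifier))), RFC 7636 4.2."""
    return b64url(hashlib.sha256(verifier.encode("ascii")).digest())


class NativeClient:
    """The mobile app: a public client that cannot hold a client secret."""
    client_id = "android-app-constructed"               # constructed
    redirect_uri = "com.example.app:/oauth2redirect"   # constructed custom scheme

    def __init__(self) -> None:
        # A fresh high-entropy verifier for every authorization request (RFC 7636 4.1).
        self.code_verifier = b64url(secrets.token_bytes(32))
        self.code_challenge = s256_challenge(self.code_verifier)


class ToyAuthorizationServer:
    """Stand-in for the /authorize and /token endpoints of the server-side plugin."""

    def __init__(self, now: Callable[[], float] = time.time) -> None:
        self._pending: Dict[str, dict] = {}
        self._now = now

    def authorize(self, client_id: str, redirect_uri: str, code_challenge: str,
                  code_challenge_method: str, authenticated_user: str) -> str:
        """Called once the user has logged in on the server's own login page.
        Returns the authorization code that travels back through redirect_uri."""
        if code_challenge_method != "S256":
            raise ValueError("only S256 is accepted; 'plain' offers no protection")
        code = secrets.token_urlsafe(32)
        self._pending[code] = {
            "client_id": client_id,
            "redirect_uri": redirect_uri,
            "code_challenge": code_challenge,
            "user": authenticated_user,
            "issued_at": self._now(),
        }
        return code

    def token(self, code: str, client_id: str, redirect_uri: str,
              code_verifier: str) -> Optional[dict]:
        """Exchange code + verifier for an access token; None on any mismatch."""
        record = self._pending.pop(code, None)  # pop: each code is redeemable once
        if record is None:
            return None
        if record["client_id"] != client_id or record["redirect_uri"] != redirect_uri:
            return None
        if self._now() - record["issued_at"] > CODE_LIFETIME_SECONDS:
            return None
        # The proof of possession: only the party that generated the verifier can
        # present one hashing to the challenge registered at /authorize, so a code
        # intercepted on the redirect is worthless on its own.
        if not hmac.compare_digest(s256_challenge(code_verifier), record["code_challenge"]):
            return None
        return {"access_token": secrets.token_urlsafe(32), "token_type": "Bearer",
                "expires_in": 3600, "sub": record["user"]}


def run_flow(server: ToyAuthorizationServer, client: NativeClient, user: str) -> dict:
    """Happy path: authorize, then redeem the code with the matching verifier."""
    code = server.authorize(client.client_id, client.redirect_uri,
                            client.code_challenge, "S256", user)
    token = server.token(code, client.client_id, client.redirect_uri, client.code_verifier)
    return {"code": code, "token": token}


if __name__ == "__main__":
    print(run_flow(ToyAuthorizationServer(), NativeClient(), "alice"))
```

With a real server the authorize step is the system browser (or a custom tab) showing the login page, and the code arrives via the custom-scheme redirect; the app then posts code and code_verifier to the token endpoint over TLS. Nothing in the app needs a client secret, which is the property that makes this safe to ship in an APK where grant_type=password would not be.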
Is there a sample application which I can refer for SAML interactions on Android?
Has anyone successfully ported/used OpenSAML on Android?
I am trying to write a simple app which would (instead of browser redirection) use native APIs to carry out SAML authentication.
Also, some pointers to a test environment where I can test SAML clients would help.
If you need to authenticate your mobile app users against a SAML 2.0 IDP, then you would NOT build this into Android (or iOS). Best practice would be to have your mobile app use OAuthv2 and exchange a SAML Response generated by the IDP for your local SP/AS OAuth token. Essentially, the application would launch the WebView browser w/in your application to carry out the SAML Web SSO profile which would result in your AS giving your mobile app an OAuth token. It's not required to use OAuth in this type of scenario, but it will add security & standard support to your mobile application.
Ping Identity [Note: I do work for Ping] has done a ton of work to make SAML/OAuth quick and easy for SaaS Providers to implement (over 250 SaaS Providers and growing). Check out https://www.pingidentity.com/products/pingfederate/secure-mobile-access.cfm
HTH =-
Ian
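The exchange Ian describes, SAML Web SSO in a WebView followed by the app's own authorization server minting an OAuth token from the SAML Response, hinges on what that server checks before it issues anything. The block below is an added example, not Ping's or any product's code: the condition checks a token endpoint must make on an assertion (status, issuer, validity window, audience) before it maps the subject to a local access token. The entity IDs, the sample Response and the token store are constructed. It assumes the XML signature on the Response and Assertion has already been verified by an XML-DSig library in front of it; without that step none of these checks mean anything, since the content is then attacker-controlled.

```python
# Added example: post-signature checks on a SAML 2.0 Response and exchange of the
# subject for a local bearer token. Constructed sample data; not any vendor's code.
import secrets
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta, timezone
from typing import Optional

NS = {"samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
      "saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
SUCCESS = "urn:oasis:names:tc:SAML:2.0:status:Success"

SP_ENTITY_ID = "https://sp.example.test/saml/metadata"   # constructed
IDP_ENTITY_ID = "https://idp.example.test/saml/idp"      # constructed

# Constructed, unsigned sample. A real Response carries ds:Signature elements
# that must be verified (and the signed assertion matched) BEFORE this code runs.
SAMPLE_RESPONSE = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_r1" Version="2.0"
    IssueInstant="2024-05-01T12:00:00Z" Destination="https://sp.example.test/saml/acs">
  <saml:Issuer>https://idp.example.test/saml/idp</saml:Issuer>
  <samlp:Status><samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/></samlp:Status>
  <saml:Assertion ID="_a1" Version="2.0" IssueInstant="2024-05-01T12:00:00Z">
    <saml:Issuer>https://idp.example.test/saml/idp</saml:Issuer>
    <saml:Subject>
      <saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress">alice@example.test</saml:NameID>
    </saml:Subject>
    <saml:Conditions NotBefore="2024-05-01T11:59:00Z" NotOnOrAfter="2024-05-01T12:05:00Z">
      <saml:AudienceRestriction>
        <saml:Audience>https://sp.example.test/saml/metadata</saml:Audience>
      </saml:AudienceRestriction>
    </saml:Conditions>
  </saml:Assertion>
</samlp:Response>"""


def parse_saml_time(value: str) -> datetime:
    """SAML uses UTC xs:dateTime; this accepts the whole-second 'Z' form."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def validate_assertion(xml_text: str, now: datetime, sp_entity_id: str = SP_ENTITY_ID,
                       idp_entity_id: str = IDP_ENTITY_ID) -> Optional[str]:
    """Return the NameID if every condition holds, otherwise None."""
    try:
        root = ET.fromstring(xml_text)
    except ET.ParseError:
        return None
    status = root.find("samlp:Status/samlp:StatusCode", NS)
    if status is None or status.get("Value") != SUCCESS:
        return None
    assertions = root.findall("saml:Assertion", NS)
    if len(assertions) != 1:          # exactly one assertion; ambiguity is a failure
        return None
    assertion = assertions[0]
    if assertion.findtext("saml:Issuer", default="", namespaces=NS).strip() != idp_entity_id:
        return None
    conditions = assertion.find("saml:Conditions", NS)
    if conditions is None:
        return None
    not_before, not_on_or_after = conditions.get("NotBefore"), conditions.get("NotOnOrAfter")
    if not_before is None or not_on_or_after is None:
        return None
    # Validity window is half-open: NotBefore <= now < NotOnOrAfter. Add a small
    # skew allowance here if IdP and SP clocks are not tightly synchronised.
    if now < parse_saml_time(not_before) or now >= parse_saml_time(not_on_or_after):
        return None
    audiences = [a.text.strip() for a in
                 conditions.findall("saml:AudienceRestriction/saml:Audience", NS) if a.text]
    if sp_entity_id not in audiences:  # assertion was minted for someone else
        return None
    name_id = assertion.findtext("saml:Subject/saml:NameID", default="", namespaces=NS).strip()
    return name_id or None


def exchange_for_access_token(xml_text: str, now: datetime, token_store: dict) -> Optional[dict]:
    """The AS side of the exchange: valid assertion in, opaque local bearer token out."""
    subject = validate_assertion(xml_text, now)
    if subject is None:
        return None
    access_token = secrets.token_urlsafe(32)
    token_store[access_token] = {"sub": subject, "expires_at": now + timedelta(hours=1)}
    return {"access_token": access_token, "token_type": "Bearer", "expires_in": 3600}


if __name__ == "__main__":
    store = {}
    print(exchange_for_access_token(SAMPLE_RESPONSE, parse_saml_time("2024-05-01T12:01:00Z"), store))
```

For XML that arrives from the network, parse with defusedxml rather than the bare ElementTree shown here, so entity-expansion payloads are refused before any of this logic runs.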
I'm currently designing a service that will be half web app, half Android app. Each user will need to be able to log in from either the Android app or the web app, using an OpenID account. I'm hoping to target Google first for the easiest integration with Android, but I'll also need some OAuth stuff later so that I can integrate with Google Contacts.
The bit I'm having trouble with is how to authenticate users. The structure I've planned is that the server (probably using web.py, although that's flexible right now) serves data for the client in JSON, whether the client is the JavaScript browser client or the Android client. However, each call needs to make sure the client is allowed access to that data.
What would be the easiest way to standardise this across the platforms?
Should I be using a session system to authenticate after logging in? Can that be made to work from an Android app? Otherwise, should I simply authenticate with google for every request?
When authenticating from the app, where should the authentication happen, through the server or straight from the app? Where should the auth token be stored in this case? (I'm assuming for a straight webapp the token should just be stored in a table in the user database?)
Sorry for the barrage of questions, but I haven't really found any resources online that clarify these issues very well.
As long as you are using HTTP, the platform doesn't matter. You can use the same form of authentication and/or sessions. The only difference would be that on Android you might be able to get an authentication token using the platform's AccountManager, without having to type the username and password into Google's login page.
There's a subtle difference between Authorization (OAuth) and Authentication (OpenId). Make sure you know what you are doing.