Is there a sample application which I can refer for SAML interactions on Android?
Anyone successfully ported/used OpenSAML on Android ?
I am trying to write a simple app which would (instead of browser redirection) use native APIs to carry out SAML authentication.
Also some pointers to test environment where I can test SAML clients would help.
If you need to authenticate your mobile app users against a SAML 2.0 IDP, then you would NOT build this into Android (or iOS). Best practice would be to have your mobile app use OAuthv2 and exchange a SAML Response generated by the IDP for your local SP/AS OAuth token. Essentially, the application would launch the WebView browser w/in your application to carry out the SAML Web SSO profile which would result in your AS giving your mobile app an OAuth token. It's not required to use OAuth in this type of scenario, but it will add security & standard support to your mobile application.
Ping Identity [Note: I do work for Ping] has done a ton of work to make SAML/OAuth quick and easy for SaaS Providers to implement (over 250 SaaS Providers and growing). Check out https://www.pingidentity.com/products/pingfederate/secure-mobile-access.cfm
HTH =-
Ian
Related
I have an android native app as client and spring boot service in the backend with REST endpoints. I want to know the best possible strategy for authentication with oAuth2 (without the social login approach).
I am currently using spring oauth security & have an authorization server up and running(user signs up with email & password). I use the grant type "password" to get access tokens in the android app. However, this approach requires the android app to send the client ID & secret in the request. I read a few posts which suggest that this grant type is not ideal. I dont mind receiving the user's password, but i think storing the client secret in the app is not a good approach.
Another approach would be to use the Authorization Code grant flow, but in this case since i only have a native app & backend APIs, i dont know how to authorize the user. It doesn't seem like a seamless experience for users to see a browser page asking them to authorize the app. Which doesnt make sense also because this is no third party app.
I found a post where people suggest using Authorization Code flow with PKCE. But this apparently doesn't yet work with spring.
So, now i am left wondering how other native mobile apps, handle authentication? Do they not use access token? How best can i support authentication when dealing with a mobile app & spring backend?
Spring Security OAuth supports password and authorization_code flows without the client secret, meaning a "public client". Since you own the Authorization Server and the native app and you are okay with the native app taking credentials, it's reasonable to have your native app use a public client with the password grant type.
If you decide that your native app shouldn't take credentials, though, then PKCE is the current best practice. Using the authorization_code flow with a public client is the recommended alternative to PKCE:
In the time since the spec was originally written, the industry best practice has changed to recommend using the authorization code flow with no secret for native apps.
And this would mean, as you mentioned, jumping out to a browser.
I have both mobile apps (android/ios) and a website that needs to sign in using linkedin.
On the website, using OAuth is working ok, so no issues there.
The issue I'm having is related to "Sign In" using the mobile SDK, because I need to send an access token to my website server in order to identify that the user is connected and authorized via linkedin.
According to the documentation ( https://developer.linkedin.com/docs/android-sdk-auth )
Mobile vs. server-side access tokens
It is important to note that access tokens that are acquired via the Mobile SDK > are only useable with the Mobile SDK, and cannot be used to make server-side
REST API calls.
Similarly, access tokens that you already have stored from your users that
authenticated using a server-side REST API call will not work with the Mobile
SDK.
So I see no way of using both solutions (web and integrated) in this scenario. If I use a WebView on mobile to connect to the app and sync with my website server, the user experience is not very nice (the webview does not sync cookies, the user has to authenticate in a strange way and does not take advantage of having the LinkedIn app installed on the mobile.
Anyone knows how to solve such a scenario? Thanks!
Yes. It's ok.
Authenticating with the Mobile SDK for iOS
Mobile vs. server-side access tokens
It is important to note that access tokens that are acquired via the
Mobile SDK are only usable with the Mobile SDK, and cannot be used to
make server-side REST API calls. Similarly, access tokens that you
already have stored from your users that authenticated using a
server-side REST API call will not work with the Mobile SDK.
Presently, there is no mechanism available to exchange them. If you require tokens that can be used in both the mobile and server-side
environment, you will need to implement a traditional OAuth 2.0
solution within your iOS environment to acquire tokens that can be
leveraged in both situations.
I want:
central oauth2 server which will hold all user accounts and will provide platform for user account management
multiple services which will connect to central oauth2 server to verify user. Each service will have Web and mobile applications (iOS, Android)
I followed spring-boot-oauth tutorial and have client that connects to server for credentials using redirect. This works fine for browsers, but I wish to be able to login directly in native apps. I think using grant_type=password should solve the problem, but I can not find good description how to approach this.
Should I send token request directly to central server for refresh token, or should I proxy it through each application service?
Is there any way to check on native app if user is already logged in central server from device, or do I always need to send login/password? I'm aware that I could develop separate application to which I will redirect user for verification, but for user-experience and time-efficient reasons I would like to avoid it.
If you are thinking of native mobile apps on Android and iOS, then I would recommend looking at these libraries...
https://openid.github.io/AppAuth-iOS/
https://openid.github.io/AppAuth-Android/
These libraries allow you to use implicit or code authorization flows, avoiding the grant_type=password flow which makes it more difficult to get single sign on.
We are developing a native android app that had its own user login mechanism. We have the backend on azure and have developed APIs through easy api and easy table. Access to these apps will happen only through the native app, and we want to authenticate that by using some sort of certificate or token based mechanism. I had a look at the azure documents, which left me confused. Any one has any suggestions or pointers?
I recommend that you can leverage token based mechanism. And you can make some modifications to let your mechanism to return JWT standard token. Because both Mobile App's SDK for server or for client, has predefined several authentication functionalities or middlewares (refer to https://azure.github.io/azure-mobile-apps-node/module-azure-mobile-apps_src_express_middleware_authenticate.html for more).
And here is a post about custom authentication on Azure Mobile Apps, which maybe can give you any help or hints.
I'm currently developing a web application with Spring Social and Spring Security. In the web application, specific users can signin on Facebook with ProviderSignInController. When staff members authenticate with FB successfully, they are programatically signed in for my local webapp with Spring Security, too. This concept is adapted from the spring-social-showcase. Spring Social then enables authenticated users to create Events, which are also created on a facebook page.
Now i want to write a android app which enables users to post to my guestbook and view/create events via my web application. My question now is how to realize the signin from my andoid app. On my web application, a UsersConnectionRepository maps facebook accounts to local accounts. Can i simply reuse this data and signin from my android app in the exact same way as from the web application?
ProviderSignInController adds a path mapping for http://_webapp_/signin/facebook which redirects to a facebook signin page. Can this simply be done with a WebView on android?
Looking on the spring-android-facebook-client im confused. This example seems to manually manage the OAuth authentication. But i havent figured out yet, whether this is the way to go or just another possibility to implement it, when there is no other web application in the background that already manages the authentication.
Any feedback is welcome. Thanks.
Jeyp
Now i want to write a android app which enables users to post to my
guestbook and view/create events via my web application.
The Android client will need a method to sign in to your web application in order to post to a secured RESTful endpoint, and OAuth is a good method for doing this. Spring Security OAuth is an extension of Spring Security that can allow third party mobile or web clients to interact with your web site.
Once you have an OAuth server configured, you can create a custom provider using Spring Social within your Android client to establish an OAuth connection to your web site. Your users will authenticate to your web site with their local credentials in this case. Once connected, your Android app can then post events to RESTful endpoints within your web site, again using your custom Spring Social API bindings.
In this scenario, your users do not authenticate to Facebook from the Android application. This assumes they have already established an account and a connection to Facebook on your web site. And in fact, this is how the SpringSource Greenhouse reference application works.
This brings us back to a previous part of your question:
When staff members authenticate with FB successfully, they are programatically signed in for my local webapp with Spring Security, too.
If I understand correctly, you are asking to authorize your Android client to access your third-party web site, with Facebook credentials. While this is certainly possible, it is not currently supported through Spring Social and Spring for Android.
Another option is to consider a mobile version of your web site. That way Android and other mobile devices can then simply sign in to your site just like from a normal browser, using their Facebook credentials. The UI would be more appropriate for mobile devices, and it would eliminate the extra complexity of an additional OAuth server/client configuration.
And finally, to address the last part of your question. This is really a separate issue from the previous parts:
This example seems to manually manage the OAuth authentication.
The primary issue is that Spring Social does not yet support Resource Owner Credentials Grant (ROCG). The addition of this feature would simplify the process of obtaining an access token for Facebook on Android, because you would not have to deal with a browser redirection. See this Spring Social issue for more information.
Because of the lack of ROCG, the Spring for Android sample app is illustrating one method for obtaining the access token using Spring Social. In this case, it is a modified version of the client-side authentication flow. For reference, Facebook has a helpful page describing all the available authentication methods. The webview redirects to a url after successful authentication, at which point the app is able to retrieve the access token from this url.
SpringSource is discussing how to simplify authentication and improve this part of the integration between Spring Social and Spring for Android in future releases.