I have a MVC application that I would like to port at least a small part of it to a mobile app (android first). My first objective was to try to figure out how to authenticate the users.
It seems that forms based authentication uses cookies and that is not usable by mobile apps? Definitive confirmation would be appreciated.
But it seemed that you could do some form of authentication using a WCF service to create a token. Now I found a lot of sites that discussed how to create and secure the service end point but none really discussed the token generation.
Then quite by accident I stumbled upon WIF and the usersecuritytoken, which seems to what I am looking to accomplish.
So if some could please confirm this is where I need to be looking so I can actually get back to coding rather than reading I would appreciate it.
The way I see this working is:
Secure WCF service.
Using the System.IdentityModel it generates a token for a valid user and passes it back to the mobile app.
Then the app passes the token along anytime a service requiring privilege is called. For example updating the user's profile.
Is that how it is suppose to work? If not could you please point me to an example of how it is suppose to work.
One other question, looking at the WIF site it seems to provide a lot of token types, what is the preferred type for android and iOS?
UPDATE As it was pointed out it would be helpful if I provided more context.
The original website is a MVC3 web app.
I am attempting to write an app for some of the backend administration features using mono touch.
WCF seems to be a bad solution for cross platform and a package called ServiceStack is what I am now leaning towards for my web services. ServiceStack has its own authentication module but it does not interface with the .net membershipprovider which is an issue since the web app was designed with the membership provider.
I have to be overthinking this. It can't be this complicated to have an android or iphone app securely authenticate to a .net membership provider through some form of web service.
Thank you in advance,
Chris
Related
Please forgive my (perhaps naive) question, I am still a beginner!
I have a website on asp.net core that is essentially a CRUD website. There are some Razor pages and some controllers. When the user is logged in, they can create and update the data they own (through javascript and said controllers).
Login is organised via Cognito's built-in UI. I redirect the user to it with the [Authorize] attribute on certain controller actions. The token (I think this is what it's called?) coming from Cognito is automatically stored in the browser cookie and is passed between the browser and the backend (controllers and Razor pages). In the backend controllers and Razor pages, I have very convenient methods like User.IsAuthenticated(), and can get claims and fetch cognito:username and similar fields.
The website is working well enough.
I am now working on native mobile apps (Android and iOS), and I am wondering how to deal with authorisation in them as well. I want the user to have the same experience in the mobile app as on the website: they would log into the mobile app and see and edit the data they created earlier on the website, and vice versa. I'm not sure how to implement this correctly. I see several options:
Option 1. Use the AWS amplify framework in the apps. I am sure it will work nicely; but how will I then pass the token to my backend controllers? Asp.net core needs it to build this User object, I understand. I think asp.net core stores it in the cookie appropriately named .AspNetCore.Cookies, but I'm not sure as to its format and whether it'll stay stable in the next releases?..
I'm currently reading about JWT bearer tokens, maybe that's the thing that should be used instead of .AspNetCore.Cookies?..
Option 2. I could "pretend" that the mobile app is the same as the browser and send exactly the same requests as my web frontend does. I suppose this sounds very complex - I'd need to store cookies, follow redirects (to the cognito built-in ui, for example) - I don't know if there is a built-in mechanism? However, in this case the app doesn't have anything to do with cognito, talks only with my backend, and is just following redirects. AppAuth states that Authorizing the user occurs via the user's web browser, so perhaps it can be used here?
Perhaps there are other options that I overlooked; I'm almost sure there is a simple solution I just can't see at the moment. Sorry it's all over the place, this is a very new topic for me. Thank you in advance!
I am to build an android app that needs a central cloud storage (along with some server coding). My app is somewhat in the footsteps of
https://play.google.com/store/apps/details?id=com.justyo
I mean i should be able to store a login and registration (possibly FB login in the future too). Then, i will also have to maintain and fetch users' 'friends' in the app along with a status (that can be changed any time by the friends).
I am not new with android dev. I also know ample amount of web development. However, i don't know the approach to this kind of an app that is to use some server side code and online db for android.
I have search a lot on the internet and have found a bunch of stuff, but i am just not getting the confidence as to which approach is what i need here.
Is there something pre-built and given by Google themselves?
Do i have to by a domain, deploy a hidden (UI-less) web service and access it through the android app?
is there a free option out there by google?
Is there a sample demonstration android app out there?
I don't need the code or anything. I am just confused; afraid of starting off in the wrong direction. Please answer so it is easy to understand.
Thank you in advance :)
There is the Google Cloud Platform, specifically App Engine. You can read the Docs here.
You dont't need to register a domain to use the platform. Yes, you will need to deploy a (not necessary UI-less) web service to the cloud, accessed from the Android client through endpoints. Additionally, the service is free up to certain limits.
Sample apps are available for deployment once you create a project from here.
Forgive me, but this is a vague question:
I am wanting to build an Android and iOS application to interact with my web application.
For example: Within my Android and iOS app, I am wanting to authenticate the users through my current web application, which currently is Laravel 4.2. The only tutorial I can find (which I'm sure is out of date) is - TutsPlus
My question is, do you have any more recent tutorials on web authentication (registering users with their tokens) / push notifications (sent from a server) etc... The script I can see on the above example is both vulnerable to MYSQL injection and has a lack of SSL.
Many thanks for your help in this. I know there is no right and wrong answer, this is mainly just for guidance for someone starting out in mobile development!
Try using HttpClient
Appcelerator has an example in there.
In essence, you're posting to the same URL as your web page, or another with a more mobile appropriate response
As for SQL injection, you can perform basic validation yourself, but remember for Http requests, clients can be bypassed, which is why you want your validation to be server side
I'm developing a standard Azure .NET cloud service with a sql backend. The sql db holds various bits of information including username and password details. I've a .NET app that communicates with Azure using message encryption over WCF using a custom username/password validator. Also I've got two mobile apps written for Android and iOS which currently use some web services I've defined in an small .asmx file (legacy code to enable the mobile apps to easily call the API). I was wanting to add authentication into the mobile apps, but am slowly sinking under the weight of information :)
I had thought Azure mobile services were the way to go (meaning I would have to rewrite the .asmx file using custom API presumably) but this only seems to offer authentication against identity providers like Google, Facebook etc. Ideally I'd want to use our sql backend as an identity provider, but have read various articles saying this is very tricky to do. In fact one article suggested using a commercial solution called Auth0.
I'm not averse to commercial solutions, but really just wondered what the simplest approach to this should be. Azure mobile services or something else?
Any help steering me in the right direction would be great.
You can do "custom" authentication using your own database as the identity provider if you want to but as noted it does require a bit of work (at least more than just turning on Facebook / Twitter / etc). I have two articles that explain how to set up custom auth using Mobile Services here:
http://chrisrisner.com/Authentication-with-Windows-Azure-Mobile-Services
http://chrisrisner.com/Custom-Authentication-with-Azure-Mobile-Services-and-PikShare
The second link provides information on simplifying the scripts involved as well as using the custom API functionality of Mobile Services to handle registration / logging in. For the most part these scripts can be dropped into your mobile service. However, since you have an existing database you'll want to connect your Mobile Service to, you may run into issues making sure the table structures match up with what Mobile Services expect. You may need to massage your schema / create a table specifically for your Mobile Service with the necessary user information if adding the existing table doesn't work right away.
I am trying to write an app that will have a web interface for business owners who can select a specific Android mobile app user via querying a database and then have either the website or database(a little unsure about how this would work) push information to the queried user's phone to create a notification for them via the app.
I have never created an app like this and the connection between the website, the database, and the mobile app on a user's phone are all a mystery to me. I've searched the Android developer website and cannot find anything that will accurately explain how to do this, and have also Google'd the topic without much luck.
All I ask is for someone to point me in the right direction to place the pieces together, any information you can provide would be greatly appreciated, thanks!
Your solution will almost certainly involve Google Cloud Messaging.
Implementing GCM will involve a server in which all devices are registered with a central service. So you are half way there once you have GCM implemented. Well perhaps more so, almost everything you mentioned is basically just GCM.
http://developer.android.com/guide/google/gcm/index.html
For this you can use PHP programming to interact with the website.
Refer Android App interaction with Web
and also
Android App Development and Web Server Interactions
These links will be useful.Good luck..