I have my app's authentication running over an IFrame (it reuses an already functional structure shared by other systems based on the web browser, and it MUST BE done this way). The iframe works just fine in all the environments (Android and iOS, emulators and devices), so we are good with it running that way.
My problem is: on the web systems, the auth process sends back an Apache session/cookie which tells the browser that a user is already authenticated, and all other systems that share the same auth protocol just know the users are good to go without another 'sign in' process. When the user closes the browser, those session/cookies are cleared, and when another window tries to access our system again, a new sign-in form is presented for us to make a new login. I need to reproduce this "cleaning" in my app but I don't know what, exactly, to clean.
I've already tried the cache clearing methods available but nothing seems to do the trick I need.
Any clues?
PS: If I go to the device's settings and clear all the app's data from there, I can make it work, but it is not a good way from the UX perspective.
Thanks in advance!
We are adding modern authentication (OAuth/OIDC) to an application that currently uses Windows integrated authentication for single sign on. The user signs into the Windows workstation and those credentials can be used by many applications, with authentication happening transparently over Kerberos.
Our app is a .NET web services based application, and we have a client for users with browsers and a desktop client in WinForms. The browser scenario is no issue, as the identity provider stores information in the browser that can be reused across applications in a similar way to WIA (IWA), but we are unsure of the best way to handle the WinForms desktop application case. Currently the WinForms application opens a browser window to authenticate using the typical browser based method. The details from the identity provider are passed through the browser back to the WinForms app using a redirect and a custom protocol based URL.
This all works fine, but the user experience is not super tight and, for the case where the user is already logged in, requires them to press a button in the browser window as current Chromium based browsers seem unwilling to do a redirect without a recent user interaction.
Is there a better way?
The standard options according to RFC8252 are as you describe:
Log in via the system browser
Use either a loopback or private scheme based URL
I have a few blog posts about this and it is a tricky flow. The posts link to code examples you can run that explore the UX a little. You may find that a loopback URL avoids the need for a button click, though personally I think private scheme based URLs are cleaner.
There are UX things you can do, such as an interstitial web page to better control what happens in the disconnected browser. I have seen companies redirect to their own website after desktop logins, to make the UX better.
In the longer term I expect this to be replaced with API Driven OAuth Flows so that you never need to leave the app. For now you may have to live with some UX limitations, but it is the right flow from a security viewpoint.
I want to move my AngularJS web app to an Ionic hybrid app. I have done a lot of work already; however, I am confused on the "autologin" topic. There is a lot of different information on the internet, and the official docs are a bit unclear to me.
The scenario I am looking for is standard - on first launch the user creates an account and logs in, and the next time he opens the app he is already logged in.
A lot of resources suggest using localStorage. However, there is some threat that it is not safe because iOS can clean localStorage.
So if that is not a good option, what is? Cookies?
I have spent hours reading and testing different approaches but am, well, even more confused than ever. It seems to me that for such an important feature of a hybrid app there should be a good implementation... Would appreciate any help/suggestions/examples/links...
My ultimate goal would be that, once authorized, the user can access and manipulate his profile data even in offline mode. That means that opening the app already logs him in and his profile info is stored as well.
My minimum viable goal would be that when the app is opened, the app recognizes the user, marks him as logged in, redirects to the logged-in state and makes an HTTP request to get all user details. While the user is waiting for that response there are loading spinners, but he can start to use the logged-in app experience.
I am working on a Cordova Ionic app, where I have stored the token in localStorage. But it's not a good process. Have a look at Google Firebase. They have a good solution for you.
I thought of using localStorage as it will support PC browsers as well as mobile applications, but I am not sure whether it will serve my purpose or not.
localStorage is the way to go. It persists information without an expiration date, presumably forever, or until the user uninstalls the app or erases the application data. Check out the w3schools documentation for some good examples to get started.
What's the best way to implement authentication for a mobile app that will be secure and also won't annoy the user by asking to authenticate every time the app starts? In other words, for the first time after installing the mobile app, the user needs to register/login, and after that the app always works without asking for authentication.
Native mobile applications ask for credentials when using the app for the first time, but subsequently they don't require login. The app just starts and tries to connect to a data network (wifi, 3G, etc.); if it finds the data network then it loads the latest data, else it uses the data that it was able to fetch the last time it could access the data network. Also, the app is able to reconnect automatically when the data network is available and fetch the latest data without user intervention.
I tried to develop similar features using a Meteor mobile app (accounts-password, useraccounts:core, useraccounts:ionic); however, the app quite frequently times out and asks for re-login every time the data network is lost. Sometimes it even hangs on the login screen and the only way out is to kill the app. The behavior seems very similar to a web app, where a session id is created and has an idle timeout, or forces login when the internet connection has issues.
Any tips on how to store the credentials on first login and use them subsequently, and also a good way of handling the data network when disconnects are frequent?
Frameworks:
1. Meteor Platform
2. Ionic with AngularJS
3. ngCordova
Code Structure:
1. Common directory, containing all the meteor method calls and schema definitions (simple schema).
2. Application files are organized as per guidelines (client,server, resources).
One of the solutions I found on stackoverflow:
Send the UDID or MAC address with the initial login details to your server. Create a unique token for this user/UDID (or MAC) combination and send it back (encrypted) to the device if username/pass is successful. On subsequent access, the device sends the encrypted token and UDID/MAC (over a secure connection) for re-authentication.
If you want to put paranoid people at ease about tracking UDID, you could instead use the UDID/MAC to salt the encrypted token; this won't be as secure, but should still do the job.
Appreciate your help, thank you!
Firstly, just letting you know I have searched a fair bit here and I am aware of some of the other questions on this topic but none answer my question.
The authentication of the Local GAE differs from the appspot deploy and I need it not to with minimal work-around code.
I'm writing an HTML5 app and I can do the Google authentication via a button, and it updates all the correct tokens so I can access the profile in either GAE Launcher apps or appspot deployed ones.
I need the Google account details of the logged-in user within the app I am writing (for API calls to calendar and contacts, for example), and I'd rather not have to write a login handler only for my local development platform - automated for simplicity or otherwise.
I've read that adding login:required forces a login, and on appspot this works perfectly. Locally it does nothing useful.
I've read that you can write a Python decorator to use #login_required - but I'm not writing in Python (it's PHP generating an HTML5 page). I could write a bit of a PHP wrapper to handle it, or automate a call in JavaScript on page load - but this is the workaround I don't want to write because it's handled in the production environment for me.
I want the login:required option as everything is handled for me in production. I have googled the options for the login tag and nothing there suggests I can force a Google login in the locally launched app. I have googled the launcher and settings, but nothing seems apparent.
I suppose I could live with the dev workaround, and the app could assume I'm authenticated, and the JSON request handlers in my app would just use login:required with the correct Google tokens being passed once I am authenticated.
Do I have any other options?
This sounds like it could be a PHP runtime bug. login:required works fine on the python local dev server. Have you checked the issues page to see if it's been reported?
https://code.google.com/p/googleappengine/issues/list
Otherwise it's possible that it's bypassing the login on your dev server because you have some cookie in your browser indicating that you're already logged in. You might try clearing cookies.
Alternatively (at least on the python devserver), you can go to your login page via http://localhost:8000/_ah/login to force a logout (obviously fix the hostname and port number)
There appears to be no way around this other than to write the whole OAuth handler yourself (or get one elsewhere) - significant overkill for a development environment only 'issue'.
I have written the app to handle getting the Google profile details as it starts and force an authentication if they are not present.
This means that login:required will work as expected in the production world and force you to authenticate to Google before you even get to the application... then the app just gets the profile details because the tokens are already present.
login:required in the dev environment just puts up a screen which you just 'OK', then the app attempts to get the profile details but forces the authentication itself because there are no authentication tokens present.
It's unfortunate, but it's a single step in development that users will not have to go through, and it works.