I'm developing a Rails app, and at some point the users will need to use a smart card for authenticating into the app. I know how to implement this using a Java applet, but I was wondering if there exists a native way of doing this using the browser and avoid using an applet. Any ideas?
Thanks in advance!
The only option to interact with a client device (like a smart card) using the browser is to use a separate container, such as Java applets, Flash, Silverlight or native browser extensions.
If you use SSL client certificate authentication (which is the best option when considering smart cards for webapp authentication, anyway) you can rely on the built-in support in browsers, given that you have proper drivers present for your card(s) on client machines.
I'm not sure there is a "proper" way, but before I just bodge together my own incompatible implementation, perhaps there's something in all the standards that can fit my need?
Here's the situation: Apple has declared that apps on their phones MUST include all standard functionality inside themselves. No more iframes with web content! If you need to show stuff from web, open the system browser (Safari)! Unfortunately we need to display stuff from web, so here we go...
Now, the app requires authentication which the user has done previously. We store whatever tokens we need. When the time comes to open the browser, we don't want to force the user to re-authenticate. We need to somehow pass the access credentials to the browser, and preferably do this securely. Furthermore, the webpage in the browser will need a token obtained from our OpenID Connect server.
Unfortunately, the only point of communication between the app and the browser is the URL, so everything that we give will be there, in plain sight. I know that OAuth was pretty worried about this, so much so that they made it impossible to intercept authentication with just the stuff visible on the screen and instead using things like single-use intermediary codes, backchannels and PKCE.
Unfortunately I cannot see any way to use the default flows "out of the box" to achieve what I need. I can think of modifications to those flows that would do it, but I'm not a security expert so I'd rather go with something standard which is vetted by experts.
SCENARIO
It's a good question since many companies want to show existing web content in a secured manner within a mobile app, and to avoid an extra login.
WEB + MOBILE INTEGRATED SOLUTION VIA DISCONNECTED BROWSER?
Ideally what you want to do is pass the mobile app's JWT to the external web content in an HTTP header. iOS APIs such as openURL, however, may not support this.
You may have to pass a JWT in a query string, in which case I would try to follow a signed request model, though it is not trivial. I have used SalesForce signed requests though not implemented a full solution myself.
1. Mobile app calls an API method at POST /api/encrypt-token
2. API returns an encrypted payload that includes the JWT
3. Mobile app opens a web page at https://mywebapp?token=0a78904cwdu
4. Web UI calls POST /api/decrypt-token to get the JWT
5. Web UI stores the token in memory and uses it to call the API
You will want to prevent raw tokens being written to web server logs.
I believe the recommendation for this type of solution is to use a one time key, as described in the above link. And of course the web session will have some limitations such as silent token renewal not working.
WEB + MOBILE INTEGRATED SOLUTION VIA WKWEBVIEW
In the past I've managed secured web content in a mobile app by making the Web UI get access tokens from the mobile app. This enables an integrated UX and you can use a 'standard as possible' OAuth solution.
When the Web UI runs within a mobile app's web views it no longer does its own OAuth handling and instead calls the mobile app to get tokens and trigger logins
This means there is a single login across web and mobile views, and the Web View gets all the benefits of mobile user experience, such as secure storage of tokens
The Web UI is no longer impacted by things like the web view aggressively dropping cookies
VALID USE OF WEB VIEWS?
Web views are probably not a good long term solution in most cases. I know that Apple are likely to reject apps in 2020 if they use any of these behaviours:
Use of UIWebView - the Cordova default - you need to update to WKWebView
Delivering an app that is solely a repackaged web site with no mobile views
Displaying web content of a dubious nature (ads etc)
I suspect that use of WKWebView used responsibly and justifiably would be accepted. I could be wrong though, so please don't take my word for it.
ONLINE SAMPLES
I will be documenting some stuff about mobile / web integration on my OAuth blog, including code samples.
What would be the best way to obtain an AAD token from an electron app?
Microsoft has two JavaScript authentication libraries: adal.js and msal.js.
Both are designed for browsers and not native Electron apps (For example - AAD won't allow for file:/// scheme as a reply URL).
Sounds like a long term solution would be native AAD packages (like Microsoft built for Apache Cordova), but since that's probably not going to happen any time soon, what is the best short-term option?
Azure Storage Explorer is a good example of an Electron app that does this. It even allows for being logged into multiple AAD accounts at the same time.
You might be able to check out what's going on in the app's dev tools. I've had a poke around and it looks like it uses adal-node npm package instead of the browser based js libraries.
It also looks like it uses an authorization code flow for obtaining tokens.
Azure AD doesn't support the file protocol as the reply address. To develop the single page application, you can host it on a server and use the server URL as the reply address.
We are currently trying to add OAuth2.0 for authentication into an existing Adobe AIR mobile app for a client. We are trying to carry this out by using this library https://github.com/charlesbihis/actionscript-oauth2 from this article.
We have tried using instances of the 'StageWebView' class and the Feathers UI 'WebView' class to display the authorization prompt page within the mobile app itself.
When we publish the app locally on our development PCs, the whole process works OK. However, as soon as it is published to our iPad(s) for testing, it is almost as if some security setting stops the "embedded" website from communicating with the server.
As the website we are trying to communicate with is a https:// address, I'm assuming that this might be causing issues, but I can't confirm this.
Has anyone out there found themselves in a similar situation?
Thanks,
Dave
I am looking to create a basic site which allows users to login (either through email or facebook authentication) and post their photos for other users of the site to comment on. Much like Facebook, I wanted posting, deletion and viewing photos/comments to be possible through an iOS app and through the site itself.
I have been carrying out a bit of research myself, and I can see there being the following options:
Create a site in Django, and use the API framework Tastypie to allow the user to use the get/post/delete commands from an iOS app
Create a site fully in Django, and make this compatible with iOS devices using PhoneGap
Do you have advice on what approach to take - and whether there are alternatives?
It all depends. Do you need hardware functionality that only iOS can provide? If not, it would probably be easier to create a web API and build a mobile optimized version of the site. This would let you build your business logic quickly in Python. You could then build the client using jQuery. This would provide the advantage of being optimized for any mobile device.
Is it possible to create a facebook app using the Vaadin web toolkit?
It is possible. At least there is one http://apps.facebook.com/possessed/ (not maybe the most beautiful one, but working). See also discussion at the vaadin forum: http://vaadin.com/forum/-/message_boards/message/169189
Definitely possible. As you have an iframe for your app in Facebook and you yourself host the application, there is no limit for that. You may also want to use restfb for easily interacting with the FB Graph API.
You can create a Facebook application using any language/framework/etc. The application is loaded in a Facebook Canvas (iframe), but your application isn't hosted on Facebook itself, rather it's hosted on an external app/web server of your choosing. So, as long as your server supports the language of your choosing, you are good to go.