How to embed dash app in existing platform with security? - authentication

We run some dash apps in dockers, and we want to embed them into our platform (it's built with React for the UI and Flask for the API server). Our platform uses Flask JWT for authentication. What's the best way to secure the embedded dash apps?
We are thinking of embedding the dash apps using an iframe. We want the user to log in to our platform to use the dash app. When the user uses the dash app via our platform, the user will not be asked for a username and password again. But if the user copies the dash app URL to another browser, the user will be asked to log in (to prevent the URL from being shared). How do we do it?
thanks!
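One way to get the behaviour the question describes, as an added example that is not part of the original post: the Dash container checks the platform's JWT on every request, so a URL opened in a browser without the platform session gets a 401. It assumes an HS256 token delivered in a cookie; `SECRET`, the cookie name `platform_jwt`, `issue`, `verify` and `gate` are hypothetical names.

```python
import base64, hashlib, hmac, json, time

SECRET = b"constructed-demo-secret"  # assumption: HS256 key shared with the platform
COOKIE = "platform_jwt"              # hypothetical name of the platform's JWT cookie

def _b64d(part):
    return base64.urlsafe_b64decode(part + "=" * (-len(part) % 4))

def _b64e(raw):
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()

def _sign(head, body, secret):
    return hmac.new(secret, f"{head}.{body}".encode(), hashlib.sha256).digest()

def issue(claims, secret=SECRET):
    """Constructed stand-in for the platform's login endpoint (HS256)."""
    head = _b64e(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    body = _b64e(json.dumps(claims).encode())
    return f"{head}.{body}.{_b64e(_sign(head, body, secret))}"

def verify(token, secret=SECRET, now=None):
    """Return the claims of a valid, unexpired HS256 token, else None."""
    now = time.time() if now is None else now
    try:
        head, body, sig = token.split(".")
        if json.loads(_b64d(head)).get("alg") != "HS256":  # refuse "none" etc.
            return None
        if not hmac.compare_digest(_sign(head, body, secret), _b64d(sig)):
            return None
        claims = json.loads(_b64d(body))
        exp = claims["exp"]
    except (ValueError, KeyError, TypeError, AttributeError):
        return None
    if not isinstance(exp, (int, float)) or exp <= now:
        return None
    return claims

def gate(cookies, now=None):
    """Decide one request to the Dash app: (200, claims) or (401, None)."""
    claims = verify(cookies.get(COOKIE), now=now)
    return (200, claims) if claims else (401, None)

# Wiring sketch (assumes `dash_app` is the dash.Dash instance; its .server is Flask):
#   @dash_app.server.before_request
#   def require_platform_login():
#       status, _ = gate(flask.request.cookies)
#       if status != 200:
#           return flask.Response("login required", status=401)
```

The browser only sends the cookie to the iframe if the Dash app is served from a host the cookie is scoped to, so the containers need to sit behind the platform's domain or a subdomain covered by the cookie.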

Related

React Native Login Using WebAuth redirection to browser from app

When logging in using Auth0 WebAuth in React Native, it opens the browser for login.
I want to create a smooth login so that the user should not be able to experience whether I logged in using the App or the Browser, just like a webview. Does anyone have any idea?
Just to be clear, are you asking if Auth0 supports doing this without a browser? Given that it's likely using OAuth2 or OpenID Connect, then the short answer is no.
Further to that, WebAuthn is a browser-based JavaScript API, so by definition it would require a browser with these features to be available.
That said, there's probably nothing preventing you from implementing a native WebAuthn-like experience using CTAP2 (the protocol that sits underneath WebAuthn) directly or a platform-specific wrapper around the same.

Is it good to use WebViews in React Native from Security Perspective?

I was going through this link and they mentioned that:
In a WebView, any malicious code in the page has the same rights as the application. This means you need to make sure to only load trusted content. But there is another risk–a malicious app may also have access to browser content (like cookies) and may snoop passwords or intercept OAuth codes.
I was wondering why would Facebook implement WebView then if it had security vulnerabilities.
Is it good to use WebViews in a React Native mobile application?

Auth0 Rule Not Working w/ API Call from React Native App

I’ve been using Auth0 in my React web app. I also have a rule that works with new user sign ups. In my web (React) app, I use the Lock library and everything works fine.
Now, I created a React Native mobile app and because I have a custom login/sign up UI, I had to use the API method as opposed to using an Auth0 library such as Lock, etc.
My SignUp API calls work fine and create new users but my rule is NOT working with API calls. I checked to see if rules apply only to my web app but I don’t see any setting for that so I assume all rules should work for all apps that appear on my dashboard – including my new React Native mobile app.
The rule I created on Auth0 creates and assigns a new my_app_id to the new user. This rule has worked flawlessly with all sign ups coming from my web app which uses the Lock library but it doesn't seem to be firing when a new sign up comes in through the sign up API end point.
Is there anything I need to do so that my rule will work with my API calls?
Rules only run after a successful authentication event. This would not include a successful signup endpoint call, where no credentials are authenticated.
The recommended way to hook to a signup would be through a registration hook.

Can you interact with the app in test using absolute positioning in Detox?

I am trying to test a react native app on android which uses a native library which does oauth-based authentication using a webview. Detox does not support webviews (yet) so I was wondering if I could tap on the keyboard using coordinates in order to get through the auth (bad I know, but gets me unstuck for now).
Since the oauth screen is outside your app, I'd recommend you do the following:
1. Create E2E tests for your login up to the oauth screen
2. Get a CLI for your oauth provider or figure out how to authenticate via node.js to get the auth token
3. Create a deep link path in your app that accepts the token as a param and stores it the way you'd store it normally and trigger a continuation of the login flow (you may need to reverse engineer your native lib slightly)
This is generally the approach you want to take if you are using an external authentication party. If the party providing the auth package doesn't support 2 and 3, you should raise the issue with them.

Is it possible single Box App to authenticate different iOS apps?

The whole idea is to authenticate App, App Lite, App iPhone, App iPhone Lite with a single Box.com App ID and return the user to the right app which redirected the user to the authorization/authentication web site.
My conclusion till now leads to using different App IDs, because of the lack of an option to add different redirect URLs and, respectively, the possibility for [box-api] to recognize the right caller application.
Will it work if I try to embed auth url in UIWebView and handle the response from that webView?
We currently don't support this use case, and you'll need separate App IDs.