For the past few days, I have been wondering about the authentication issue in mobile applications. I am in the process of implementing a mobile application using React Native.
I'm also implementing an API for this application using .NET Core 6.0 technology and I'm trying to use OpenIdDict library.
One thing I can't understand: mobile applications nowadays when trying to login with login (mail/login/phone number) do not redirect to a separate login page, which should be hosted by an authorization server.
So how do apps use PKCE (if they use it at all)? Is it possible to implement PKCE without hosting such a page? Is it possible to implement an authentication server on the same server where the resources are available? Are two servers even necessary for the secure operation of such an application?
I have an Azure Mobile App service that I use with my (Cordova and Xamarin) mobile apps. The URL for the Mobile App service is https://gonzo.azurewebsites.net/ (not the real URL). I want to create a website (ASP.NET Core 2.0 Web App) that connects to my Azure Mobile App service, just like my apps do. I tried publishing it to the gonzo URL but that overwrote my mobile app service and thus I had to restore it. I’d love to know if there is a way to actually make that work.
My next step was to create the website and use a different URL https://kermit.azurewebsites.net/. I use social authentication for my app mobile service. When I debug it locally against localhost, everything works perfectly. The problem that I’m running into is that when I try to login from the published website, regardless of the auth provider (facebook, Microsoft, google), instead of getting to the login UI supplied by the login provider, I get a 403 with the URL looking something like this: https://gonzo.azurewebsites.net/.auth/login/facebook/callback?code=long-code.
I thought this can be fixed by allowing the kermit origin in my Azure Mobile App service in CORS. I even tried setting CORS to allow all hosts (*) but that didn’t make a difference. Any idea how to make this work?
I want to create a website (ASP.NET Core 2.0 Web App) that connects to my Azure Mobile App service, just like my apps do. I tried publishing it to the gonzo URL but that overwrote my mobile app service and thus I had to restore it. I’d love to know if there is a way to actually make that work.
Based on your requirement, I assumed that you could deploy your NET Core 2.0 Web App along with your mobile app, at this point your two applications could share the authentication. For Detailed tutorial, you could follow Deploying multiple virtual directories to a single Azure Website.
The problem that I’m running into is that when I try to login from the published website, regardless of the auth provider (facebook, Microsoft, google), instead of getting to the login UI supplied by the login provider, I get a 403 with the URL looking something like this: https://gonzo.azurewebsites.net/.auth/login/facebook/callback?code=long-code.
According to your description, you are using the App Service Authentication / Authorization. I would recommend you directly access https://<your-mobile-app-name>.azurewebsites.net/.auth/login/<provider-name> via the browser to make sure you have successfully set up the authentication for your mobile app.
If I understand you correctly that you want to create another Azure Web App to hosting your NET Core 2.0 Website, and your website wants to connect with your mobile app. Here are some approaches, you could refer to them:
For accessing mobile app in the front-end of your .Net Core web app
You could leverage the JavaScript SDK for Azure Mobile Apps in your .Net Core web app to access your mobile app. Details you could follow here. Additionally, if your website would also enable the app service authentication, you could just send GET https://<your-netcore-webapp-name>.azurewebsites.net/.auth/me to retrieve the access_token, then use the Client-managed authentication for logging with your mobile app in the front-end of your netcore website.
For accessing mobile app in the back-end of your .Net Core web app
I assume that your .Net Core web app would also need to enable social authentication via using the App Service Authentication / Authorization, and in the backend of your website you could retrieve the access_token for the current logged user, then you could use Client-managed authentication for logging with your mobile app. The logging request would look like this:
POST https://<your-mobile-app-name>.azurewebsites.net/.auth/login/<provider-name>
Payload: {"access_token":"<the-access-token-for-the-specific-social-provider>"}
Moreover, for retrieving the user logged infos (including the access_token,etc.) from App Service Authentication / Authorization (EasyAuth), you could follow this issue.
Currently our app uses OAuth requests in web-views.
Google will not allow OAuth requests in an embedded browser called "web-views".google_developer_blog
So, we are planning to use Firebase Authentication.
This method is not in best practice, but I would like to tell you if there is any problem.
Thank you in advance.
Google OAuth plans to deprecate embedded webviews. However, you are OK to use SFSafariViewController for iOS apps and Chrome Custom Tab for Android Apps. If none of these are supported, you can open a system browser. All of these flows are allowed for OAuth flows and are more secure than embedded webviews.
I am trying to make an app using Ionic in Mobile First.
The web application is has got both sso and WebIdentity(LDAP) for the login functionality....
How to approach for the Hybrid Mobile App?
I do not believe there is direct relation between using LDAP in IBM MobileFirst Platform and using SSO in IBM MobileFirst Platform.
SSO in MFP allows you to automatically login to app2 if you have already logged-in in app1.
So assuming your are able to login to app1 via LDAP (which is server-side anyway, to check your credentials against a list of users), and assuming you have correctly set-up both apps for SSO, it should work.
Read about setting up SSO: http://www.ibm.com/support/knowledgecenter/SSHS8R_7.1.0/com.ibm.worklight.dev.doc/devref/c_device_single_sign_on.html
Facebook offers an Objective-C library, but it uses web browser session too.
Is there any browser-less way to do authentication?