We're trying to find a way to authenticate a client via a mobile application rather than using a captive portal splash page. Is this possible at all?
I've looked at the CloudTrax API but can't seem to find anything that directly indicates the ability to authenticate users.
Another option I considered was trying to make a http request which would return the splash page and then with Javascript, imitate a click event on the authenticate button..
If you use the cloudtrax http authentication then you should be able to do this fairly easily.
Cloudtrax HTTP auth sends an initial status request to your HTTP auth endpoint whenever a client connects to the wifi network if they haven't already got an authenticated session. This is before any login or captive portal popup is displayed. Your HTTP endpoint can respond to that request with an ACCEPT message along with session time and bandwidth restrictions. The AP will then just authenticate the device and allow it internet access without displaying any captive portal.
Not sure what your use case is for the mobile app (eg are you doing some other customer engagement inside the app?), but you could implement this without an app. Just push them to a captive portal the first time you detect their mac address, get them to register. Then all future connections can just be automated in the backend.
If you do need an app, then just do the registration part inside the app and have the app send their mac address to your backend server so the HTTP auth server can look it up in future.
Related
I want to secure my Web-App with Auth0 in React. This means a user can login on my page and use the resulting Access Token to make requests to services behind AWS API Gateway.
But Auth0 requires that all possible Callback URLs are defined in the Dashboard.
This works well as long as the Application is hosted on a domain owned by me.
In my case the React App will be distributed as a Plugin (Shopify, Woocommerce). My users will install this Plugin and use my App through their shopsystem-UI. Which means that requests from the browser are made from their domain.
How should I securely access my Services through this client which is distributed on Domains which i don't know beforehead?
As my research shows, one solution would be Dynamic Application Registration. But with this I would end up with one Auth0 Application per user and Auth0 Limits that to 100 Applications.
How should I handle my case instead?
I have a Nuxt application that interacts with NationBuilder, a 3rd party application. In order for users on my site to interact with data from their NationBuilder account, my app must allow them to authenticate over OAuth with the NationBuilder API.
The first step of this OAuth process works fine; My client sends a request to the NationBuilder API's /oauth/authorize endpoint. The browser redirects the user to NationBuilder's website where the user can login to grant my application access to their NationBuilder data. Then, NationBuilder redirects the user back to a second page on my site with query parameter in the URL containing what is called the "code". This second page on my site hits our internal API with this code, which in turn hits the Nationbuilder API's /oauth/token endpoint with the code to receive the access_token. Now we can use this access_token in any call to the Nationbuilder API.
The issue I'm running into is that when Nationbuilder first redirects the user to that second page in our Nuxt app, the reloading of my site takes a while and seems to be skipping some initialization configuration steps. I think this is the case because some of the functions that normally work when I boot up my site are not found.
I am in the process of developing the application, so I am running my site on localhost and using ngrok to create an https tunnel to satisfy the NationBuilder API. Maybe this issue is related to the tunneling?
I have a hunch I should be doing this all differently. If there is a conventional way of authenticating a Nuxt application with a 3rd party application over OAuth, please point me to an example/docs.
Cheers.
I use Google Webtoolkit together with Phonegap to build a mobile app. My app is communicating over a REST APi with my Backend Server.
What I want to do is a user authentication, i.e., my app user should be able to signup and login. If a user closes the app and reopens it, he should be authenticated again if he has not logged out before.
Usually, with Spring Security you do the authentication on the server by calling the required methods. The client (browser) then contains some cookie information for a persistent login.
1. How can achieve this kind of authentication for my app?
2. Should I do the authentication as for a normal web site with the only difference that the authentication methods are called by the REST api methods?
3. Is there another way of doing the authentication for my mobile app?
I think user authentication for the mobile app will be the same as for a normal web-app.
The Spring backend will create a session once a user is authenticated. By default the user is authenticated for the duration of the specific session (until the user closes the browser/app).
Spring Security has a Remember-me functionality that is typically based on a Cookie approach and allows the user to be re-authenticated automatically..
I don't know if phonegap work with Cookies (see here for some pointers). I guess it depends on the plattform (if webview supports cookies).
May be this will help you I wrote an article that show how to adapt Spring Security to secure REST services.
You can check it in here : http://crazygui.wordpress.com/2014/08/29/secure-rest-services-using-spring-security/
I also posted a working example which shows how I did use that with GWT on GitHub.
I am developing a BlackBerry application in which I need to use PUSH API. I already have registered with RIM and they have sent me the credentials for evaluation service. In my BlackBerry device, I installed sample push API application just to test that the push messaging works. After setting the content provider URL which is publicly accessible, I entered all the details for the sample application to register the it for receiving notification messages. When trying to register it asks for username and password but I don't know what they are for. In the email received from RIM, there are passwords for server application and content provider admin portal applications but not for the push client.
When I added an arbitrary username and password it fails with the message that java.lang.Exception Registration with Push API failed, caused by port is unavailable. But when I unregister it successfully unregisters the user with the given arbitrary username and password. By the I use the port given in the RIM's email.
I have no idea why this happens and I appreciate immediate response from you. Thank you.
The first thing to point out is that the RIM sample push application is ridiculously overcomplicated. The username and password you are referring to are used to authenticate against the sample push initiator web application which runs on your tomcat server. It doesn't matter what you put in there, they are not used for authentication. I can only assume they were added to show you that you can send a username and password to a web based service.
The only things you need in your BlackBerry app to register for the push service are:
Push Application ID (e.g. 2672-c870l6c924r1i298O4o33cc5391y0e75134)
Push Port (e.g. 31940)
BlackBerry Push Server URL (e.g. http://pushapi.eval.blackberry.com)
The port is unavailable message you're receiving is probably because the device you're using has not been provisioned for BlackBerry Internet Services (BIS). Make sure it has a SIM with an active BlackBerry data plan.
I'm currently planning a new web project. Clients are going to connect using a regular web browser and, in case of regular java-enabled cell phones, j2me client. I would really like to make use of the OpenID authentication. In case of regular web browser things are pretty straightforward. However, I am really not sure about installed applications (such as j2me client installed on a mobile device) - regular OpenID authentication is performed by entering username/password on a webpage of particular OpenID provider - which is quite a limitation :)
Has anyone coped with such a situation? Is it possible to create authentication mechanism to the site that uses OpenID from a mobile j2me client?
Currently, I think of solution that users who would like to connect from their mobiles download necessary j2me application from the server web site after they have authenticated themselves (regular browser authentication). The mobile client app could be assembled dynamically on the server with the SSL certificate embedded that is associated with particular logged in OpenID user. After that, j2me client could authenticate to the server without entering any username/password. The data that is going to be stored on the server is not THAT sensitive - considering cases of mobile phone thefts etc.
Can anybody come up with a better solution?
The best solution IMO for what you're doing is to use OAuth combined with OpenID. You're use of OpenID at the RP is fine. But for installed applications that need access to that web site, they should use OAuth to get authorized. The flow would work like this:
User installs app on their device
During install or on first launch, the app has an "Authorize me" button.
The user presses the button and a web browser pops up the web site that the client app needs to access data from.
User logs into that site using their OpenID
Site now asks "do you want to authorize client app X?"
User says yes and closes the browser.
The client app reappears and says "thanks." and now has the OAuth token necessary to access the user's data without the user ever logging in again.