Im doing an small cordova APP for android that use GCM plugin to connect to GCM and receive notifications.
I know all the working flow of GCM:
Server APP start
Client connect to the server, get the GCM Token and send to the server
Server store the client token
Client disconnect
Server can send push message to the client using the last token saved
If the client reconnect check the client token to update ir or not in the server
but I have a special case issue:
Server APP start
Client connect to the server, get the GCM Token and send to the server
Client disconnect
Server crash, lossing the client tokens
Server restart, without clien tokens
Server canT send push to the client because losse the client token, client still listening for push but server cant force them to update.
Exists some method to allow the server reset the client token or get the clients connected to specific GCM APP ID? Because if I need to restar the server and dont save the tokens, i dont know if the client is listening or not, and if the client token expires i never know.
Why don't you persist the token into a database ? Then you won't loose the tokens if the server crashes.
In addition, you can accomplish refreshing invalid tokens by checking the error response from GCM after sending a message to an invalid token, if you get for example Unregistered Device then all you have to do is to remove that token from your database. See more details here and here
Related
In Oauth and Openidconnect, the appserver endpoint invocation starts the Oauth flow and the app server gets the token from the auth server and is able to pass the token to resource server to access resources (delegation) on behalf of the resource owner.
The token exchange happens between the app server and resource server, and the token never arrives at the end users browser.
Q1: Does the app server store the token against the user?
Q2: At a subsequent appserver endpoint invocation by the user, how does the appserver know who the user is and which token is to be used to access the resource server?
(1) Yes. The app server will store the token for each user.
(2) It uses cookie to maintain the user session. The idea is that after confirming the user is authenticated (i.e get the access token) successfully , the app server will generate an unique session ID for this user and associate this session Id to the user 's access token. This session ID will then be sent back to the user 's browser as a cookie such that when the user 's browser sends subsequent requests to the app server , the app server can get back this session ID from the cookie and use it to get back his access token.
I am building a single page react app that uses redux as state manager and an express node js as backend server, but I don't know what is the best way to authorize my users in the application!
If it was a php or express-js website, I could use PHPSESSION or express-session to manage users sessions data but now the single page web application is separated from the backend and I can't manage sessions like before!
My idea is to make a session id for each new web request, then save it for client in local storage, then in the server store all needed informations in a database and when application have an API call, send that id in request header. Then we can check authorizations by using that implemented session.
But I thought if there was a simpler way to handle this problem that has no need to make a session implementation by myself.
(I don't want to use third party services like firebase or okta or save all session data in client part like JWT.)
At the end i implemented a custom session manager ( SessionMush ) so the client send a request to server and get a token id then use it to access its session in server.
Each session should be accessible by an identification token ( here knows as sid ) so the application can save that token to access and use that session. A server side state for your application can be use for saving clients auth state or any temporarily data about clients that you want to use them on server side so in your application you will save that identification token and then with each request you will send it in http headers then the server will know who you are and what was you did before on the application based on that saved session data in database (server side state for that id) so it can serve the needed information for you based on the client identity and it's state on the server. It created to be used as a express middleware and mongodb as data store.
When your application have no session and it loaded for the first time it sends a request to the server to gain an identity for itself When the request received to the server, server analyze the request and it'll find out that there is not exist any session id (sid) so it will make a new one for this request and add it to response header part so when the server decide to send the response it will send that created session informations too. The client should save that informations to use that session for its other requests. it can send that id in the request header part to show its identification. A session can be expire too when it doesn't used for a threshold time. so when the server get wrong or expired session it will behave to it like a request without any session so it will create a session for that request and send its informations like what we explained before.
I have build hybrid app and deployed it on IBM mobilefirst server 7.0. App contains android service which used to send data to backend server. After updating the android application on production I am getting
com.worklight.core.auth.ext.DeviceAuthenticator E FWLSE4007E: Received bad token from client. Server token:'ap6oohvlpd3ak1dmfivsqafebp', client token:'9u7ta9r1592qmvphssfclqn2h0'.
and also if I check ihs server then on IHS server I am getting 401 unauthorized. I guess it is because of token which WAS is send to client but in these case token is never going back to client,I think that is the reason I am getting 401 every time and my data not going to back end.
Please help me out to solve my problem.
Do we need to call WL.Client.Login API before submitLoginForm in MobileFIrst 7.1.0 while using Formbasedauthentication (LoginModule = LDAP).
IBM documentation does not mention it but we found that if we do not call it MobileFirst Server does not send any Challenge.But we call that before submitLoginForm we receive all challenge handler and got authenticated from LDAP.
Please Advice.
Yes.
submitLoginForm() is the step where the client side code ( challengehandler) sends the credentials to the server. This is in case of Form based login.
The challenge will come from the server as a result of the application connecting to the server by:
WL.Client.connect(). In this case, if the application is protected, server throws the challenge.
WL.Client.login(realmName). If this is a custom realm, the server sends a challenge to be handled.
Invoking a protected resource using WLResourceRequest. The server responds with a challenge.
When user enters wrong credentials to an earlier challenge
When the challenge comes, you handle it in the challengehandler. The handleChallenge flow in the client ends with the client submitting the credentials in the login form and sending it to the server using the API - submitLoginForm().
I'd like to know if each time my application runs I need to get the token and pass it to the server, or if it's only necessary once to register the application. Thanks a lot.
You need a token to register the GCM(push notification) to the Google Server. Then this token is passed and used in the server to send subsequent notification. This token should be persisted by the server so that it can be used to make API calls to the Google server. With this approach, your server and the Android device do not need to create a persistent connection and the responsibility of queuing and relaying messages is all handled by Google's servers.
For more information visit the Registering Client Apps and also check this documentation.