Comments (4)
I believe all of this can be done without any changes on the library level by doing auth in the native web browser and after this calling your own, custom handler to get the token. This is very similar to what we do in the provided example. All you need to change here is to respond with the token retrieved from the request. From this point, assuming you can capture the token from browser's response body and pass it back to your mobile code, you will attach it to each https request as a header (default is X-JWT
).
In the plan you described above the step (2) is unclear to me, namely the part "ensure the redirect_uri is sent to my app on iOS and Android". I have no clue how this can be done on multiple levels. First - how exactly are you going to have such a dynamic redirect url and the second - how this redirect will even reach your app. I.e. such app needs to act as a server and have ports open and properly forwarded on lan, which is an unrealistic expectation. Another thing I don't really get is the "authorization code" you mentioned. Why you need an authorization code if you can use an existing one, i.e. JWT?
Pls note - I have zero practical experience with mobile development, so maybe all I said is complete nonsense ;)
from auth.
Hi @umputun thank you for a very quick reply. I'm not an expert on mobile dev either, however from what I tested, my choices are: use a native browser but then I can't touch the cookies in request nor in response OR I can use a webview inside my app (=tiny browser) but that won't have any cookies set up - so my facebook user will be "logged out" even though they use facebook on the device. Neither of the two options look appealing from a user perspective.
Hence my attempt to pass information to the app from the native browser via a redirect URL. On mobile devices one can actually register "deep links" so on certain URLs, the system (iOS, Android) actually wakes up your app and passes the url to it instead of visiting a website.
If I could access the JWT and pass it to my app as part of that redirect_uri in a parameter, the problem would be solved but I don't see how to do that but I could be missing something. Somehow I had an aversion to passing the JWT through a GET request in the parameters, hence the authorization code (short lived, use only once).
from auth.
I can use a webview inside my app (=tiny browser) but that won't have any cookies set up
Well, I think as you do auth flow it will act as a real browser and will get JWT cookies. I believe, it has nothing to do with your primary mobile browser because this webview widget runs in its own sandbox, or whatever it called on the mobile platform.
Quick googling gave me this article https://www.freecodecamp.org/news/how-to-build-cross-origin-communication-bridges-in-ios-and-andriod-7baef82b3f02/, so looks like it is possible to get webview content from the app. And after you have it you don't need any cookies and all you want is to set a header in each http request. You could also store jwt in your app store and present it the next time user starts the app. If the token expired go-pkgz/auth will try to refresh it and if it expired for real - you could start the login procedure again.
On mobile devices one can actually register "deep links" so on certain URLs, the system (iOS, Android) actually wakes up your app and passes the url to it instead of visiting a website.
If this the case I don't really see a difference between passing JWT in vs some auth code. If for whatever reason, you leak the code it will lead to the same issue as leaked token
from auth.
I fully agree with what you wrote. The problem with webview I mentioned earlier was perhaps badly presented. I was actually able to get the webview working and was able to initiate the login flow to facebook and it was clear how to extract cookies. The inconvenience to the user is on the provider credentials side.
In my case: I am logged into facebook app on my phone and my native browser is authenticated as well (I can verify this by launching the oauth2 request in the default system browser). Yet inside my webview I was presented with a login prompt. This is because the FB cookies are not present in the webview I just created - I have to log in again. This is what I was tryng to avoid by iniitiating the oauth2 flow in the default system browser and somehow extracting data back.
The tradeoffs here are clear and there's likely no easy way to move data from system browser into the app as is, so webview it would have to be. Thank you for your consultation!
from auth.
Related Issues (20)
- Support OpenID and 3rd party IdTokens with cookie-less authentication HOT 7
- Auth status handler panics if user didn't finish the auth process HOT 2
- Support work/school accounts from Azure AD in addition to personal Microsoft accounts
- Bug: auth should also check if xsrf token is set in cookies after checking via headers HOT 12
- twitter oauth now required to use oauth2 - unless you have elevated access HOT 4
- Give an access to bearer token, aquired during authentication proccess HOT 12
- Avatar store connection problems HOT 1
- Bug: (/_example) Using "Login with custom_123" results in "Invalid Request" HOT 2
- [Q] Why don't we use refresh token? HOT 2
- Password in GET is Insecure HOT 1
- Add Mastodon? HOT 1
- 2fa support
- Cannot disable avatar support HOT 4
- Dependency error while downloading auth on Go 1.20 HOT 4
- How to implement Google One Tap
- User email and info on Google Log in
- remove bluemonday as an unreliable dependency HOT 2
- Is there a way to use the token after login? HOT 1
- Planned support for anonymous auth? HOT 1
- XSRF Protections Blocking Browser-sent GET Requests HOT 1
Recommend Projects
-
React
A declarative, efficient, and flexible JavaScript library for building user interfaces.
-
Vue.js
🖖 Vue.js is a progressive, incrementally-adoptable JavaScript framework for building UI on the web.
-
Typescript
TypeScript is a superset of JavaScript that compiles to clean JavaScript output.
-
TensorFlow
An Open Source Machine Learning Framework for Everyone
-
Django
The Web framework for perfectionists with deadlines.
-
Laravel
A PHP framework for web artisans
-
D3
Bring data to life with SVG, Canvas and HTML. 📊📈🎉
-
Recommend Topics
-
javascript
JavaScript (JS) is a lightweight interpreted programming language with first-class functions.
-
web
Some thing interesting about web. New door for the world.
-
server
A server is a program made to process requests and deliver data to clients.
-
Machine learning
Machine learning is a way of modeling and interpreting data that allows a piece of software to respond intelligently.
-
Visualization
Some thing interesting about visualization, use data art
-
Game
Some thing interesting about game, make everyone happy.
Recommend Org
-
Facebook
We are working to build community through open source technology. NB: members must have two-factor auth.
-
Microsoft
Open source projects and samples from Microsoft.
-
Google
Google ❤️ Open Source for everyone.
-
Alibaba
Alibaba Open Source for everyone
-
D3
Data-Driven Documents codes.
-
Tencent
China tencent open source team.
from auth.