Authentication for Mobile Apps #81
Labels
enhancement
New feature or request
Comments
|
@Padi-owasp Does this make sense for you? Any improvement ideas? |
|
See Mail comments ;-) |
|
Hoi Gian-Luca
Ich habe neulich dazu etwas zusammen gestellt für Oliviero (Anhang, wollte das nicht auf GitHub laden).
Generell:
* Ja, es braucht einen «easy-login» für Mobile Apps.
LG
Padi
From: gianlucafrei ***@***.***>
Sent: Donnerstag, 6. Mai 2021 11:30
To: gianlucafrei/Application-Gateway ***@***.***>
Cc: Padi Steger (OWASP Switzerland) ***@***.***>; Mention ***@***.***>
Subject: Re: [gianlucafrei/Application-Gateway] Authentication for Mobile Apps (#81)
@Padi-owasp <https://github.com/Padi-owasp> Does this make sense for you? Any improvement ideas?
—
You are receiving this because you were mentioned.
Reply to this email directly, view it on GitHub <#81 (comment)> , or unsubscribe <https://github.com/notifications/unsubscribe-auth/ASQQG6MHV3722IQWTMCEEZTTMJOSTANCNFSM44GVIFAA> .
|
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
For mobile apps a cookie-based session mechanism is cumbersome to implement. Also, in contrast to a web-browser we can store a long term credential on a mobile device. Therefore we need a mechanism to support mobile apps or other client capable with persistent login. (e.g. mobile apps, native applications, external clients)
Proposal:
We add support for pass-trough authentication without any user session.
OIDC
GitHub (OAuth2 but not OIDC)
Implementation
The login driver interface gets an additional method
checkPassthroughAuthentication(HTTPRequest)->UserModelthat is called if no session cookie is found. If the method returns a UserModel, this is used. If the method returns null, the request is anonymous. If a InvalidAuthenticationException is thrown, the request is blocked.The text was updated successfully, but these errors were encountered: