For mobile apps a cookie-based session mechanism is cumbersome to implement. Also, in contrast to a web browser, we can store a long-term credential on a mobile device. Therefore we need a mechanism to support mobile apps or other clients capable of persistent login (e.g. mobile apps, native applications, external clients).
Proposal:
We add support for pass-through authentication without any user session.
OIDC
In the login-provider configuration, the JWK URL of the pass-through tokens must be defined.
If the request contains a valid ID token in a configured HTTP header, we create the user model from the ID token.
Downstream authentication is not changed. That means the ID token will be replaced with the OAG-generated JWT unless otherwise specified in the configuration.
No state is stored on OAG
GitHub (OAuth2 but not OIDC)
Because GitHub does not have any kind of ID token and the access token is opaque, the only option is that the client sends the access token with the request, and OAG uses the GitHub API to get the user information.
We would need to cache the user information on OAG to avoid a GitHub API lookup with every request.
Implementation
The login driver interface gets an additional method checkPassthroughAuthentication(HTTPRequest)->UserModel that is called if no session cookie is found. If the method returns a UserModel, this is used. If the method returns null, the request is anonymous. If an InvalidAuthenticationException is thrown, the request is blocked.
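As an added example (not code from the Application Gateway project, which is written in Java; this is a stand-alone Go sketch), here is what the OIDC branch of the proposed checkPassthroughAuthentication could look like, with the three outcomes the proposal describes: no token gives an anonymous request, a valid token yields a user model, an invalid token blocks the request. Everything named here is an assumption for the example: the UserModel and PassthroughConfig types, the header name X-Id-Token, the issuer and audience values, the kid "k1", and the key map, which stands in for the key set that OAG would fetch from the configured JWK URL. MintIDToken plays the identity provider so the check can be exercised offline; the GitHub access-token path with its user-info cache is not covered.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"errors"
	"net/http"
	"strings"
)

// UserModel and ErrInvalidAuthentication stand in for OAG's UserModel and InvalidAuthenticationException (assumed names).
type UserModel struct{ Subject, Email string }
var ErrInvalidAuthentication = errors.New("invalid pass-through authentication")

// PassthroughConfig is what the login-provider configuration would supply (assumed names); Keys is the key set fetched from the JWK URL, by kid.
type PassthroughConfig struct {
	Header, Issuer, Audience string
	Keys                     map[string]*rsa.PublicKey
	Now                      func() int64 // unix seconds, injectable for tests
}

// idClaims assumes a single-string aud; OIDC also allows an array there.
type idClaims struct {
	Iss   string `json:"iss"`
	Sub   string `json:"sub"`
	Aud   string `json:"aud"`
	Exp   int64  `json:"exp"`
	Email string `json:"email"`
}

func b64(b []byte) string { return base64.RawURLEncoding.EncodeToString(b) }

func decodeSegment(seg string, v interface{}) error {
	b, err := base64.RawURLEncoding.DecodeString(seg)
	if err != nil {
		return err
	}
	return json.Unmarshal(b, v)
}

// CheckPassthroughAuthentication is the proposed driver method for the OIDC case:
// (nil, nil) no token, anonymous; (user, nil) valid token; (nil, err) block the request.
func (c *PassthroughConfig) CheckPassthroughAuthentication(r *http.Request) (*UserModel, error) {
	raw := r.Header.Get(c.Header)
	if raw == "" {
		return nil, nil
	}
	// Pin the algorithm before selecting a key: the token must not get to choose "none" or HS256.
	parts := strings.Split(raw, ".")
	var h map[string]string
	if len(parts) != 3 || decodeSegment(parts[0], &h) != nil || h["alg"] != "RS256" {
		return nil, ErrInvalidAuthentication
	}
	key, ok := c.Keys[h["kid"]]
	sig, err := base64.RawURLEncoding.DecodeString(parts[2])
	if !ok || err != nil {
		return nil, ErrInvalidAuthentication
	}
	// Verify the signature over header.payload first; claims are only trusted after that.
	digest := sha256.Sum256([]byte(parts[0] + "." + parts[1]))
	var cl idClaims
	if rsa.VerifyPKCS1v15(key, crypto.SHA256, digest[:], sig) != nil || decodeSegment(parts[1], &cl) != nil {
		return nil, ErrInvalidAuthentication
	}
	if cl.Iss != c.Issuer || cl.Aud != c.Audience || c.Now() >= cl.Exp {
		return nil, ErrInvalidAuthentication
	}
	return &UserModel{Subject: cl.Sub, Email: cl.Email}, nil
}

// MintIDToken plays the identity provider: it issues an RS256-signed ID token under kid.
func MintIDToken(priv *rsa.PrivateKey, kid, iss, aud, sub, email string, exp int64) string {
	hdr, _ := json.Marshal(map[string]string{"alg": "RS256", "kid": kid})
	body, _ := json.Marshal(idClaims{Iss: iss, Sub: sub, Aud: aud, Exp: exp, Email: email})
	input := b64(hdr) + "." + b64(body)
	digest := sha256.Sum256([]byte(input))
	sig, _ := rsa.SignPKCS1v15(rand.Reader, priv, crypto.SHA256, digest[:])
	return input + "." + b64(sig)
}

// NewDemo wires a constructed provider config (fixed clock, one trusted kid) to a fresh key.
func NewDemo() (*PassthroughConfig, *rsa.PrivateKey) {
	priv, _ := rsa.GenerateKey(rand.Reader, 2048)
	cfg := &PassthroughConfig{Header: "X-Id-Token", Issuer: "https://idp.example.test", Audience: "oag-mobile-client"}
	cfg.Keys = map[string]*rsa.PublicKey{"k1": &priv.PublicKey}
	cfg.Now = func() int64 { return 1700000000 }
	return cfg, priv
}

func RequestWith(header, token string) *http.Request {
	r, _ := http.NewRequest("GET", "https://oag.example.test/api", nil)
	r.Header.Set(header, token)
	return r
}
```

The order of the checks is the point: algorithm pinned from configuration, key chosen by kid from the trusted set, signature verified, and only then are iss, aud and exp read from the payload. A token signed by a second key that reuses the trusted kid, an expired token, a token for another audience, or an unknown kid all end in the blocked outcome; a request with no header at all stays anonymous rather than being blocked.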
Hi Gian-Luca
I recently put something together on this for Oliviero (attached; I didn't want to upload it to GitHub).
In general:
* Yes, an "easy login" for mobile apps is needed.
Kind regards
Padi
From: gianlucafrei ***@***.***
Sent: Thursday, 6 May 2021 11:30
To: gianlucafrei/Application-Gateway ***@***.***
Cc: Padi Steger (OWASP Switzerland) ***@***.***; Mention ***@***.***
Subject: Re: [gianlucafrei/Application-Gateway] Authentication for Mobile Apps (#81)
@Padi-owasp <https://github.com/Padi-owasp> Does this make sense for you? Any improvement ideas?