The future of authentication ! #28
Comments
Cc @hoangdat thoughts?
@Arsnael maybe too ;-)
You support this for the target: managing devices to access the TMail backend?
No, we did not implement that long lived token flow on the backend yet, if that was your question :)
The goal would be for TMail users not to use basic auth. The idea @hoangdat is that the TMail mobile app does NOT store the user password when used with
The side effect would then be to allow managing devices ;-)
@chibenwa looks good overall. Any thoughts on the life of those tokens? Long lived token: a month at least, I would guess?
Unlimited? (That's OK IMO, as they can be revoked and are only visible once. I hate apps asking me for my password again...)
I was thinking
OK with that. We did something similar in LinShare with
I think so; to have a good user experience, there should be no need to log in again and again.
Yes, it is the same flow.
I modified the above to also allow generation of
This allows web clients to generate secure short lived tokens of their own...
We could include that (or at least start talking about it) in tomorrow's grooming, yes, sounds reasonable.
TODO: detail the login flow for the browser...
Flow details
- Authentication against a TMail server (first connection)
- Authentication against a TMail server (later connections)
- Authentication against a regular JMAP server (first connection)
- Authentication against a regular JMAP server (later connections)
- Web authentication against a TMail server
- Web authentication against a regular JMAP server: use of basic authentication.
@chibenwa how about I close this ticket? Or do we still keep it in the roadmap?
Interoperability
TMail does support Basic authentication.
This enables TMail to work with ANY JMAP server.
TMail backend offers a better option
The first call is done with basic authentication to get the session (credentials are so far kept in memory on the device side).
If the session contains the `com:linagora:params:long:lived:token` then the client does a second call (authenticated with basic auth):
Will return:
TMail mobile then stores this long lived token. Given that token, TMail will not need user input upon connection.
This long lived token can be used to generate a short lived JWT token that can be used for auth.
Example:
Will return:
(if the device id matches, fails otherwise) - (also please note that this token will need to be frequently renewed ;-) frequent renewal enforces security.)
And follow-up requests can be done with:
Note that one:
Eg:
Will return:
To revoke access to my iOS device:
And again, if the account does not support this extension, we NEED to support basic authentication.
Work to do
- FastMail with the TMail application.
- `com:linagora:long:lived:token`, then I have a `Devices` section that displays the long lived tokens and allows revoking the access.
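The flow sketched in this issue (basic auth for the session, a one-time long lived token bound to a device id, short lived JWTs minted from it, bearer follow-up requests, a `Devices` list with revocation, and basic-auth fallback for a plain JMAP server), modelled end to end as an added example. This is not TMail's or James's code: the issue does not show the request or response bodies, so every method name, JSON field, the 300-second JWT lifetime, the HS256 signing and the device-id claim are assumptions; only the capability name `com:linagora:params:long:lived:token` comes from the page.

```python
import base64
import hashlib
import hmac
import json
import secrets
import time

# Capability name from the issue; everything else in this file is assumed.
LONG_LIVED_CAPABILITY = "com:linagora:params:long:lived:token"
SHORT_LIVED_TTL = 300                   # assumed lifetime of a short lived JWT, in seconds
SERVER_KEY = secrets.token_bytes(32)    # HS256 key, generated per process for the demo


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


class TMailBackend:
    """Hypothetical server side of the flow. long_lived_supported=False models a regular JMAP server."""

    def __init__(self, users, long_lived_supported=True):
        self.users = users                          # username -> password (plaintext, demo only)
        self.long_lived_supported = long_lived_supported
        self.long_lived = {}                        # token id -> {"user", "device", "hash"}

    def _check_basic(self, user, password):
        expected = self.users.get(user)
        if expected is None or not hmac.compare_digest(expected.encode(), password.encode()):
            raise PermissionError("bad credentials")

    def session(self, user, password):
        """First call, basic auth: the session advertises the extension if the server has it."""
        self._check_basic(user, password)
        caps = {LONG_LIVED_CAPABILITY: {}} if self.long_lived_supported else {}
        return {"username": user, "capabilities": caps}

    def issue_long_lived(self, user, password, device_id):
        """Second call, still basic auth. The secret is shown once; only its hash is stored."""
        self._check_basic(user, password)
        token_id, secret = secrets.token_hex(8), secrets.token_urlsafe(32)
        self.long_lived[token_id] = {"user": user, "device": device_id,
                                     "hash": hashlib.sha256(secret.encode()).hexdigest()}
        return {"id": token_id, "token": f"{token_id}.{secret}"}

    def issue_short_lived(self, long_lived_token, device_id, now=None):
        """Mint a short lived HS256 JWT from the long lived token; fails on a device id mismatch."""
        now = int(time.time()) if now is None else now
        token_id, _, secret = long_lived_token.partition(".")
        record = self.long_lived.get(token_id)
        digest = hashlib.sha256(secret.encode()).hexdigest()
        if record is None or not hmac.compare_digest(record["hash"], digest):
            raise PermissionError("unknown or revoked long lived token")
        if record["device"] != device_id:
            raise PermissionError("device id mismatch")
        header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
        claims = {"sub": record["user"], "device": device_id, "iat": now, "exp": now + SHORT_LIVED_TTL}
        payload = _b64url(json.dumps(claims).encode())
        sig = hmac.new(SERVER_KEY, f"{header}.{payload}".encode(), hashlib.sha256).digest()
        return f"{header}.{payload}.{_b64url(sig)}"

    def authenticate_bearer(self, jwt, now=None):
        """Follow-up requests: verify signature and expiry, return the authenticated username."""
        now = int(time.time()) if now is None else now
        parts = jwt.split(".")
        if len(parts) != 3:
            raise PermissionError("malformed token")
        header, payload, sig = parts
        expected = hmac.new(SERVER_KEY, f"{header}.{payload}".encode(), hashlib.sha256).digest()
        if not hmac.compare_digest(expected, _b64url_decode(sig)):
            raise PermissionError("bad signature")
        claims = json.loads(_b64url_decode(payload))
        if claims["exp"] <= now:
            raise PermissionError("expired: renew from the long lived token")
        return claims["sub"]

    def list_devices(self, user):
        """Backs a 'Devices' section: the user's long lived tokens, without their secrets."""
        return [{"id": t, "device": r["device"]} for t, r in self.long_lived.items() if r["user"] == user]

    def revoke(self, user, token_id):
        """Revoking a device deletes its long lived token, so no further JWTs can be minted from it."""
        record = self.long_lived.get(token_id)
        if record is None or record["user"] != user:
            return False
        del self.long_lived[token_id]
        return True


def mobile_first_login(backend, user, password, device_id):
    """Client side: returns what the app must persist. With the extension that is only the long
    lived token (the password is dropped); against a plain JMAP server it is the basic credentials."""
    session = backend.session(user, password)
    if LONG_LIVED_CAPABILITY in session["capabilities"]:
        token = backend.issue_long_lived(user, password, device_id)["token"]
        return {"mode": "long-lived-token", "token": token}
    return {"mode": "basic", "user": user, "password": password}
```

Two properties of the sketch matter for the security argument in the issue: the server keeps only a hash of the long lived secret, so a database leak does not hand out usable tokens, and a short lived JWT is accepted purely on signature and expiry, so revocation takes effect at the next renewal rather than instantly, which is why the renewal interval should stay short.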