
Authentication for Mobile Apps

Open gianlucafrei opened this issue 4 years ago • 3 comments

For mobile apps a cookie-based session mechanism is cumbersome to implement. Also, in contrast to a web browser, we can store a long-term credential on a mobile device. Therefore we need a mechanism to support mobile apps or other clients capable of persistent login (e.g. mobile apps, native applications, external clients).

Proposal: We add support for pass-through authentication without any user session.

OIDC

  • In the login-provider configuration the JWK URL of the pass-through tokens must be defined
  • If the request contains a valid Id-Token in a configured HTTP-Header, we create the user model from the id token
  • Downstream authentication is not changed. That means the id token will be replaced with the OAG generated JWT unless otherwise specified in the configuration.
  • No state is stored on OAG

GitHub (OAuth2 but not OIDC)

  • Because GitHub does not have any kind of id-token and the access-token is opaque, the only option is that the client sends the access-token with the request, and OAG uses the GitHub API to get the user information.
  • We would need to cache the user information on OAG to avoid a GitHub Api lookup with every request

Implementation

The login driver interface gets an additional method checkPassthroughAuthentication(HTTPRequest) -> UserModel that is called if no session cookie is found. If the method returns a UserModel, this is used. If the method returns null, the request is anonymous. If an InvalidAuthenticationException is thrown, the request is blocked.

gianlucafrei avatar May 06 '21 09:05 gianlucafrei
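As an added example (not OAG's code), the OIDC branch of the proposed checkPassthroughAuthentication(HTTPRequest) -> UserModel contract, written in Python: the id token is read from the configured header, checked against the configured JWKS, and turned into a user model, with None for "no token, anonymous" and an exception for "token present but invalid, block". It assumes a symmetric "oct" JWK and HS256 so the block runs offline with the standard library only (real provider id tokens are RS256/ES256, and the alg pinned in the configuration must be enforced either way); the header name, config keys and claims are constructed.

```python
import base64, hashlib, hmac, json, time

class InvalidAuthenticationException(Exception):
    """Token present but invalid: per the proposal, OAG blocks the request."""

def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def _b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

PROVIDER_CONFIG = {  # hypothetical login-provider config; the JWKS is inlined instead of fetched
    "header": "X-Id-Token", "alg": "HS256",
    "issuer": "https://issuer.example", "audience": "oag-mobile-client",
    "jwks": {"keys": [{"kty": "oct", "kid": "k1", "k": _b64url(b"constructed-demo-secret")}]},
}

def check_passthrough_authentication(headers: dict, cfg=PROVIDER_CONFIG):
    """Return the user model, None for an anonymous request, or raise to block it."""
    token = headers.get(cfg["header"])
    if token is None:
        return None  # no pass-through token and no session: anonymous, nothing stored on OAG
    try:
        h64, p64, s64 = token.split(".")
        header, payload = dict(json.loads(_b64url_decode(h64))), dict(json.loads(_b64url_decode(p64)))
    except (ValueError, TypeError):
        raise InvalidAuthenticationException("malformed token")
    if header.get("alg") != cfg["alg"]:  # the config pins the alg; the token never chooses it
        raise InvalidAuthenticationException("unexpected alg")
    key = next((k for k in cfg["jwks"]["keys"] if k.get("kid") == header.get("kid")), None)
    if key is None or key.get("kty") != "oct":
        raise InvalidAuthenticationException("unknown kid")
    mac = hmac.new(_b64url_decode(key["k"]), f"{h64}.{p64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(mac, _b64url_decode(s64)):
        raise InvalidAuthenticationException("bad signature")
    aud = payload.get("aud")
    if "sub" not in payload or payload.get("iss") != cfg["issuer"] or cfg["audience"] not in (aud if isinstance(aud, list) else [aud]):
        raise InvalidAuthenticationException("missing sub, wrong issuer or wrong audience")
    if not isinstance(payload.get("exp"), (int, float)) or payload["exp"] <= time.time():
        raise InvalidAuthenticationException("missing or expired exp")
    return {"id": payload["sub"], "email": payload.get("email")}  # the OAG user model

def mint_id_token(claims: dict, kid="k1", cfg=PROVIDER_CONFIG) -> str:
    """Constructed token standing in for what the OIDC provider would issue to the app."""
    key = next(k for k in cfg["jwks"]["keys"] if k["kid"] == kid)
    h64 = _b64url(json.dumps({"alg": cfg["alg"], "typ": "JWT", "kid": kid}).encode())
    p64 = _b64url(json.dumps(claims).encode())
    sig = hmac.new(_b64url_decode(key["k"]), f"{h64}.{p64}".encode(), hashlib.sha256).digest()
    return f"{h64}.{p64}.{_b64url(sig)}"
```

Downstream, the resulting user model would feed the unchanged OAG JWT generation, so the id token itself never reaches the backend unless the configuration says otherwise.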

@Padi-owasp Does this make sense for you? Any improvement ideas?

gianlucafrei avatar May 06 '21 09:05 gianlucafrei

See Mail comments ;-)

Padi-owasp avatar May 07 '21 15:05 Padi-owasp

Hi Gian-Luca

I recently put something together on this for Oliviero (attached; I did not want to upload it to GitHub).

In general:

  • Yes, an «easy-login» for mobile apps is needed.

Best regards

Padi


Padi-owasp avatar May 07 '21 15:05 Padi-owasp