
Authentication using mobile apps

Open neokree opened this issue 2 years ago • 10 comments

Hello,

I was looking for a way to authenticate my IC identity on a mobile application (iOS/Android). From the documentation here it seems the authorisation flow is completely based on browser-only capabilities, and there isn't support for mobile applications yet. Am I wrong?

If it is, I would like to help with the requirements to make this possible. Opening up support for mobile apps would be really cool for games and a lot of other applications.

neokree, Jun 12 '22 14:06

Hi @neokree !

Yes, you're right, the auth flow is currently very browser-centric. We would really love to have a "redirect"-based flow (instead of sending messages between browser tabs), but right now there is no way to implement this in a secure way, as HTTP headers are not certified by the Internet Computer.

@frederikrothenberger is there a roadmap doc we can link to here?

nmattia, Jun 13 '22 10:06

Hello @nmattia!

Sorry, but I don't think I understood why certified HTTP headers are necessary here. Maybe with the roadmap doc I can see the challenge better.

From my point of view the authorisation should be done like in the OAuth2 flow for native apps, but there are some more challenges, since I already found out that the security capabilities that you are using on II aren't available in in-app webviews, which means that we need to open the browser to do the authorisation.

neokree, Jun 13 '22 12:06

Hi @neokree

> Sorry, but I don't think I understood why certified HTTP headers are necessary here. Maybe with the roadmap doc I can see the challenge better.

Unfortunately, there is no such document that I can link to. But see my explanation below.

> From my point of view the authorisation should be done like in the OAuth2 flow for native apps...

Yes, this is exactly what we are working towards. But the "OAuth2 flow for native apps" is based on redirects, i.e. it relies on the fact that an app can open II with additional URL parameters and that those parameters cannot be tampered with by an adversary (see https://datatracker.ietf.org/doc/html/rfc8252#section-4.1).

Unfortunately, this is currently not the case on the Internet Computer, because any single replica can be malicious and could send a redirect modifying the URL parameters instead of serving the II page as it's supposed to (this corresponds to the Authorization Server being malicious, which is not a scenario that OAuth 2.0 deals with). However, we can solve this problem by extending the HTTP asset certification to include HTTP headers, which is why @nmattia brought it up.

frederikrothenberger, Jun 13 '22 12:06

Just tried authentication with Chrome on iPhone. Worked very well, used biometrics. Not working in Safari though.

7flash, Jun 16 '22 09:06

If demos/using-dev-build is used to populate a replica and the replica's webapp frontend canister url (fronted by ngrok) is passed to ASWebAuthenticationSession then authentication seems to work on an iPhone running OS 15.6 in the Xcode development environment, though it does not return the authentication result to the caller. Is there an issue with this?

wombat888, Aug 06 '22 21:08

@wombat888 I'm not sure I understand. What is the setup exactly, is this running inside a webview? Is there any error thrown?

> it does not return the authentication result to the caller.

Do you mean that during the client authentication flow your client is able to initiate the authentication but never gets the window message with the authentication result?

nmattia, Aug 08 '22 08:08
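The "window message with the authentication result" mentioned above is the part of the browser-tab flow that a client must check carefully. As an added illustration that is not code from this thread or from Internet Identity, the handler below accepts a result only if the browser-supplied `event.origin` matches the II origin the app opened and the payload has the expected shape. The message kind strings, the field names and the sample events are assumptions constructed for the demo, not the real II protocol; the point is that the browser sets `origin` itself, which is what makes the tab-message flow trustworthy in a way that tamperable redirect parameters are not.

```javascript
// Added example (not Internet Identity's code): validating an authentication
// result received via window.postMessage before trusting it.

// Origin of the II window the app opened (assumed for this demo).
const II_ORIGIN = "https://identity.ic0.app";

// Assumed message shapes; the real II client protocol is not shown here.
const SUCCESS_KIND = "authorize-client-success";

// Returns the delegation payload if the message is trustworthy, otherwise null.
// `event` is expected to look like a browser MessageEvent: { origin, source, data }.
function acceptAuthResult(event, expectedSource, expectedOrigin = II_ORIGIN) {
  // 1. The browser sets event.origin; a page on another origin cannot forge it.
  if (event.origin !== expectedOrigin) return null;
  // 2. Only accept messages from the window we actually opened.
  if (expectedSource && event.source !== expectedSource) return null;
  // 3. Validate the payload shape before using any of it.
  const data = event.data;
  if (!data || typeof data !== "object" || data.kind !== SUCCESS_KIND) return null;
  if (!Array.isArray(data.delegations) || data.delegations.length === 0) return null;
  if (typeof data.userPublicKey !== "string" || data.userPublicKey.length === 0) return null;
  return { delegations: data.delegations, userPublicKey: data.userPublicKey };
}

// Constructed sample events standing in for real MessageEvents.
const iiWindow = { id: "ii-tab" };      // the window the app opened (stand-in)
const otherWindow = { id: "other-tab" }; // some other window (stand-in)

const goodEvent = {
  origin: II_ORIGIN,
  source: iiWindow,
  data: { kind: SUCCESS_KIND, delegations: [{ signature: "sig-bytes" }], userPublicKey: "pubkey-hex" },
};
// Same payload, but posted from a different origin: must be ignored.
const spoofedOriginEvent = { ...goodEvent, origin: "https://not-identity.invalid" };
// Right origin, but from a window the app did not open: must be ignored.
const wrongSourceEvent = { ...goodEvent, source: otherWindow };
// Right origin and source, but a failure message rather than a success.
const failureEvent = { ...goodEvent, data: { kind: "authorize-client-failure", text: "denied" } };

module.exports = { acceptAuthResult, II_ORIGIN, SUCCESS_KIND, iiWindow, goodEvent, spoofedOriginEvent, wrongSourceEvent, failureEvent };
```

In a real page this function would be called from a `window.addEventListener("message", ...)` handler with the `Window` returned by `window.open(...)` as `expectedSource`; the three checks in order (origin, source, shape) are what keep an unrelated tab or an injected frame from handing the app a delegation it did not ask for.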

I am calling ASWebAuthenticationSession from a Swift plugin in a Flutter app. The app does not explicitly create a webview. I haven't built a page that wraps the demo with the interface that the call expects, but it seems like it might work. Since the browser is invoked under Apple's control, it seems possible that the app would not need a special entitlement to access Web Authn. It felt prudent to see if the community saw any security issues before proceeding further, though.

wombat888, Aug 11 '22 01:08

Hi @nmattia, do you have updates on this issue? It would be really cool to have seamless integration with II from any device, native or web.

I think this would open the door to many use cases.

neokree, Dec 19 '22 08:12

Hi @neokree,

I think there's been a lot of progress in the direction of making HTTP headers (and redirects) certified. I think the design is done but still needs to be implemented. @frederikrothenberger will be able to tell you more once he's back from holidays!

nmattia, Dec 29 '22 09:12

Unfortunately, the initial design we had does not work in practice. We would need to invest some more research time to finalize the design; however, II research is very much tied up with attribute support, so it is unlikely that we will implement this soon.

However, there is an example dapp on how to do authentication for a native iOS app: https://github.com/dfinity/examples/tree/master/motoko/ios-notifications

I hope this helps!

frederikrothenberger, Jan 04 '23 12:01