Current situation
We have a very common system architecture with Spring Boot back-end and Angular front-end. For the mobile app we use Ionic, which basically uses same codebase as the front-end but adds additional features like biometrics etc.
User login is based on OAuth and access and refresh tokens are created once the user initiates the session. The access token has a short life span, where the refresh token is valid for a couple of days. As I said - very common auth flow.
What we want to achieve
Mobile app users should be able to login only once and then use the
app without the need to re-login every time the refresh token
expires.
For the "normal" front-end app refresh token expiration
policy should stay unchanged, meaning the user is forced to log in
again once the refresh token expires.
Possible solutions (from my perspective)
we pass an additional param to the login request specifying the client: web | mobile. If client is mobile refresh token validity is extended to expire in 1-2 years. Downside: this will break the whole idea of having tokens, that expire. I personally see this as a security issue.
we store credentials on mobile app local storage. Once we have session expiration, the app uses the credentials to re-authenticate. Downside: again I don't think this is a good idea having credentials stored on any device makes the flow vulnerable.
What I am looking for is kind of a best practice to solve this.
You are right, It's a security risk to have tokens that never expire or expire in a few years but they are used. Anyway, one thing you could do is to add a field in the refresh token endpoint that when you set it to true (defaults to false) it would also extend the lifespan of the refresh token. And you could periodically call that endpoint from your app. It should work even when It's in the background.
Or
If you wanna store the credentials in the local storage at least store them encrypted. You might need to create an endpoint that encrypts them because you should not have the private key in the mobile app. Then you'll probably need to create a custom authentication method that takes the encrypted credentials and compares them with the ones in the database.
Related
I've found plenty of information on implementing Oauth2 using a user authorization step, but I'm trying to run a container that automatically scrapes a gmail inbox for attachments transforms them, and exports to prometheus, and I'm having trouble figuring out how to implement this library: https://pkg.go.dev/golang.org/x/oauth2/clientcredentials#Config or any other for that matter to retrieve a token without involving a manual user step.
Will doing this in Go require writing direct API calls since I can't find an existing library to handle this scenario? Would it make more sense to create a Google App password and use generic user/pass SMTP authentication?
First off i understand what you are trying to do.
You have a backend system running in a container which will access a single gmail account and process the emails.
Now you need to understand the limitations of the API you are working with.
There are two types of authorization used to access private user data
service account - server to server interaction only works with workspace domains. No authorization popup required.
Oauth2 - authorize normal user gmail accounts, requires user interaction to authorize the consent screen
If you do not have a workspace account and this is a normal gmail user then you have no choice you must use Oauth2, which will require that a user authorize the application at least once.
Using Oauth2 you can request offline access and receive a refresh token which you can use to request new access tokens when ever you wish. The catch is that your application will need to be in production and verified, because your refresh token will only work for seven days and then it will expire. To fix this and get a refresh token that does not expire means that your application must in production and verified. This means you need to go though Googles verification process with a restricted gmail scope which requires third party security check and costs between 15k - 75k depending upon your application.
I understand that this is a single user system but that does not mean that you still need to go though verification. When google added the need for application verification they did not take into account single user systems like yours.
Option
Have you considered going directly though the SMPT server instead of using the Gmail api? If you use an apps password you should bypass everything by loging in using the login and the apps password.
I am using gapi.auth2.authorize to authorize people in my Google Photos API app but I cannont find a why to unauthorize or disconnect them from the app. What I have noticed though is that there is no way of using an old access token so that the user doesn't need to authorize.
How can I make the access token invalid?
Is it correct that every time the API is used the user has to authorize?
Thanks
How can I make the access token invalid?
Not possible to invalidate an access token, it will expire after 1h
You can check documenttation here
Is it correct that every time the API is used the user has to authorize?
Nope, you should ask users to authorize only once, using a refresh token that you can keep in your back-end, thus allowing your app to content on on users behalf all the time, until they revoke permissions
My question may be answered here, Are sessions needed for python-social-auth, but I feel as if I'd be making assumptions and would like to be positive regarding my understanding (NOTE: I'm not using django, I'm using mongo express react node, I'm guessing django might come with sessions built in or something). I followed this guide https://medium.com/hyphe/token-based-authentication-in-node-6e8731bfd7f2 to add token authentication and user login to my CRUD web app, works great, users are authenticated properly, routes are protected. However, everywhere I read about the fundamentals of session and session management states that "every web application in the world that maintains user data has to deal with sessions" (source: https://nodewebapps.com/2017/06/18/how-do-nodejs-sessions-work/). Currently, my react client uses setInterval to regularly check if the access token will expire soon enough to receive a new one via the refresh token. Is implementing sessions required for my app? If so, what is it that they add that I am missing?
It depends on the type of application.
If the resources being accessed using a token are not user specific, then sessions are not useful.
However, in a scenario where the resources are unique for different users (e.g. one has to sign in, etc), then it's wise to implement both sessions and access tokens.
Remember that tokens can also be saved within a session. Checkout 'express-session' to implement sessions in expressjs.
I'm developing a mobile app which will allow users to browse without signing up. I would like to have all my endpoints secured via token.
How would we go about allowing anonymous browsing? i.e. provide a token to anonymous users.
Not sure to understand your case, why do you need a token if your users aren't registered and your API opens to everyone?
The authentication system of Strapi has been built to only send token to registered users. However, the easiest way to make it work for you is to register every visitor coming in your app based on their IP or something unique as a username and set the same password for each one of them. Then, every time the user comes back, you can call the /auth/local URL to sign-in the user and get the token or use the token stored in the local storage.
I've integrated Spring Security OAuth in my JAVA backend so that my mobile Android application (using the Facebook Login SDK) can benefit from Facebook Login. In the current flow, the APP uses Facebook Login SDK to fetch an access token from Android, and then passes to the JAVA/Spring backend. Then, another OAuth access token (specific to our backend) is issued and sent back to the application.
I wish I could automate the testing, in other words being able to generate fresh Facebook access tokens. And then test the whole stuff into the access to resources on my backend. My entry point is a Facebook access token.
I've failed in generated on-the-fly access tokens, then looked into never expiring tokens, I could hard-wire in my tests.
However, I've failed in generating never-expiring tokens : at best, changing a short-lived token to a long-lived token returns a token valid for 2 months only.
I've also tried https://www.facebook.com/dialog/oauth?client_id=xxxxxxxxxxxxxxx&redirect_uri=http://www.xxxx.com&granted_scopes=email,public_profile , but this only works when my cookies are available (only works from my web browser).
Also tried getting a device code, but I was stuck at the point where I had to "simulate" the user submitting the code into the web form.
Is there a known way to automate the testing ?
As #The1Fitz explained, "you cannot get a never expiring token anymore. You will need to make do with the maximum 2 month expiry date."