Cookies in MS Teams Tab application - microsoft-teams

I've been trying to work out authenticating users into my app, which is running inside a MS Teams Tab application, and I'm having issues in mobile.
To authorize requests in the application, we just need to have a cookie in place that the server sets when the user authenticates. So for this to work inside Microsoft Teams, I've been trying to just send the token to the iframe and set the cookie. Everything works pretty well on web and desktop, but on mobile (I've tested only with iOS so cannot really tell about Android), the cookie doesn't work at all.
I've tried to set some test cookies and read them, and it doesn't work. So my question is if there is a way to work with cookies in mobile? Is it an issue on my end or has it been disabled in the web view that loads the tab? Is there a way around it or any suggestion that would help solve my problem?
Thanks for the help!

Related

Google oauth with custom URI-scheme redirect_uri using system browsers

Google just changed their OAuth model to the new specification:
Modernizing OAuth interactions in Native Apps for Better Usability and Security
I am trying to follow (specifically section 7 of) the IETF "draft-ietf-oauth-native-apps-09" linked in the above blog, and also this reference from Google:
OAuth 2.0 for Mobile & Desktop Apps
The issue I have encountered is that the custom URI-scheme behavior varies across browsers, and in some cases does not work as expected. In Firefox, which may be the default system browser, the app actually opens inside Firefox, embedded - it does not return to the app, it embeds the app in the browser, while the app from which the authentication flow was started remains open.
In Chrome, it correctly redirects back to the app; however, the Chrome page with the authentication confirmation page remains open and does not close, which could be confusing to users.
How can I make sure that the OAuth provider will always redirect to my app (without the browser embedding it), and close the tab or window which had the authentication flow open?

How to integrate google contacts api in node webkit

I need to integrate Google contacts import in my nw.js app. How should I create the Google app? When I create the app as a web app, it asks for a redirect URI, which is not available for desktop apps. I'm not clear about how to implement Google integration for desktop apps. Can anyone help me with this?
There is an option in OAuth for desktop applications: instead of http://domain you redirect to app://something, and your application will be started or receive a callback.
To do this, in your application you need to open the request token URL in a new window (a new window in your node-webkit app).
Also: google docs and node-webkit github issue and other issue about this.
For me, I thought it would be better to open the default browser; there is a high chance that the user is already authenticated and then just needs to click "allow". So I start a simple webserver inside the node-webkit app and redirect to localhost.
You can see the implementation in my project https://github.com/Paxa/postbird/blob/90cfb53b1775310eb2f262c8b54c9dba15b5cc0a/app/heroku_client.js#L185
To open the default browser I use the command "open" (only for Mac):
child_process.spawn('open', [url]);
I also try to close the browser window when the user is redirected back; it works, but not always.
response.writeHead(200, {"Content-Type": "text/html"});
response.end("<script type='text/javascript'>window.close();</script>");
Maybe I should also make the window active when I receive the redirect back (didn't try it yet):
// node-webkit exposes its GUI API as the 'nw.gui' module
var currentWin = require('nw.gui').Window.get();
currentWin.focus();
If Google does not allow localhost as a callback URL, you can try to use some domain (even a free one) and point it to 127.0.0.1, or use http://readme.localtest.me/
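The loopback-redirect approach described in the answer above, as an added Node.js example that is not part of the original answer or of the linked project. It goes slightly beyond the answer by binding the listener to 127.0.0.1 on an ephemeral port and by checking a per-request `state` value and generating a PKCE challenge; `authEndpoint`, `clientId`, the `openBrowser` callback and the `/callback` path are assumed placeholders.

```javascript
const http = require('node:http');
const crypto = require('node:crypto');

// Added example: authEndpoint, clientId and the /callback path are assumed placeholders.
// Returns the URL to open in the system browser plus the secrets the app keeps in memory.
function buildAuthRequest(authEndpoint, clientId, port) {
  const state = crypto.randomBytes(16).toString('base64url');
  const verifier = crypto.randomBytes(32).toString('base64url');
  const challenge = crypto.createHash('sha256').update(verifier).digest('base64url');
  const url = new URL(authEndpoint);
  url.search = new URLSearchParams({
    response_type: 'code', client_id: clientId,
    redirect_uri: `http://127.0.0.1:${port}/callback`,
    state, code_challenge: challenge, code_challenge_method: 'S256',
  }).toString();
  return { url: url.toString(), state, verifier };
}

// Classify one request hitting the listener. The state check (constant-time) rejects
// anything that was not produced by our own authorization request.
function handleRedirect(requestUrl, expectedState) {
  const u = new URL(requestUrl, 'http://127.0.0.1');
  if (u.pathname !== '/callback') return { status: 404 };
  const got = Buffer.from(u.searchParams.get('state') || '');
  const want = Buffer.from(expectedState);
  if (got.length !== want.length || !crypto.timingSafeEqual(got, want)) {
    return { status: 400, error: 'state_mismatch' };
  }
  if (u.searchParams.has('error')) return { status: 400, error: u.searchParams.get('error') };
  const code = u.searchParams.get('code');
  return code ? { status: 200, code } : { status: 400, error: 'missing_code' };
}

// Listen on the loopback interface only, on a port chosen by the OS, and stop after
// the first request that carries the expected state.
function waitForCode(authEndpoint, clientId, openBrowser) {
  return new Promise((resolve, reject) => {
    let auth;
    const server = http.createServer((req, res) => {
      const r = handleRedirect(req.url, auth.state);
      res.writeHead(r.status, { 'Content-Type': 'text/plain', Connection: 'close' });
      res.end(r.code ? 'Signed in. You can close this tab.' : 'Sign-in not completed.');
      if (r.status === 404 || r.error === 'state_mismatch') return; // keep listening
      server.close();
      r.code ? resolve({ code: r.code, verifier: auth.verifier }) : reject(new Error(r.error));
    });
    server.listen(0, '127.0.0.1', () => {
      auth = buildAuthRequest(authEndpoint, clientId, server.address().port);
      openBrowser(auth.url);
    });
  });
}
```

The resolved `code` and `verifier` are what the app would send to the provider's token endpoint; that exchange is not shown here.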

iOS Android login form

I want to make a hybrid app for iOS and Android by wrapping the MVC4 mobile website into WebView/UIWebView. However, I want the login screen to be a native view.
How can I submit the username and password to my MVC4 controller, where I can check them in the database and, after authenticating, redirect the user to another page? Notice that I have implemented a login form on the MVC web site also.
Should I use an ajax call from the mobile app? Can you provide some code example/tutorial/video?
That might be a problem because MVC is going to make some session cookies with tokens in them. So even if you were to get logged in using some kind of ajax call, or by setting headers and data and posting to the login process, you still need to make sure that those tokens and cookies get set and are usable by the WebViews.
I am not saying it can't be done just that it might be difficult.

Login screen sometimes appears if user uses back button then clicks link

Sometimes, the login screen will appear if the user clicks the back button and then chooses another link, instead of the content that should be displayed. It's like the application suddenly thinks the user is not authenticated. The user then has to re-authenticate to continue browsing. This happens while the user is actively browsing, so no timeout should occur, and after authenticating, the content is shown (so it's not an authorization problem).
This problem is unfortunately quite difficult to reproduce. The user who has experienced the problem most often is using Windows XP with IE 7, but the problem has also appeared with Windows XP and IE 8. I can't seem to reproduce the problem on Windows 7 with IE 9 or Chrome 18, but because the problem is difficult to reproduce, I can't say confidently that the problem is browser or browser version dependent.
Our ASP.NET MVC 3 app uses Forms Authentication with role information stored in a SQL Server database, and membership information in Active Directory. Hosting environment is IIS 7.5 on Windows 2008 R2.
Has anyone else seen this problem, and know of a workaround?
On the server, I guess that you are using a custom IPrincipal which you need to reattach to the request thread for each request? Are you doing this in an HTTPModule or in global.asax? What page event are you hooking into to authorize the thread?
I have noticed differences in authentication being available in different runtime contexts dependent on which event I use. I now always use OnAuthorizeRequest and check that application.Context.User != null.
But the symptoms you are describing sound more like the authorization cookie is missing from the request intermittently.
Add some debug logging for each request and monitor cookies and authorization to see if you can detect the conditions that cause it.

Content Advisor - Loses Sessions

We have a client that wants to lock down their PCs to only use our web application.
So I've enabled Content Advisor to only access this site. However, it seems to lose the login session and keeps throwing the user back to the login screen. When I disable Content Advisor the app runs as it should.
Has anybody experienced this before, and can anybody help me solve this?
The PCs are Windows XP using IE8.
Cheers
