We want to use a technical user in a mobile application (iOS). This user needs to access MS Graph API.
I currently find no method to acquire a token from mobile without any UI interaction.
Is there any way we can achieve this is a clean way?
In the case of devices and operating systems (e.i. IoT) that do not provide a web browser, you can use the device code flow, which lets the user use another device (computer or mobile phone) to sign-in interactively. Here's more info on using device code flow with msal.
Using a mobile device, which is a public client, has many ways of acquiring a token (including silently, assuming a token is already in the cache), most of which involve a UI. Public clients are run on devices or desktop machines and are not trusted to safely keep application secrets. Here's more information on public client applications for msal .NET, which supports Xamarin iOS.
Related
I am trying to make a desktop application with Twitch API and Google API.
Since this application requires Twitch user permission, a user needs to authorize my application through twitch's OAuth and I think there's no way to omit this process.
Now, I want to add some functionalities from Goole APIs, for instance TTS.
My application will be installed and run on user's local machine,
it cannot store API key or credential information safely.
I think I have three options:
Add Google OAuth: This is most safe way, I think, but I don't think I can convince users to authorize another Google account even though they already authorized their Twitch account.
Make a kind of proxy server which verifies request for Google API using twitch authentication information and relays request to/response from Google API. This seems feasible but it requires additional payment to running server for sending data from Google API. I already have to pay for TTS service, another payment for proxy server which sends binary data frequently would be a financial burden for me.
Make a server to acquire API key for Google API. This also requires additional server, but it does not involve lots of traffic because application will access Google API directly once API key acquired. However, I concern that the API key may be easily stolen using monitoring tool such as wireshark.
Which method should I use here, and how can I improve it?
Or, is there better way for this case?
The common way to push notification is get the token from client side, and then pass this token to the server side, finally server use this token to send any notification user want. But for test purpose, there is no actually client device, how to get the mock token from server side?
#mohax's answer is correct. I'd like to add a little more:
You cannot get push token without client device request for token. But you can use HMS Toolkit or Cloud Debugging to test your app.
For Huawei emulator on Android Studio, you can install HMS Toolkit. As a lightweight IDE tool plugin, HMS Toolkit implements app creation, coding, conversion, debugging, test, and release. HMS Toolkit provides Cloud Debugging for you to perform 24/7 uninterrupted testing on your app running on remote real devices. With this function, you can learn about the running status of apps on Huawei devices anytime and anywhere even if no device is available, device types are not completed, or an error cannot be reproduced.
Cloud Debugging can be used on a single device for 2 hours each time. Before the validity period expires, you can release the device and apply for the device again.
For more detail about the guidance of how to use HMS Toolkit and cloud debugging,You can also refer this link.
WhatsApp just announced a new web application see here.
For some reason, the interface requires the phone to be connected all the time. Is it for performance reasons (not to create additional load on their current servers)? Is there any other constraint that cause that?
The official explanation:
Your session on WhatsApp Web is an extension of WhatsApp on your
phone. WhatsApp Web connects to your phone to sync messages, thus you
can see all messages on both devices. Thus, the first requirement to
being able to use WhatsApp Web is an active WhatsApp account on your
smartphone.
Source: https://www.whatsapp.com/faq/en/web/28080002
As you may know your Whatsapp history is only being stored in a database on the phone itself. To see that history in your web browser, it needs to get it from the phone. Whatsapp could have redesigned it, so that everything is stored in the cloud (as many competing messaging apps do). But that seems to be against their philosophy. They keep it tighly coupled to a (one) phone. As you may know you cannot install Whatsapp on multiple phones using the same account. The web interface is just a remote for Whatsapp running on your phone.
And even though I don't know for sure, I think it's more secure too. It wouldn't surprise me if the data that's sent between the web app and the phone is encrypted in a way that even Whatsapp themselves cannot decrypt. Maybe the QR code is generated client-side (in the browser) and by scanning it using the app there is no need to exchange the keys through Whatsapp's servers. That way they don't ever get the encryption keys and will not be able to inspect the data that gets routed through their servers.
Note: Of course Whatsapp could at any time change their implementation of both the app or the web app and enable eavesdropping.
I'm about to finish an app that will run on Windows Phone and Android. It uses an azure web API and push notification service.
I was wondering if there is any standard or recommended way of protecting the 'signup' or 'register' functionality within an app like this? I note that some popular apps like snapchat will send you a text to verify the registration process. That would be ideal but obviously seems unfeasible for a modest app such as mine :-)
Can anyone enlighten me to some common ways to protect the 'register' functionality of a mobile app?
Thanks for any help!
Azure provides feature sets like Azure Mobile Services that provide authentication features that you can use in your Windows Phone apps. I doubt the authentication Azure Mobile Services uses is restricted to just Azure Mobile Services, but more information on getting started with this authentication can be found here:
http://azure.microsoft.com/en-us/develop/mobile/resources-wp8/#header-2
How are people handling the distribution for Enterprise apps on WP7?
I have an app that is real basic and only has some static info, but I don't want to put it in the Public Market with the Hidden option enabled because that doesn't seem secure enough. It seems like if there was a way to verify that the user has a company email account setup on the phone on startup that would unlock the app, but I dont think thats possible.
There's currently no features in assisting for enterprise apps. You'll have to verify the authenticity of the user in your application, by requesting credentials, or requiring the application to be on a company network (or visa versa).
As for distribution, hidden publication is the only real option you have, as beta-distribution is limited to a few accounts.