AWS Cognito keep authenticated session in web view - javascript

We have a native Android app where we are using the the latest version of the Cognito SDK to authenticate the user.
The problem we have is that the Android app uses a Web view and in this web view we will need to fetch the current cognitoUser with its authenticated session.
We are using the latest Cognito javascript sdk in the web view.
How do we share the auth between 2 clients that uses the same user pool?
Update 04/10-2017
I managed to bypass this by sending everything Cognito related i had in my local storage as query string parameters. Then "in" the webview i saved the settings to that local storage.
It is not right but it works ;)

I believe this is not possible. The web-view has its own storage that is not shared with the device storage.
So the user context - users tokens, login state etc - is not shared between the webview and the Android SDK on the device

I have now been in contact with persons that are experienced working with Cognito.
The judgment was that we can bypass this by sending all Cognito related values as query parameters to the application behind the web view.
The application in handling the web view will then take all those values and save them to local storage.
Problems I had:
I found out that if you have multiple Clients you will have to pass the clientId of the application behind the web view.

Related

How to allow multiple login from one platform

I hope you are doing well!
We are working on a project that consists of 3 projects/websites. It's basically something like a Management Platform for the resources, a Platform to display information and updates, and a Platform to manage both those platforms. (Something like Office365 and PowerPoint, Word, Excel where Office365 is the main application between them).
In our project, we want to integrate a navigation drawer in which the user can navigate to the different application from our 3 websites without having to re-login. In this case it would be easy. However, would there be a way that if the user access the other website from the browser (ex:"www.exameplwebsite.website2.com") we login the user directly if he was already logged in to a previous application from ours?
We thought about local storage however the local storage and cookies accessible depend on the domain we are accessing.
Is there a way to make this happen? Or would using a navigation drawer the only way possible?
(For context we will be using ReactJS)
I think it wouldn't be that hard with JSON Web Token (JWT) for authentication. When you redirect the user from one site to the other do it with a post request and include a JWT token in it. The new site can capture that token and send the token to the browser and the browser can catch it and saves it into its own localstorage.
I can think of two solutions ->
Use micro frontends (Recommended)
If all three apps have different domain names (app1.com, app2.com, app3.com) then you're right you cannot share any token using cookies and local storage.
Here, You can take the login/signup pages and the navigation drawer into one parent app and load all your other apps using micro frontends.
Use SSO
SAML and OIDC are made for this specific purpose but this is a very complex topic. Basically, your users will need to log in once(at someplace like google or OneLogin or your own identity server)

Is it possible for a webapp to access a native Android app's sqlite db?

I really need to get an imei number to my webapp to register the device. I have made a simple native Android app that gets the imei and was hoping to put the number somewhere locally on the device that the web app could then come and check for.
I can put the imei in an sqlite db ok from the Android side of things, but not sure if I can access that specific info from the webapp.
Would there be a better way to achieve this?
Sqlite db created by a native app is sandboxed for access by other applications. So you cannot do what you are trying to do.
Add your web application as a webview along with your app that provides you the imei number. Then your webview will have access to the sqlite db or the IMEI number directly.
If you are trying to authenticate the device using IMEI info then it will be a wrong approach as this information can be easily faked. At the most IMEI should be used as a username and not as a password.
a quick hack
Use the native app to get the imei.
From the app Generate a URL like this www.yourdomain.com/'Replace_with_IMEI_NUMBER'
Once the user clicks with some client side server side coding you
can store the received IMEI number in the browsers Local storage.
The next time your web app is opened you will get access to the local storage which contains the imei number.
But once the local storage is cleared this step has to be repeated.
I do not think you can access the db application Android. But you might save the imei in a DB to be questioned later.

Authenticated users with both Android and web (JavaScript)

I try to sync data for a Cognito authenticated user using the new User Pool.
From what's suggested here:
"Note that the generate client secret box must be unchecked because the JavaScript SDK doesn't support apps that have a client secret."
On the other hand for Android only apps with a client secret are supported.
So I added 2 apps to the User Pool, one with a client secret and one without it.
However, in the Identity Pool I can only add one App Client ID as an authentication provider.
So I get: "com.amazonaws.services.cognitoidentity.model.NotAuthorizedException: Token is not from a supported provider of this identity pool." when trying to use an authenticated token for the Android app.
Am I doing it right, or am I missing something?
Thanks!
Figured it out.
It is possible to add multiple (up to 100) apps or "audiences" to an OIDC provider through the IAM as explained here
So I set up the OIDC and added it as the authentication provider to the identity pool.
Since you already worked out a solution, one additional thought:
On the other hand for Android only apps with a client secret are supported.
The Android SDK for Cognito User Pools should allow you to handle apps without a secret, you should be able to just set that value to null. Check out the sample app for more details, if you are interested.

Maintain login state om chrome packed app

I am creating chrome app, I would like my users to login or create a user when they first enter the application.
The goal:
Maintaining login state on chrome packed app.
The problem:
Cookies - Chrome packed app have no cookie API, meaning that "document.domain" exists,
But you can't set cookies, at least not using http request.
Extension- There is not access to browser extensions (for a non-sandbox pages)
Couldn't think on other solution, Any idea?
You could store the session id in the application storage via chrome.storage.local.set chrome.storage.local.get methods.

Azure Website Single Sign On accessing Azure Mobile Service from Azure Active Directory as User

I have an ASP.NET MVC website deployed as Azure website (called website). That website has a section that needs authorization. I already have set up Windows Azure Active Directory (WAAD) to protect access to that section. Once that protected section has loaded, it will load a Javascript app that allows integration with the Azure Mobile Service.
I also have a separate Azure Mobile Service that I use for data storage (called mobserv). I want to access mobserv table and api endpoints from website. I am using the .NET backend for Azure Mobile Services.
Of course, I need to protect those mobserv endpoints using [AuthorizeLevel].
Tutorials show how to do this when I want to authenticate as Application (using [AuthorizeLevel(AuthorizationLevel.Application)]) - just add a reference to the proper Javascript Client (MobileServices.web-1.2.5.js), provide mobserv app id and token. CORS is set up to allow interaction. So far, so good.
But now, I want to protect certain endpoints using [AuthorizeLevel(AuthorizationLevel.User)]. So now, the request has to be authorized as User. Since the website already has been protected by WAAD, I do not want the client to perform a new sign in for the javascript client - I want to reuse the current WAAD authentication headers to have a Single Sign On Experience, so that mobserv will recognize the user.
I have not found any hints on how to do this. Tutorials only show application level auth against mobserv or using explicit login dialogs.
Does anybody have a clue how to do this?
Following up on vibronet's post, Mobile Services does support HTTP POST of an access token, but the access token must specify the audience as your mobile service. So a token issued for your website will not work on its own. You will need to transform it through one of the AAD flows.
So in AAD, you need you have two web application registrations, one for your web site and one for the mobile service. On the mobile service registration, you would need to define permissions that can be exposed to the other resource. The first section of the Mobile Services + ADAL tutorial ("Register your mobile service with the Azure Active Directory") walks you through this. Then, instead of registering a native client app which accesses that permission, you would go to your web site registration and configure the access there.
Once you have an AAD token for your website, you can leverage this permission to get a token for the mobile service. This can best be accomplished using an on-behalf-of flow in the Active Directory Authentication Library (JS or .NET, depending on where you want to do things). The AAD team has a nice sample on how to do this, and mobile services also has a tutorial which might be helpful, although it does mobile service access to SharePoint Online as opposed to web site access to a mobile service)
Then you can send the token to your mobile service using the "client flow" method, as described in "How to: Authenticate Users" for the HTML/JS SDK. For AAD, the call will look something like:
client.login(
"aad",
{"access_token": "<TOKEN-FROM-AAD>"})
.done(function(results){
alert("You are now logged in as: " + results.userId);
},
function(error){
alert("Error: " + err);
});
The user will not see any new UI, but they will be logged in, and subsequent calls from the SDK will be authenticated.
It might also be easier to do this from your MVC backend. I believe you can get the access token from the ClaimsIdentity, and then you can just use the Mobile Services .NET client SDK to do the login action and facilitate calls from the MVC site to your mobile service:
JObject payload = new JObject();
payload["access_token"] = "<TOKEN-FROM-AAD>";
MobileServiceUser user = await App.MobileService.LoginAsync(MobileServiceAuthenticationProvider.WindowsAzureActiveDirectory, payload);
token reuse 'as is' cannot be achieved given that the tokens you get for website are scoped to your app and should be rejected if forwarded to any other resource. From the AAD perspective there are various flows that would allow you to trade in your original token for a new token meant to be used with a web API - all without requiring any new action from the user. However your scenario includes some Mobile Services specific moving parts, hence I am not sure how that would apply here. I am flagging this post for the Mobile Services guys, hopefully they'll be able to chime in.

Categories