What is the best and secured way to store authentication token in web and mobile application ?
In the mobile store the token using the UserDefault in iOS and SharedPreference in Android. Likewise in the web use cookies to store data.
Reference for UserDefaults: https://www.hackingwithswift.com/example-code/system/how-to-save-user-settings-using-userdefaults
Reference for SharedPreference: https://www.hackingwithswift.com/example-code/system/how-to-save-user-settings-using-userdefaults
Reference for cookies: https://www.tutorialspoint.com/javascript/javascript_cookies.htm
Related
I am a beginner when it comes to authentication.
I recently created a login screen using ADB2C's custom policies.
I believe a token is issued at that time, where is it stored?
cookie?localStrage?
I'm sorry for my ignorance, but please let me know.
It depends on the application type - did you develop a single page app[SPA], asp.net app, or windows WPF? Based on the client side library it will be stored - in case of browser based app, it will be in cookies or localStorage. For instance, if you used MSAL angular module in angular app, then the value of cacheLocation when you called PublicClientApplication method determines it.
I have a Xamarin forms mobile application that is accessing my app service up in azure. I want to secure the APIs so that only my client application can access them. The mobile app does it's own user/password authentication/authorization, so I don't need AD or a 3rd party for that. I just want to secure my APIs. All examples I can find seems to assume there is an AD user authenticated and I can pass a token from that. Is there a simple way to use the Azure "expose api" functionality without using an AD user? The mobile app is using REST api calls, so I'm also struggling with how to even pass in a proper authentication token if I can put one together. Thanks in advance.
One way to secure is adding an API Management in front of your API's and require subscription, then only calls with a specific ocp-apim-subscription-key will be accepted. I don't recomment storing the ocp-apim-subscription-key value in your app as anytime you need to change it, a new version of the app will be required. I recommend returning it after a succesful login by your users, this way, you're free to rotate the ocp-apim-subscription-key key when needed.
Since you are trying to validate the client application only and not the end user, you should either look into OAuth 2.0 - which has a more complex implementation since it encompasses both application and end user authentications - or you could set up JWT authentication which is simpler and which purpose is to authenticate either client applications or end users, not both at the same time like OAuth.
After your implement the authentication on your API(s), you send over the generated token(s) over a Authentication header on your Requests.
I am building a Flutter For Web Application that needs to store the credentials in a secure way, to allow the user to automatically login, how can i achive this?
In typical web applications (whether flutter_web or not), it is not wise to actually store the user's password in the browser in a cookie or in html storage. One technique some use is to have a persistent cookie that stores the username and a temporary authentication token of some kind that is encrypted with a private key. The authentication token is temporary but exists on the user record in the database and can be used during the time it is allowed to be valid in place of the user's password. This way the user's credentials aren't persisted in the web browser - only the username and the token in an encrypted, persistent cookie.
From what appears to be in the dev preview of Flutter web is that it produces web applications, and I am assuming that standard web development techniques for user security for any and all web applications should be used.
You can use this package
Seems to me it supports both web and android
https://pub.dev/packages/password_credential
Is there any way to keep server side sessions in node js for requests coming through mobile applictions, Or it is in a way compulsory to use other methods like jwt?
As we do in Web applications, i.e Store the user information in the session on login and use the same information for later api calls.
Yes, there is and the simplest solutions is to use JWT, you can implement jwt authentication in you node.js server with any approach you want like: passport-jwt, express-jwt,... or even yourself with just jsonwebtoken npm package.
then for keeping mobile application authenticated with server, store the jwt token in mobile local storage and when app is opened just check the storage for if the token is exist or not and when there is jut add the token to the header and practically your mobile app keep a seesion open with server.
and for more information about jwt i ask a question about difference between session and cookie that might help you:
Authentication: JWT usage vs session
I'm trying to build a mobile app that has a login functionality with an ASP.NET web api, and I need to implement the token based authentication,
what I need is, as a first time the user login using username and password, a new token will be generated with expire date along with a refresh token, I'm thinking of the refresh token because the user doesn't have to login every time the token expires,
the token is saved in the mobile device and in the database, so with each request, sends the token whether in the request header or with the posted data,
I don't exactly know how the token based authentication works in terms of sending the token encrypted or hashed to the user and processing the request in the server
Edit:
an attacker in the middle can just read the token and start sending requests to the server using the token. I mean he doesn't need to know what the token actually means.
I created a class that has these properties (UserID,Token, RefreshToken, ExpiryDate), but I read that it is not a good approach,
I'm using AES for encryption and SHA256 for hash
Thank you for you help,
Please see the following articles in order to understand how token based authentication works in ASP.NET Web API.
http://www.codeproject.com/Tips/821772/Claims-And-Token-Based-Authentication-ASP-NET-Web
http://bitoftech.net/2014/06/01/token-based-authentication-asp-net-web-api-2-owin-asp-net-identity/
Search OpenID and OpenID Connect specs, they will tell you exactly how the tokens should work in your case (non-confidential implicit client flow). You can add OpenID endpoints easily to your asp.net web api if you don't want to use an external openid server.