Authentication using mobile apps #680
Comments
|
Hi @neokree ! Yes, you're right, the auth flow is currently very browser centric. We would really love to have a "redirect"-based flow (instead of sending message between browser tabs) but right now there is no way to implement this in a secure way, as HTTP headers are not certified by the internet computer. @frederikrothenberger is there a roadmap doc we can link to here? |
|
Hello @nmattia! Sorry but I don't think I understood why a certified HTTP headers is necessary here.. Maybe with the roadmap doc I can see the challenge better. From my point of view the authorisation should be done like in the OAuth2 flow for native apps, but there are some more challenges since I already found out that the security capabilities that you are using on II aren't available in in-app webviews, which means that we need to open the browser to do authorisation |
|
Hi @neokree
Unfortunately, there is no such document that I can link to. But see my explanation below.
Yes, this is exactly what we are working towards. But the "OAuth2 flow for native apps" is based on redirects, i.e. it relies on the fact, that an app can open II with additional URL parameters and that those parameters can not be tampered with by an adversary (see https://datatracker.ietf.org/doc/html/rfc8252#section-4.1). Unfortunately, this is currently not the case on the Internet Computer, because any single replica can by malicious and could send a redirect modifying the URL parameters instead of serving the II page as it's supposed to (this corresponds to the |
|
Just tried authentication with Chrome on iPhone.. worked very well.. used biometrics.. not working in Safari though.. |
|
If |
|
@wombat888 I'm not sure I understand. What is the setup exactly, is this running inside a webview? Is there any error thrown?
Do you mean that during the client authentication flow your client is able to initiate the authentication but never gets the window message with the authentication result? |
|
I am calling ASWebAuthenticationSession from a Swift plugin in a Flutter app. The app does not explicitly create a webview. I haven't built a page that wraps the demo with the interface that the call expects, but it seems like it might work. Since the browser is invoked under Apple's control, it seems possible that the app would not need a special entitlement to access Web Authn. It felt prudent to see if the community saw any security issues before proceeding further, though. |
|
Hi @nmattia, do you have updates on this issue? I think this would open the door to many use cases |
|
Hi @neokree, I think there's been a lot of progress in the direction of making HTTP headers (and redirects) certified. I think the design is done but still needs to be implemented. @frederikrothenberger will be able to tell you more once he's back from holidays! |
|
Unfortunately, the initial design we had does not work in practice. We would need to invest some more research time to finalize the design, however II research is very much tied up with attribute support so it is unlikely that we will implement this soon. However, there is an example dapp on how to do authentication for a native iOS app: https://github.com/dfinity/examples/tree/master/motoko/ios-notifications I hope this helps! |
and others
Hello,
I was looking for a way to authenticate my ic identity on a mobile application (iOS/Android).
From the documentation here it seems the authorisation flow is completely based on browser only capabilities, and there isn't a support for mobile applications yet. Am I wrong?
If it is I would like to help with the requirements to make this possible, opening to mobile apps support would be really cool for games and a lot of other applications
The text was updated successfully, but these errors were encountered: