Open gianlucafrei opened 3 years ago
@Padi-owasp Does this make sense for you? Any improvement ideas?
See Mail comments ;-)
Hi Gian-Luca
I recently put something together on this for Oliviero (attached; I didn't want to upload it to GitHub).
In general:
Best regards
Padi
From: gianlucafrei Sent: Thursday, 6 May 2021 11:30 To: gianlucafrei/Application-Gateway Cc: Padi Steger (OWASP Switzerland); Mention Subject: Re: [gianlucafrei/Application-Gateway] Authentication for Mobile Apps (#81)
For mobile apps, a cookie-based session mechanism is cumbersome to implement. Also, in contrast to a web browser, a mobile device can store a long-term credential. Therefore we need a mechanism to support mobile apps and other clients capable of a persistent login (e.g. mobile apps, native applications, external clients).
Proposal: We add support for pass-through authentication without any user session.
OIDC
GitHub (OAuth2 but not OIDC)
Implementation
The login driver interface gets an additional method
checkPassthroughAuthentication(HTTPRequest)->UserModel
that is called if no session cookie is found. If the method returns a UserModel, that user is used for the request. If the method returns null, the request is anonymous. If an InvalidAuthenticationException is thrown, the request is blocked.
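The dispatch rule above, as an added Java illustration that is not the project's own code: a sample login driver that checks a long-term bearer token presented by a mobile app, and the gateway-side decision that falls back to the driver only when no session cookie is present. `HTTPRequest`, `UserModel`, `InvalidAuthenticationException` and `checkPassthroughAuthentication` are the names from the issue text; `LoginDriver`, `BearerTokenDriver`, `authenticate`, `Decision`, the cookie name `session` and the token table are assumptions constructed for this example.

```java
import java.util.Map;

// Added illustration of the pass-through dispatch rule from the issue; not the gateway's code.
// Names other than checkPassthroughAuthentication, HTTPRequest, UserModel and
// InvalidAuthenticationException are assumptions made for this example.
public class PassthroughAuthExample {

    // Minimal stand-ins for the gateway's request and user types (assumed shapes).
    record HTTPRequest(Map<String, String> headers, Map<String, String> cookies) {}
    record UserModel(String id, String provider) {}

    static class InvalidAuthenticationException extends Exception {
        InvalidAuthenticationException(String msg) { super(msg); }
    }

    // The login driver interface with the proposed additional method.
    interface LoginDriver {
        UserModel checkPassthroughAuthentication(HTTPRequest request)
                throws InvalidAuthenticationException;
    }

    // Outcome of the gateway's decision for one request.
    enum Outcome { SESSION, AUTHENTICATED, ANONYMOUS, BLOCKED }
    record Decision(Outcome outcome, UserModel user) {}

    // Example driver: accepts a long-term bearer token issued to a mobile app.
    // The token table is constructed for this example; a real driver would validate
    // the token against the identity provider (e.g. an OIDC access token) instead.
    static class BearerTokenDriver implements LoginDriver {
        private final Map<String, UserModel> tokens;
        BearerTokenDriver(Map<String, UserModel> tokens) { this.tokens = tokens; }

        @Override
        public UserModel checkPassthroughAuthentication(HTTPRequest request)
                throws InvalidAuthenticationException {
            String auth = request.headers().get("Authorization");
            if (auth == null) {
                return null; // no credential presented: the request stays anonymous
            }
            if (!auth.startsWith("Bearer ")) {
                throw new InvalidAuthenticationException("unsupported Authorization scheme");
            }
            UserModel user = tokens.get(auth.substring("Bearer ".length()).trim());
            if (user == null) {
                // A credential was presented but is unknown or expired: block the request
                // rather than silently downgrading it to anonymous.
                throw new InvalidAuthenticationException("unknown or expired token");
            }
            return user;
        }
    }

    // The rule from the issue: session cookie first; otherwise ask the driver.
    // UserModel -> authenticated, null -> anonymous, exception -> blocked.
    static Decision authenticate(HTTPRequest request, LoginDriver driver) {
        if (request.cookies().containsKey("session")) {   // cookie name is an assumption
            return new Decision(Outcome.SESSION, null);   // existing session handling applies
        }
        try {
            UserModel user = driver.checkPassthroughAuthentication(request);
            return user == null
                    ? new Decision(Outcome.ANONYMOUS, null)
                    : new Decision(Outcome.AUTHENTICATED, user);
        } catch (InvalidAuthenticationException e) {
            return new Decision(Outcome.BLOCKED, null);
        }
    }

    public static void main(String[] args) {
        // Constructed token table: one long-term token mapped to one user.
        LoginDriver driver = new BearerTokenDriver(
                Map.of("tok-app-123", new UserModel("alice", "oidc")));

        var withToken = new HTTPRequest(Map.of("Authorization", "Bearer tok-app-123"), Map.of());
        var noCredential = new HTTPRequest(Map.of(), Map.of());
        var badToken = new HTTPRequest(Map.of("Authorization", "Bearer nope"), Map.of());
        var withCookie = new HTTPRequest(Map.of(), Map.of("session", "abc"));

        System.out.println("valid token:   " + authenticate(withToken, driver).outcome());
        System.out.println("no credential: " + authenticate(noCredential, driver).outcome());
        System.out.println("bad token:     " + authenticate(badToken, driver).outcome());
        System.out.println("session cookie:" + authenticate(withCookie, driver).outcome());
    }
}
```

One design choice worth noting: the driver returns null only when no credential is presented at all. A credential that is presented but fails validation raises the exception, so a malformed or revoked token blocks the request instead of quietly falling through to anonymous access, which would otherwise mask client misconfiguration and token-revocation failures.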