On Fri, Jan 4, 2013 at 2:57 PM, dlypka <[email protected]> wrote:
> But are you reconnecting to the same web2py session on each request?
>

That's how OAuth Providers work (for the most part). Would be good if we could create an OAuth Provider in web2py though…

> On Thursday, January 3, 2013 3:20:01 PM UTC-6, Mark Li wrote:
>>
>> I reviewed your code again and looked into the source code for web2py to
>> see how web2py deals with session login cookies.
>>
>> For what I want to accomplish, I believe I have found a method which does
>> not involve changing web2py source code. It's simpler and more
>> straightforward for me to wrap my head around (also not having to worry
>> about storing cookies in the app). Please let me know if there's anything
>> important I am missing or security flaws that I should consider.
>>
>> 1. Embed webview into native Android app, using auth.login_bare to
>>    authenticate.
>> 2. On login success, return a token of similar format to web2py's session
>>    cookies.
>> 3. Store this token in the database (in a table named 'tokens'), and send
>>    back to Android app as a cookie.
>> 4. For every request to my web service that requires authentication, send
>>    the token as a cookie and have the receiving API controller function
>>    extract the cookie/token. If the token is currently in db.tokens, then
>>    the user has been authenticated and the request returns the appropriate
>>    data.
>> 5. On logout/password change, delete the issued tokens for this user from
>>    db.tokens, so the same token can't be used to authenticate for future
>>    API calls.
>>
>> On Tuesday, January 1, 2013 10:33:26 PM UTC-8, dlypka wrote:
>>>
>>> I was not precisely calling from a native Android or native IOS app.
>>> I was using a PhoneGap client, which is different. It looks like a
>>> web browser but is not a browser client.
>>> PhoneGap can only use HTML5 storage unless you write a native Android /
>>> IOS PhoneGap extension/plugin.
>>> So my technique will work from almost any client platform, even from a
>>> Windows native client app for example, as long as it uses HTTP.
>>>
>>> Also, in my tracing of how web2py handles the client connection, I
>>> believe I found a few wrinkles in the sequence of events
>>> which needed to be handled specially in this case where the client is
>>> not a web browser.
>>>
>>> In your particular case, if you have cookies in the native client, then
>>> that is one less problem to solve.
>>> You probably just have to mimic the HTTP messages that a browser would
>>> send.
>>>
>>> On Tuesday, January 1, 2013 5:19:50 PM UTC-6, Mark Li wrote:
>>>>
>>>> Thanks for the responses, and Happy New Years to you guys too!
>>>>
>>>> dlypka, for your cookieless solution, it assumes that the client app
>>>> can't store/extract tokens? In the Google Android link above, it says
>>>> that both Android and iOS can read and extract the tokens/cookies. So
>>>> when the Android app calls the Web2py app, wouldn't it just pass in the
>>>> cookie/token and have Web2py verify it as Web2py normally verifies
>>>> session login cookies?
>>>>
>>>> On Tuesday, January 1, 2013 9:07:16 AM UTC-8, Massimo Di Pierro wrote:
>>>>>
>>>>> :-)
>>>>>
>>>>> On Tuesday, 1 January 2013 10:45:47 UTC-6, dlypka wrote:
>>>>>>
>>>>>> Yes it is my New Year's Resolution to make time to put it in a Slice.
>>>>>>
>>>>>> On Tuesday, January 1, 2013 10:35:49 AM UTC-6, Massimo Di Pierro wrote:
>>>>>>>
>>>>>>> Perhaps this should go in a web2pyslice?
>>>>>>>
>>>>>>> On Monday, 31 December 2012 21:28:04 UTC-6, dlypka wrote:
>>>>>>>>
>>>>>>>> I developed a solution for this.
>>>>>>>> I posted it here:
>>>>>>>> https://groups.google.com/forum/?fromgroups=#!topic/web2py/YVYQHRJmcos
>>>>>>>>
>>>>>>>> Happy New Year!
>>>>>>>>
>>>>>>>> On Monday, December 31, 2012 4:38:40 PM UTC-6, Mark Li wrote:
>>>>>>>>>
>>>>>>>>> I am currently trying to authenticate users on an Android app to
>>>>>>>>> my Web2py application. I am not comfortable implementing this on my
>>>>>>>>> own without some guidance/advice, as I'm worried about the security
>>>>>>>>> of the login information becoming jeopardized.
>>>>>>>>>
>>>>>>>>> I am following the guideline for authentication outlined by Google
>>>>>>>>> here:
>>>>>>>>> https://developers.google.com/accounts/docs/MobileApps
>>>>>>>>>
>>>>>>>>> Another outline of how I'm trying to accomplish authentication is
>>>>>>>>> here:
>>>>>>>>> http://stackoverflow.com/questions/7358715/authentication-model-for-android-application
>>>>>>>>>
>>>>>>>>> The first step, and my question, is how I would generate a token
>>>>>>>>> to return to the Android app after the user has successfully logged
>>>>>>>>> in. It is suggested that this token be in the same format to what
>>>>>>>>> Web2py uses for session login cookies, except with a 'mobile' flag
>>>>>>>>> indicating the token can only be used for API calls, and doesn't
>>>>>>>>> have the short lifespan of a browser session.
>>>>>>>>>
>>>>>>>>> Any help would be greatly appreciated, as I haven't read too much
>>>>>>>>> about authentication to web2py from an Android app.
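The token scheme Mark Li lists in steps 2 to 5 of the thread, as an added illustration (not code from the thread, from web2py, or from either poster): a self-contained Python module in which an in-memory SQLite table stands in for db.tokens. Assumed details the thread does not state: tokens are 256-bit random values, only a SHA-256 hash of each token is stored, and every token carries an expiry.

```python
import hashlib
import secrets
import sqlite3
import time

# Constructed stand-in for web2py's db.tokens table (step 3 of the thread);
# in the real app this would be a DAL table, e.g. db.define_table('tokens', ...).
conn = sqlite3.connect(":memory:")
conn.execute(
    "CREATE TABLE tokens (token_hash TEXT PRIMARY KEY, user_id INTEGER, expires REAL)"
)

# Assumed lifetime for the long-lived 'mobile' token; not a value from the thread.
TOKEN_LIFETIME = 30 * 24 * 3600


def _hash(token):
    # Only the SHA-256 of the token is stored, so a dump of the table
    # cannot be replayed as a credential.
    return hashlib.sha256(token.encode()).hexdigest()


def issue_token(user_id, now=None):
    """Steps 2/3: after auth.login_bare succeeds, mint a random token, store
    its hash with an expiry, and return the raw token to send as the cookie."""
    now = time.time() if now is None else now
    token = secrets.token_urlsafe(32)  # 256 bits from the OS CSPRNG
    conn.execute("INSERT INTO tokens VALUES (?, ?, ?)",
                 (_hash(token), user_id, now + TOKEN_LIFETIME))
    return token


def user_for_token(token, now=None):
    """Step 4: map the cookie value back to a user id, or None if the token
    is unknown or expired (unknown and expired are indistinguishable)."""
    now = time.time() if now is None else now
    row = conn.execute("SELECT user_id, expires FROM tokens WHERE token_hash = ?",
                       (_hash(token),)).fetchone()
    if row is None or row[1] < now:
        return None
    return row[0]


def revoke_user_tokens(user_id):
    """Step 5: on logout or password change drop every token for the user,
    so none of them authenticates future API calls. Returns the count."""
    return conn.execute("DELETE FROM tokens WHERE user_id = ?", (user_id,)).rowcount
```

In the web2py controller, user_for_token would be called with request.cookies['token'].value (name assumed) before serving any API action, and revoke_user_tokens from the logout and password-change handlers.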

