You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
Currently we are having hard times when SSO logins should be supported for native apps like react native.
The problem is, we don't want to use an "In-App-Browser" due to security concern for users. Such an "In-App-Browser" could be mocked and grab your user credentials.
Alternatively a native app would open the phone browser which then authenticates at the SSO and would finally redirect the user to the app using "Deep Link".
Here comes the problem. As the Deep Link only opens our app, the app has no access to the phone browser cookies nor will send them at requests. Even if it would send them, these cookies would be cleared when the user would clear the brower cache.
Therefore we have currently no access to the auth data when login in via SSO.
As a workaround we could create a custom endpoint which redirects to the app via Deep Link and passes as an argument a refresh token: #22427
This workaround is not very secure as:
The refresh token is exposed via the url, and the client therefore should clear them as soon as obtained
An attacker could create a malicous link which would redirect the user to the attacker exposing the refresh token. Therefore the "redirect" url has to be checked against a whitelist.
As this workaround works for native apps it exposes some challenges and security concerns. Either I am missing here how to send the auth_data to directus within an React-Native app, Accessing the cookie from the browser or something different.
I believe we need a possibility for a SSO-Login for the SDK Client: #19723
Basic Example
No response
Motivation
Support of Directus SSO Login for Native Apps
Detailed Design
An implementation and handling of the tokens from within the SDK-JS
Requirements List
Must Have:
Support of SSO Providers
Should Have:
An option to pass the refresh_token
Drawbacks
Alternatives
Adoption Strategy
Unresolved Questions
How to keep security up and to pass the credentials to the app?
reacted with thumbs up emoji reacted with thumbs down emoji reacted with laugh emoji reacted with hooray emoji reacted with confused emoji reacted with heart emoji reacted with rocket emoji reacted with eyes emoji
-
Summary
Currently we are having hard times when SSO logins should be supported for native apps like react native.
The problem is, we don't want to use an "In-App-Browser" due to security concern for users. Such an "In-App-Browser" could be mocked and grab your user credentials.
Alternatively a native app would open the phone browser which then authenticates at the SSO and would finally redirect the user to the app using "Deep Link".
Here comes the problem. As the Deep Link only opens our app, the app has no access to the phone browser cookies nor will send them at requests. Even if it would send them, these cookies would be cleared when the user would clear the brower cache.
Therefore we have currently no access to the auth data when login in via SSO.
As a workaround we could create a custom endpoint which redirects to the app via Deep Link and passes as an argument a refresh token: #22427
This workaround is not very secure as:
As this workaround works for native apps it exposes some challenges and security concerns. Either I am missing here how to send the auth_data to directus within an React-Native app, Accessing the cookie from the browser or something different.
I believe we need a possibility for a SSO-Login for the SDK Client: #19723
Basic Example
No response
Motivation
Support of Directus SSO Login for Native Apps
Detailed Design
An implementation and handling of the tokens from within the SDK-JS
Requirements List
Must Have:
Should Have:
Drawbacks
Alternatives
Adoption Strategy
Unresolved Questions
How to keep security up and to pass the credentials to the app?
Beta Was this translation helpful? Give feedback.
All reactions