How to authenticate a mobile App without username and password?

Question

I\'m building a Webapp that uses OpenId to authenticate users, like Stackoverlfow does. There will be a mobile App too, e.g. Android or iPhone. These Apps have to authenticate o

Answer 1

The current OAuth specification (RFC5849) still requires that the user enter their credentials to the website that holds the protected resource. On a mobile app this user experience is not the best (as you pointed out requires the mobile app to display the auth page with a integrated web view). OAuth 2.0 addresses this issue by specifying different Access Grant types. This standard is still in draft. Until then, your best bet is probably to modify the flows of OAuth 1.0 to suit a mobile device as a number of big sites are already doing (e.g Twitter with xAuth and Dropbox with their developer API).

Answer 2

I'm doing something similar to option (1). Create a unique link (even just include the session id), then send it via SMS. There are plenty of cheap bulk sms providers with simple APIs to do this. When the user clicks on the url in the SMS it will open the mobile web browser and log them in.

After that, if the phone accepts cookies, you can set one. Otherwise the user will always have to come in via that unique link.

Answer 3

I have done the following to achieve this:

• When the App first starts, I test if there is an authentication token and if it is still valid
• If not, I use [startActivityForResult][1] to open my login activity
• The LoginActivity uses a WebView and opens the "authenticate app" page (e.g. https://www.yourdomain.com/authapp) from the web application.
• If the user is not logged into the webapp, he has to do this now. Upon successful login, he gets redirected to the "authenticate app" page
• The "authenticate app" page contains the text "would you like the mobile app to access you data" and a "grant" and "cancel" button.
• If the user hits "grant" the web app generats a authentication token, writes it to the databse and redirects to a response page, attaching the generated authentication token to the URL (e.g. https://www.yourdomain.com/authresponse?auth_token=dshf84z4388f4h)

• The mobile application extracts the token from the URL and uses it for authentication when talking to the server.

  The WebLogin Activity looks like this: (note: you have to override "shouldOverrideUrlLoading" to stay in the same WebView. Otherwise, a new browser is open when you receive some redirect)

  public class WebLogin extends Activity {

  @Override protected void onCreate(Bundle savedInstanceState) { super.onCreate(savedInstanceState);

  WebView webview = new WebView(this);
  webview.setWebViewClient(new WebViewClient() {  
  
      @Override  
      public boolean shouldOverrideUrlLoading(WebView view, String url){
          view.loadUrl(url);
          return true;  
      }  
  
      @Override
      public void onPageFinished(WebView view, String url) {
  
          if(StringUtils.contains(url, "?auth_token=")){
  
              // extract and save token here
  
              setResult(RESULT_OK);
              finish();
          }
      }
  });
  
  webview.loadUrl("https://www.yourdomain.com/authapp");
  webview.getSettings().setJavaScriptEnabled(true);
  setContentView(webview);
  

  } }

Note, I use https to make this save. If you use plain http, one could read and steal the token of a user.

[1]: http://developer.android.com/reference/android/app/Activity.html#startActivityForResult(android.content.Intent, int)