I'm building a Webapp that uses OpenId to authenticate users, like Stackoverflow does. There will be a mobile App too, e.g. Android or iPhone. These Apps have to authenticate o
The current OAuth specification (RFC5849) still requires that the user enter their credentials to the website that holds the protected resource. On a mobile app this user experience is not the best (as you pointed out, it requires the mobile app to display the auth page with an integrated web view). OAuth 2.0 addresses this issue by specifying different Access Grant types. This standard is still in draft. Until then, your best bet is probably to modify the flows of OAuth 1.0 to suit a mobile device, as a number of big sites are already doing (e.g. Twitter with xAuth and Dropbox with their developer API).
I'm doing something similar to option (1). Create a unique link (even just include the session id), then send it via SMS. There are plenty of cheap bulk sms providers with simple APIs to do this. When the user clicks on the url in the SMS it will open the mobile web browser and log them in.
After that, if the phone accepts cookies, you can set one. Otherwise the user will always have to come in via that unique link.
I have done the following to achieve this:
The mobile application extracts the token from the URL and uses it for authentication when talking to the server.
The WebLogin Activity looks like this: (note: you have to override "shouldOverrideUrlLoading" to stay in the same WebView. Otherwise, a new browser is opened when you receive a redirect)
    import android.app.Activity;
    import android.content.Intent;
    import android.net.Uri;
    import android.os.Bundle;
    import android.webkit.WebView;
    import android.webkit.WebViewClient;

    public class WebLogin extends Activity {
        @Override
        protected void onCreate(Bundle savedInstanceState) {
            super.onCreate(savedInstanceState);
            WebView webview = new WebView(this);
            webview.setWebViewClient(new WebViewClient() {
                // Keep every redirect inside this WebView instead of handing it to the browser
                @Override
                public boolean shouldOverrideUrlLoading(WebView view, String url) {
                    view.loadUrl(url);
                    return true;
                }

                @Override
                public void onPageFinished(WebView view, String url) {
                    // plain String.contains instead of commons-lang StringUtils.contains
                    if (url != null && url.contains("?auth_token=")) {
                        // The server redirected to a URL carrying the token: pull it out of
                        // the query string and hand it back to the calling activity
                        String token = Uri.parse(url).getQueryParameter("auth_token");
                        Intent result = new Intent();
                        result.putExtra("auth_token", token);
                        setResult(RESULT_OK, result);
                        finish();
                    }
                }
            });
            // enable JavaScript before the login page is loaded
            webview.getSettings().setJavaScriptEnabled(true);
            webview.loadUrl("https://www.yourdomain.com/authapp");
            setContentView(webview);
        }
    }
Note, I use https to make this safe. If you use plain http, one could read and steal the token of a user.
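The check in onPageFinished above accepts the token from any URL that happens to contain "?auth_token=". The following is an added example, not code from the answer above, showing a stricter parser that only accepts the token from the app's own HTTPS callback; the host name and callback path are assumptions, and it uses plain java.net so it can be unit-tested outside Android.

```java
import java.io.UnsupportedEncodingException;
import java.net.URI;
import java.net.URISyntaxException;
import java.net.URLDecoder;

// Added example: validate the redirect URL before trusting the auth_token in it.
public final class AuthRedirectParser {
    // Assumed values: the login server and the path it redirects to on success
    private static final String EXPECTED_HOST = "www.yourdomain.com";
    private static final String EXPECTED_PATH = "/authapp/done";

    /** Returns the token, or null if the URL is not our own HTTPS callback. */
    public static String extractToken(String url) {
        URI uri;
        try {
            uri = new URI(url);
        } catch (URISyntaxException e) {
            return null;
        }
        // Only a page on our own origin, over TLS, may hand us a token; a
        // third-party page (or plain http) carrying ?auth_token= is ignored.
        if (!"https".equalsIgnoreCase(uri.getScheme())) return null;
        if (!EXPECTED_HOST.equalsIgnoreCase(uri.getHost())) return null;
        if (!EXPECTED_PATH.equals(uri.getPath())) return null;
        String query = uri.getRawQuery();
        if (query == null) return null;
        for (String pair : query.split("&")) {
            int eq = pair.indexOf('=');
            if (eq < 0) continue;
            if (!"auth_token".equals(pair.substring(0, eq))) continue;
            String value = pair.substring(eq + 1);
            if (value.isEmpty()) return null;
            try {
                return URLDecoder.decode(value, "UTF-8");
            } catch (UnsupportedEncodingException e) {
                return null; // UTF-8 is always available; kept for the checked exception
            }
        }
        return null;
    }

    public static void main(String[] args) {
        // constructed sample URLs: only the first one yields a token
        System.out.println(extractToken("https://www.yourdomain.com/authapp/done?auth_token=abc%2F123"));
        System.out.println(extractToken("http://www.yourdomain.com/authapp/done?auth_token=abc"));
        System.out.println(extractToken("https://evil.example/page?auth_token=abc"));
    }
}
```

In the Activity, call this from onPageFinished and only finish() when it returns a non-null value.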