[web2py] Re: Returning a token for Android app authentication
On Thursday, April 20, 2017 at 2:57:44 AM UTC-7, Oasis Agano wrote:
> The only challenge I'm facing is the needed customization on the W2P side to allow the app to login, and the route to use inside the mobile app to pass the login credentials.
> If someone can share a segment of the code it can be helpful.
> Thanks.

Discussed in the other thread (maybe even answered).

/dps

> On Tuesday, April 18, 2017 at 12:25:38 AM UTC+2, Dave S wrote:
>> On Monday, April 17, 2017 at 1:16:49 PM UTC-7, Oasis Agano wrote:
>>> You mean that it doesn't require modifying core Web2py code? Or adding other codes inside your controller? Because what I want is actually logging in and storing a token returned by w2p.
>>
>> It is already part of web2py core, in all 2.14.x versions (and maybe some 2.13.y versions). I haven't actually used it, but the doc comment in tools.py seems to be a very good explanation. (I've done some other reading on JWT -- Niphlod posted the link to the RFC, for instance -- and know of its use for helping to secure OAuth2.)
>>
>> I think a couple of other users have posted here that they used it now that it's built-in.
>>
>> /dps
>>
>>> On Monday, April 17, 2017 at 10:05:53 PM UTC+2, Dave S wrote:
>>>> On Monday, April 17, 2017 at 4:18:48 AM UTC-7, Oasis Agano wrote:
>>>>> Hello,
>>>>> Can someone create a web2pyslice explaining how to do it and what to change in web2py gluon in order to connect an Android native app to it.
>>>>> 4 years later people (e.g. me, my colleagues...) are still facing the same issue and I think it can be helpful to the community.
>>>>
>>>> Have you looked at using JWT? Documentation is mainly gluon/tools.py, although Niphlod wrote here a little about its use when he coded it a couple of years ago.
>>>>
>>>> /dps
>>>>
>>>>> On Wednesday, October 15, 2014 at 3:48:02 AM UTC+2, Mark Li wrote:
>>>>>> Hey Mark,
>>>>>> I did finish this, although it's been some time since I've looked into the code for the mobile-related stuff. Most of it still makes sense to me
>>>>>>
>>>>>> On Friday, October 10, 2014 1:31:09 PM UTC-7, Mark Graves wrote:
>>>>>>> Did you ever finish this?
>>>>>>> I implemented something similar.
>>>>>>> I'd love to collaborate and get a repo up for working with mobile devices with web2py as an app back end.
>>>>>>>
>>>>>>> On Sunday, January 6, 2013 11:43:05 AM UTC-6, dlypka wrote:
>>>>>>>> If you mimic the same http traffic that a browser would generate, then of course you will get all the normal web2py functionality such as the session.
>>>>>>>> The web2py session is usually stored in the database which means it can store a large amount of data without the size limits of cookie storage. And it will persist between requests.
>>>>>>>> [...]

--
Resources:
- http://web2py.com
- http://web2py.com/book (Documentation)
- http://github.com/web2py/web2py (Source code)
- https://code.google.com/p/web2py/issues/list (Report Issues)
---
You received this message because you are subscribed to the Google Groups "web2py-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email to web2py+unsubscr...@googlegroups.com.
For more options, visit https://groups.google.com/d/optout.
[web2py] Re: Returning a token for Android app authentication
The only challenge I'm facing is the needed customization on the W2P side to allow the app to login, and the route to use inside the mobile app to pass the login credentials.
If someone can share a segment of the code it can be helpful.
Thanks.
Oasis

On Tuesday, April 18, 2017 at 12:25:38 AM UTC+2, Dave S wrote:
> On Monday, April 17, 2017 at 1:16:49 PM UTC-7, Oasis Agano wrote:
>> You mean that it doesn't require modifying core Web2py code? Or adding other codes inside your controller? Because what I want is actually logging in and storing a token returned by w2p.
>
> It is already part of web2py core, in all 2.14.x versions (and maybe some 2.13.y versions). I haven't actually used it, but the doc comment in tools.py seems to be a very good explanation. (I've done some other reading on JWT -- Niphlod posted the link to the RFC, for instance -- and know of its use for helping to secure OAuth2.)
>
> I think a couple of other users have posted here that they used it now that it's built-in.
>
> /dps
>
>> On Monday, April 17, 2017 at 10:05:53 PM UTC+2, Dave S wrote:
>>> On Monday, April 17, 2017 at 4:18:48 AM UTC-7, Oasis Agano wrote:
>>>> Hello,
>>>> Can someone create a web2pyslice explaining how to do it and what to change in web2py gluon in order to connect an Android native app to it.
>>>> 4 years later people (e.g. me, my colleagues...) are still facing the same issue and I think it can be helpful to the community.
>>>
>>> Have you looked at using JWT? Documentation is mainly gluon/tools.py, although Niphlod wrote here a little about its use when he coded it a couple of years ago.
>>>
>>> /dps
>>>
>>>> On Wednesday, October 15, 2014 at 3:48:02 AM UTC+2, Mark Li wrote:
>>>>> Hey Mark,
>>>>> I did finish this, although it's been some time since I've looked into the code for the mobile-related stuff. Most of it still makes sense to me
>>>>>
>>>>> On Friday, October 10, 2014 1:31:09 PM UTC-7, Mark Graves wrote:
>>>>>> Did you ever finish this?
>>>>>> I implemented something similar.
>>>>>> I'd love to collaborate and get a repo up for working with mobile devices with web2py as an app back end.
>>>>>>
>>>>>> On Sunday, January 6, 2013 11:43:05 AM UTC-6, dlypka wrote:
>>>>>>> If you mimic the same http traffic that a browser would generate, then of course you will get all the normal web2py functionality such as the session.
>>>>>>> The web2py session is usually stored in the database which means it can store a large amount of data without the size limits of cookie storage. And it will persist between requests.
>>>>>>> [...]
[web2py] Re: Returning a token for Android app authentication
On Monday, April 17, 2017 at 1:16:49 PM UTC-7, Oasis Agano wrote:
> You mean that it doesn't require modifying core Web2py code? Or adding other codes inside your controller? Because what I want is actually logging in and storing a token returned by w2p.

It is already part of web2py core, in all 2.14.x versions (and maybe some 2.13.y versions). I haven't actually used it, but the doc comment in tools.py seems to be a very good explanation. (I've done some other reading on JWT -- Niphlod posted the link to the RFC, for instance -- and know of its use for helping to secure OAuth2.)

I think a couple of other users have posted here that they used it now that it's built-in.

/dps

> On Monday, April 17, 2017 at 10:05:53 PM UTC+2, Dave S wrote:
>> On Monday, April 17, 2017 at 4:18:48 AM UTC-7, Oasis Agano wrote:
>>> Hello,
>>> Can someone create a web2pyslice explaining how to do it and what to change in web2py gluon in order to connect an Android native app to it.
>>> 4 years later people (e.g. me, my colleagues...) are still facing the same issue and I think it can be helpful to the community.
>>
>> Have you looked at using JWT? Documentation is mainly gluon/tools.py, although Niphlod wrote here a little about its use when he coded it a couple of years ago.
>>
>> /dps
>>
>>> On Wednesday, October 15, 2014 at 3:48:02 AM UTC+2, Mark Li wrote:
>>>> Hey Mark,
>>>> I did finish this, although it's been some time since I've looked into the code for the mobile-related stuff. Most of it still makes sense to me
>>>>
>>>> On Friday, October 10, 2014 1:31:09 PM UTC-7, Mark Graves wrote:
>>>>> Did you ever finish this?
>>>>> I implemented something similar.
>>>>> I'd love to collaborate and get a repo up for working with mobile devices with web2py as an app back end.
>>>>>
>>>>> On Sunday, January 6, 2013 11:43:05 AM UTC-6, dlypka wrote:
>>>>>> If you mimic the same http traffic that a browser would generate, then of course you will get all the normal web2py functionality such as the session.
>>>>>> The web2py session is usually stored in the database which means it can store a large amount of data without the size limits of cookie storage. And it will persist between requests.
>>>>>> [...]
[web2py] Re: Returning a token for Android app authentication
You mean that it doesn't require modifying core Web2py code? Or adding other codes inside your controller? Because what I want is actually logging in and storing a token returned by w2p.

On Monday, April 17, 2017 at 10:05:53 PM UTC+2, Dave S wrote:
> On Monday, April 17, 2017 at 4:18:48 AM UTC-7, Oasis Agano wrote:
>> Hello,
>> Can someone create a web2pyslice explaining how to do it and what to change in web2py gluon in order to connect an Android native app to it.
>> 4 years later people (e.g. me, my colleagues...) are still facing the same issue and I think it can be helpful to the community.
>
> Have you looked at using JWT? Documentation is mainly gluon/tools.py, although Niphlod wrote here a little about its use when he coded it a couple of years ago.
>
> /dps
>
>> On Wednesday, October 15, 2014 at 3:48:02 AM UTC+2, Mark Li wrote:
>>> Hey Mark,
>>> I did finish this, although it's been some time since I've looked into the code for the mobile-related stuff. Most of it still makes sense to me
>>>
>>> On Friday, October 10, 2014 1:31:09 PM UTC-7, Mark Graves wrote:
>>>> Did you ever finish this?
>>>> I implemented something similar.
>>>> I'd love to collaborate and get a repo up for working with mobile devices with web2py as an app back end.
>>>>
>>>> On Sunday, January 6, 2013 11:43:05 AM UTC-6, dlypka wrote:
>>>>> If you mimic the same http traffic that a browser would generate, then of course you will get all the normal web2py functionality such as the session.
>>>>> The web2py session is usually stored in the database which means it can store a large amount of data without the size limits of cookie storage. And it will persist between requests.
>>>>> [...]
[web2py] Re: Returning a token for Android app authentication
On Monday, April 17, 2017 at 4:18:48 AM UTC-7, Oasis Agano wrote:
> Hello,
> Can someone create a web2pyslice explaining how to do it and what to change in web2py gluon in order to connect an Android native app to it.
> 4 years later people (e.g. me, my colleagues...) are still facing the same issue and I think it can be helpful to the community.

Have you looked at using JWT? Documentation is mainly gluon/tools.py, although Niphlod wrote here a little about its use when he coded it a couple of years ago.

/dps

> On Wednesday, October 15, 2014 at 3:48:02 AM UTC+2, Mark Li wrote:
>> Hey Mark,
>> I did finish this, although it's been some time since I've looked into the code for the mobile-related stuff. Most of it still makes sense to me
>>
>> On Friday, October 10, 2014 1:31:09 PM UTC-7, Mark Graves wrote:
>>> Did you ever finish this?
>>> I implemented something similar.
>>> I'd love to collaborate and get a repo up for working with mobile devices with web2py as an app back end.
>>>
>>> On Sunday, January 6, 2013 11:43:05 AM UTC-6, dlypka wrote:
>>>> If you mimic the same http traffic that a browser would generate, then of course you will get all the normal web2py functionality such as the session.
>>>> The web2py session is usually stored in the database which means it can store a large amount of data without the size limits of cookie storage. And it will persist between requests.
>>>> [...]
[web2py] Re: Returning a token for Android app authentication
Hello,
Can someone create a web2pyslice explaining how to do it and what to change in web2py gluon in order to connect an Android native app to it.
4 years later people (e.g. me, my colleagues...) are still facing the same issue and I think it can be helpful to the community.
kr,
Oasis

On Wednesday, October 15, 2014 at 3:48:02 AM UTC+2, Mark Li wrote:
> Hey Mark,
> I did finish this, although it's been some time since I've looked into the code for the mobile-related stuff. Most of it still makes sense to me
>
> On Friday, October 10, 2014 1:31:09 PM UTC-7, Mark Graves wrote:
>> Did you ever finish this?
>> I implemented something similar.
>> I'd love to collaborate and get a repo up for working with mobile devices with web2py as an app back end.
>>
>> On Sunday, January 6, 2013 11:43:05 AM UTC-6, dlypka wrote:
>>> If you mimic the same http traffic that a browser would generate, then of course you will get all the normal web2py functionality such as the session.
>>> The web2py session is usually stored in the database which means it can store a large amount of data without the size limits of cookie storage. And it will persist between requests.
>>>
>>> On Friday, January 4, 2013 6:19:14 PM UTC-6, Mark Li wrote:
>>>> Would it be necessary to connect to the same web2py session? To my understanding, connecting to the same session would be necessary if the session contained Auth information indicating whether or not a user was logged in.
>>>> However, using auth.login_bare(), I only return a token on login success, and the Auth information is never stored in session. Only the token would be used to check whether or not a user was authenticated, as this info is not stored in session. The login/authentication from Android would only be used for API calls, and not for browsing the site.
>>>> In the 'tokens' table, there would be information about the user that would be similar to the Auth info stored in session. When the token is passed to web2py, it would return the same information that would normally be stored in session about the user.
>>>> Thanks again for your help and checking my logic, I'm still pretty new to this!
>>>>
>>>> On Thursday, January 3, 2013 7:57:45 PM UTC-8, dlypka wrote:
>>>>> But are you reconnecting to the same web2py session on each request?
>>>>>
>>>>> On Thursday, January 3, 2013 3:20:01 PM UTC-6, Mark Li wrote:
>>>>>> I reviewed your code again and looked into the source code for web2py to see how web2py deals with session login cookies.
>>>>>> For what I want to accomplish, I believe I have found a method which does not involve changing web2py source code. It's simpler and more straightforward for me to wrap my head around (also not having to worry about storing cookies in the app). Please let me know if there's anything important I am missing or security flaws that I should consider.
>>>>>> 1. Embed webview into native Android app, using auth.login_bare to authenticate.
>>>>>> 2. On login success, return a token of similar format to web2py's session cookies.
>>>>>> 3. Store this token in the database (in a table named 'tokens'), and send back to Android app as a cookie
>>>>>> 4. For every request to my web service that requires authentication, send the token as a cookie and have the receiving API controller function extract the cookie/token. If the token is currently in the db.tokens, then the user has been authenticated and the request returns the appropriate data.
>>>>>> 5. On logout/password change, delete the issued tokens for this user from db.tokens, so the same token can't be used to authenticate for future api calls.
>>>>>>
>>>>>> On Tuesday, January 1, 2013 10:33:26 PM UTC-8, dlypka wrote:
>>>>>>> I was not precisely calling from a native Android or native IOS app. I was using a PhoneGap client, which is different. It looks like a web browser but is not a browser client. PhoneGap can only use HTML5 storage unless you write a native Android / IOS PhoneGap extension/plugin. So my technique will work from almost any client platform, even from a Windows native client app for example as long as it uses HTTP.
>>>>>>> Also, in my tracing of how web2py handles the client connection, I believe I found a few wrinkles in the sequence of events which needed to be handled specially in this case where the client is not a web browser.
>>>>>>> In your particular case, if you have cookies in the native client, then that is one less problem to solve. You probably just have to mimic the HTTP messages that a browser would send.
>>>>>>>
>>>>>>> On
[web2py] Re: Returning a token for Android app authentication
Hey Mark,
I did finish this, although it's been some time since I've looked into the code for the mobile-related stuff. Most of it still makes sense to me

On Friday, October 10, 2014 1:31:09 PM UTC-7, Mark Graves wrote:
> Did you ever finish this?
> I implemented something similar.
> I'd love to collaborate and get a repo up for working with mobile devices with web2py as an app back end.
>
> On Sunday, January 6, 2013 11:43:05 AM UTC-6, dlypka wrote:
>> If you mimic the same http traffic that a browser would generate, then of course you will get all the normal web2py functionality such as the session.
>> The web2py session is usually stored in the database which means it can store a large amount of data without the size limits of cookie storage. And it will persist between requests.
>>
>> On Friday, January 4, 2013 6:19:14 PM UTC-6, Mark Li wrote:
>>> Would it be necessary to connect to the same web2py session? To my understanding, connecting to the same session would be necessary if the session contained Auth information indicating whether or not a user was logged in.
>>> However, using auth.login_bare(), I only return a token on login success, and the Auth information is never stored in session. Only the token would be used to check whether or not a user was authenticated, as this info is not stored in session. The login/authentication from Android would only be used for API calls, and not for browsing the site.
>>> In the 'tokens' table, there would be information about the user that would be similar to the Auth info stored in session. When the token is passed to web2py, it would return the same information that would normally be stored in session about the user.
>>> Thanks again for your help and checking my logic, I'm still pretty new to this!
>>>
>>> On Thursday, January 3, 2013 7:57:45 PM UTC-8, dlypka wrote:
>>>> But are you reconnecting to the same web2py session on each request?
>>>>
>>>> On Thursday, January 3, 2013 3:20:01 PM UTC-6, Mark Li wrote:
>>>>> I reviewed your code again and looked into the source code for web2py to see how web2py deals with session login cookies.
>>>>> For what I want to accomplish, I believe I have found a method which does not involve changing web2py source code. It's simpler and more straightforward for me to wrap my head around (also not having to worry about storing cookies in the app). Please let me know if there's anything important I am missing or security flaws that I should consider.
>>>>> 1. Embed webview into native Android app, using auth.login_bare to authenticate.
>>>>> 2. On login success, return a token of similar format to web2py's session cookies.
>>>>> 3. Store this token in the database (in a table named 'tokens'), and send back to Android app as a cookie
>>>>> 4. For every request to my web service that requires authentication, send the token as a cookie and have the receiving API controller function extract the cookie/token. If the token is currently in the db.tokens, then the user has been authenticated and the request returns the appropriate data.
>>>>> 5. On logout/password change, delete the issued tokens for this user from db.tokens, so the same token can't be used to authenticate for future api calls.
>>>>>
>>>>> On Tuesday, January 1, 2013 10:33:26 PM UTC-8, dlypka wrote:
>>>>>> I was not precisely calling from a native Android or native IOS app. I was using a PhoneGap client, which is different. It looks like a web browser but is not a browser client. PhoneGap can only use HTML5 storage unless you write a native Android / IOS PhoneGap extension/plugin. So my technique will work from almost any client platform, even from a Windows native client app for example as long as it uses HTTP.
>>>>>> Also, in my tracing of how web2py handles the client connection, I believe I found a few wrinkles in the sequence of events which needed to be handled specially in this case where the client is not a web browser.
>>>>>> In your particular case, if you have cookies in the native client, then that is one less problem to solve. You probably just have to mimic the HTTP messages that a browser would send.
>>>>>>
>>>>>> On Tuesday, January 1, 2013 5:19:50 PM UTC-6, Mark Li wrote:
>>>>>>> Thanks for the responses, and Happy New Years to you guys too!
>>>>>>> dlypka, for your cookieless solution, it assumes that the client app can't store/extract tokens? In the Google Android link above, it says that both Android and iOS can read and extract the tokens/cookies. So when the Android app calls the Web2py app, wouldn't it just pass in the cookie/token and have Web2py verify it as Web2py normally verifies session login cookies?
>>>>>>>
>>>>>>> On Tuesday, January 1, 2013 9:07:16 AM UTC-8, Massimo Di Pierro wrote:
>>>>>>>> :-)
>>>>>>>>
>>>>>>>> On Tuesday, 1 January 2013 10:45:47 UTC-6, dlypka wrote:
>>>>>>>>> Yes it is my New Year's Resolution to make time to put it in a Slice.
>>>>>>>>>
>>>>>>>>> On Tuesday, January 1, 2013 10:35:49 AM UTC-6, Massimo Di Pierro wrote:
>>>>>>>>>> Perhaps this should go in a web2pyslice?
>>>>>>>>>>
>>>>>>>>>> On
[web2py] Re: Returning a token for Android app authentication
Did you ever finish this?
I implemented something similar.
I'd love to collaborate and get a repo up for working with mobile devices with web2py as an app back end.

On Sunday, January 6, 2013 11:43:05 AM UTC-6, dlypka wrote:
> If you mimic the same http traffic that a browser would generate, then of course you will get all the normal web2py functionality such as the session.
> The web2py session is usually stored in the database which means it can store a large amount of data without the size limits of cookie storage. And it will persist between requests.
>
> On Friday, January 4, 2013 6:19:14 PM UTC-6, Mark Li wrote:
>> Would it be necessary to connect to the same web2py session? To my understanding, connecting to the same session would be necessary if the session contained Auth information indicating whether or not a user was logged in.
>> However, using auth.login_bare(), I only return a token on login success, and the Auth information is never stored in session. Only the token would be used to check whether or not a user was authenticated, as this info is not stored in session. The login/authentication from Android would only be used for API calls, and not for browsing the site.
>> In the 'tokens' table, there would be information about the user that would be similar to the Auth info stored in session. When the token is passed to web2py, it would return the same information that would normally be stored in session about the user.
>> Thanks again for your help and checking my logic, I'm still pretty new to this!
>>
>> On Thursday, January 3, 2013 7:57:45 PM UTC-8, dlypka wrote:
>>> But are you reconnecting to the same web2py session on each request?
>>>
>>> On Thursday, January 3, 2013 3:20:01 PM UTC-6, Mark Li wrote:
>>>> I reviewed your code again and looked into the source code for web2py to see how web2py deals with session login cookies.
>>>> For what I want to accomplish, I believe I have found a method which does not involve changing web2py source code. It's simpler and more straightforward for me to wrap my head around (also not having to worry about storing cookies in the app). Please let me know if there's anything important I am missing or security flaws that I should consider.
>>>> 1. Embed webview into native Android app, using auth.login_bare to authenticate.
>>>> 2. On login success, return a token of similar format to web2py's session cookies.
>>>> 3. Store this token in the database (in a table named 'tokens'), and send back to Android app as a cookie
>>>> 4. For every request to my web service that requires authentication, send the token as a cookie and have the receiving API controller function extract the cookie/token. If the token is currently in the db.tokens, then the user has been authenticated and the request returns the appropriate data.
>>>> 5. On logout/password change, delete the issued tokens for this user from db.tokens, so the same token can't be used to authenticate for future api calls.
>>>>
>>>> On Tuesday, January 1, 2013 10:33:26 PM UTC-8, dlypka wrote:
>>>>> I was not precisely calling from a native Android or native IOS app. I was using a PhoneGap client, which is different. It looks like a web browser but is not a browser client. PhoneGap can only use HTML5 storage unless you write a native Android / IOS PhoneGap extension/plugin. So my technique will work from almost any client platform, even from a Windows native client app for example as long as it uses HTTP.
>>>>> Also, in my tracing of how web2py handles the client connection, I believe I found a few wrinkles in the sequence of events which needed to be handled specially in this case where the client is not a web browser.
>>>>> In your particular case, if you have cookies in the native client, then that is one less problem to solve. You probably just have to mimic the HTTP messages that a browser would send.
>>>>>
>>>>> On Tuesday, January 1, 2013 5:19:50 PM UTC-6, Mark Li wrote:
>>>>>> Thanks for the responses, and Happy New Years to you guys too!
>>>>>> dlypka, for your cookieless solution, it assumes that the client app can't store/extract tokens? In the Google Android link above, it says that both Android and iOS can read and extract the tokens/cookies. So when the Android app calls the Web2py app, wouldn't it just pass in the cookie/token and have Web2py verify it as Web2py normally verifies session login cookies?
>>>>>>
>>>>>> On Tuesday, January 1, 2013 9:07:16 AM UTC-8, Massimo Di Pierro wrote:
>>>>>>> :-)
>>>>>>>
>>>>>>> On Tuesday, 1 January 2013 10:45:47 UTC-6, dlypka wrote:
>>>>>>>> Yes it is my New Year's Resolution to make time to put it in a Slice.
>>>>>>>>
>>>>>>>> On Tuesday, January 1, 2013 10:35:49 AM UTC-6, Massimo Di Pierro wrote:
>>>>>>>>> Perhaps this should go in a web2pyslice?
>>>>>>>>>
>>>>>>>>> On Monday, 31 December 2012 21:28:04 UTC-6, dlypka wrote:
>>>>>>>>>> I developed a solution for this. I posted it here: https://groups.google.com/forum/?fromgroups=#!topic/web2py/YVYQHRJmcos
>>>>>>>>>> Happy New Year!
>>>>>>>>>>
>>>>>>>>>> On Monday, December 31, 2012 4:38:40
[web2py] Re: Returning a token for Android app authentication
If you mimic the same http traffic that a browser would generate, then of course you will get all the normal web2py functionality such as the session.
The web2py session is usually stored in the database which means it can store a large amount of data without the size limits of cookie storage. And it will persist between requests.

On Friday, January 4, 2013 6:19:14 PM UTC-6, Mark Li wrote:
> Would it be necessary to connect to the same web2py session? To my understanding, connecting to the same session would be necessary if the session contained Auth information indicating whether or not a user was logged in.
> However, using auth.login_bare(), I only return a token on login success, and the Auth information is never stored in session. Only the token would be used to check whether or not a user was authenticated, as this info is not stored in session. The login/authentication from Android would only be used for API calls, and not for browsing the site.
> In the 'tokens' table, there would be information about the user that would be similar to the Auth info stored in session. When the token is passed to web2py, it would return the same information that would normally be stored in session about the user.
> Thanks again for your help and checking my logic, I'm still pretty new to this!
>
> On Thursday, January 3, 2013 7:57:45 PM UTC-8, dlypka wrote:
>> But are you reconnecting to the same web2py session on each request?
>>
>> On Thursday, January 3, 2013 3:20:01 PM UTC-6, Mark Li wrote:
>>> I reviewed your code again and looked into the source code for web2py to see how web2py deals with session login cookies.
>>> For what I want to accomplish, I believe I have found a method which does not involve changing web2py source code. It's simpler and more straightforward for me to wrap my head around (also not having to worry about storing cookies in the app). Please let me know if there's anything important I am missing or security flaws that I should consider.
>>> 1. Embed webview into native Android app, using auth.login_bare to authenticate.
>>> 2. On login success, return a token of similar format to web2py's session cookies.
>>> 3. Store this token in the database (in a table named 'tokens'), and send back to Android app as a cookie
>>> 4. For every request to my web service that requires authentication, send the token as a cookie and have the receiving API controller function extract the cookie/token. If the token is currently in the db.tokens, then the user has been authenticated and the request returns the appropriate data.
>>> 5. On logout/password change, delete the issued tokens for this user from db.tokens, so the same token can't be used to authenticate for future api calls.
>>>
>>> On Tuesday, January 1, 2013 10:33:26 PM UTC-8, dlypka wrote:
>>>> I was not precisely calling from a native Android or native IOS app. I was using a PhoneGap client, which is different. It looks like a web browser but is not a browser client. PhoneGap can only use HTML5 storage unless you write a native Android / IOS PhoneGap extension/plugin. So my technique will work from almost any client platform, even from a Windows native client app for example as long as it uses HTTP.
>>>> Also, in my tracing of how web2py handles the client connection, I believe I found a few wrinkles in the sequence of events which needed to be handled specially in this case where the client is not a web browser.
>>>> In your particular case, if you have cookies in the native client, then that is one less problem to solve. You probably just have to mimic the HTTP messages that a browser would send.
>>>>
>>>> On Tuesday, January 1, 2013 5:19:50 PM UTC-6, Mark Li wrote:
>>>>> Thanks for the responses, and Happy New Years to you guys too!
>>>>> dlypka, for your cookieless solution, it assumes that the client app can't store/extract tokens? In the Google Android link above, it says that both Android and iOS can read and extract the tokens/cookies. So when the Android app calls the Web2py app, wouldn't it just pass in the cookie/token and have Web2py verify it as Web2py normally verifies session login cookies?
>>>>>
>>>>> On Tuesday, January 1, 2013 9:07:16 AM UTC-8, Massimo Di Pierro wrote:
>>>>>> :-)
>>>>>>
>>>>>> On Tuesday, 1 January 2013 10:45:47 UTC-6, dlypka wrote:
>>>>>>> Yes it is my New Year's Resolution to make time to put it in a Slice.
>>>>>>>
>>>>>>> On Tuesday, January 1, 2013 10:35:49 AM UTC-6, Massimo Di Pierro wrote:
>>>>>>>> Perhaps this should go in a web2pyslice?
>>>>>>>>
>>>>>>>> On Monday, 31 December 2012 21:28:04 UTC-6, dlypka wrote:
>>>>>>>>> I developed a solution for this. I posted it here: https://groups.google.com/forum/?fromgroups=#!topic/web2py/YVYQHRJmcos
>>>>>>>>> Happy New Year!
>>>>>>>>>
>>>>>>>>> On Monday, December 31, 2012 4:38:40 PM UTC-6, Mark Li wrote:
>>>>>>>>>> I am currently trying to authenticate users on an Android app to my Web2py application. I am not comfortable implementing this on my own without some guidance/advice, as I'm worried about the security of
[web2py] Re: Returning a token for Android app authentication
Would it be necessary to connect to the same web2py session? To my understanding, connecting to the same session would be necessary if the session contained Auth information indicating whether or not a user was logged in. However, using auth.login_bare(), I only return a token on login success, and the Auth information is never stored in session. Only the token would be used to check whether or not a user was authenticated, as this info is not stored in session. The login/authentication from Android would only be used for API calls, and not for browsing the site.

In the 'tokens' table, there would be information about the user that would be similar to the Auth info stored in session. When the token is passed to web2py, it would return the same information that would normally be stored in session about the user.

Thanks again for your help and checking my logic, I'm still pretty new to this!

On Thursday, January 3, 2013 7:57:45 PM UTC-8, dlypka wrote:
> But are you reconnecting to the same web2py session on each request?
[web2py] Re: Returning a token for Android app authentication
I reviewed your code again and looked into the source code for web2py to see how web2py deals with session login cookies. For what I want to accomplish, I believe I have found a method which does not involve changing web2py source code. It's simpler and more straightforward for me to wrap my head around (also not having to worry about storing cookies in the app). Please let me know if there's anything important I am missing or security flaws that I should consider.

1. Embed webview into native Android app, using auth.login_bare to authenticate.
2. On login success, return a token of similar format to web2py's session cookies.
3. Store this token in the database (in a table named 'tokens'), and send back to Android app as a cookie.
4. For every request to my web service that requires authentication, send the token as a cookie and have the receiving API controller function extract the cookie/token. If the token is currently in db.tokens, then the user has been authenticated and the request returns the appropriate data.
5. On logout/password change, delete the issued tokens for this user from db.tokens, so the same token can't be used to authenticate for future api calls.

On Tuesday, January 1, 2013 10:33:26 PM UTC-8, dlypka wrote:
> I was not precisely calling from a native Android or native iOS app. I was using a PhoneGap client, which is different. It looks like a web browser but is not a browser client. PhoneGap can only use HTML5 storage unless you write a native Android / iOS PhoneGap extension/plugin.
>
> So my technique will work from almost any client platform, even from a Windows native client app for example, as long as it uses HTTP.
>
> Also, in my tracing of how web2py handles the client connection, I believe I found a few wrinkles in the sequence of events which needed to be handled specially in this case where the client is not a web browser.
>
> In your particular case, if you have cookies in the native client, then that is one less problem to solve. You probably just have to mimic the HTTP messages that a browser would send.
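
Steps 2 to 5 of the scheme listed in the message above, as an added example (not code from the thread or from web2py). It assumes sqlite3 as a stand-in for db.tokens, an opaque random token rather than a session-cookie-like format, and that the caller has already checked the password (for example with auth.login_bare); the function names, the scope column and the 30-day lifetime are illustrative.

```python
"""Opaque bearer tokens for API calls: issue, verify, revoke (added example)."""
import hashlib
import secrets
import sqlite3
import time

# Assumed lifetime; the thread only asks for longer than a browser session.
TOKEN_TTL_SECONDS = 30 * 24 * 3600


def open_db(path=":memory:"):
    """Create the token store (sqlite3 stand-in for web2py's db.tokens)."""
    db = sqlite3.connect(path)
    db.execute(
        "CREATE TABLE IF NOT EXISTS tokens ("
        " token_hash TEXT PRIMARY KEY,"
        " user_id INTEGER NOT NULL,"
        " scope TEXT NOT NULL,"
        " expires_at REAL NOT NULL)"
    )
    return db


def token_digest(token):
    """Only this SHA-256 digest is stored, so a leaked table yields no usable tokens."""
    return hashlib.sha256(token.encode("utf-8")).hexdigest()


def issue_token(db, user_id, scope="mobile", now=None):
    """Steps 2-3: call only after the password check has succeeded."""
    now = time.time() if now is None else now
    token = secrets.token_urlsafe(32)  # 256 bits from the OS CSPRNG
    db.execute(
        "INSERT INTO tokens (token_hash, user_id, scope, expires_at)"
        " VALUES (?, ?, ?, ?)",
        (token_digest(token), user_id, scope, now + TOKEN_TTL_SECONDS),
    )
    db.commit()
    return token  # the raw value goes to the client once and is never stored


def verify_token(db, token, required_scope="mobile", now=None):
    """Step 4: return the user id for a valid token, else None."""
    now = time.time() if now is None else now
    if not isinstance(token, str) or not token:
        return None
    row = db.execute(
        "SELECT user_id, scope, expires_at FROM tokens WHERE token_hash = ?",
        (token_digest(token),),
    ).fetchone()
    if row is None:
        return None  # unknown, forged or already revoked
    user_id, scope, expires_at = row
    if expires_at <= now:
        # Expired tokens are removed so the table does not grow without bound.
        db.execute("DELETE FROM tokens WHERE token_hash = ?", (token_digest(token),))
        db.commit()
        return None
    if scope != required_scope:
        return None  # e.g. a 'mobile' token presented to a non-API endpoint
    return user_id


def revoke_user_tokens(db, user_id):
    """Step 5: on logout or password change, drop every token for the user."""
    cur = db.execute("DELETE FROM tokens WHERE user_id = ?", (user_id,))
    db.commit()
    return cur.rowcount


if __name__ == "__main__":
    db = open_db()
    tok = issue_token(db, user_id=7)  # constructed user id
    print("valid token  ->", verify_token(db, tok))
    print("forged token ->", verify_token(db, "not-a-real-token"))
    print("revoked rows ->", revoke_user_tokens(db, 7))
    print("after revoke ->", verify_token(db, tok))
```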
[web2py] Re: Returning a token for Android app authentication
But are you reconnecting to the same web2py session on each request?

On Thursday, January 3, 2013 3:20:01 PM UTC-6, Mark Li wrote:
> I reviewed your code again and looked into the source code for web2py to see how web2py deals with session login cookies. For what I want to accomplish, I believe I have found a method which does not involve changing web2py source code. It's simpler and more straightforward for me to wrap my head around (also not having to worry about storing cookies in the app). Please let me know if there's anything important I am missing or security flaws that I should consider.
>
> 1. Embed webview into native Android app, using auth.login_bare to authenticate.
> 2. On login success, return a token of similar format to web2py's session cookies.
> 3. Store this token in the database (in a table named 'tokens'), and send back to Android app as a cookie.
> 4. For every request to my web service that requires authentication, send the token as a cookie and have the receiving API controller function extract the cookie/token. If the token is currently in db.tokens, then the user has been authenticated and the request returns the appropriate data.
> 5. On logout/password change, delete the issued tokens for this user from db.tokens, so the same token can't be used to authenticate for future api calls.
Re: [web2py] Re: Returning a token for Android app authentication
On Fri, Jan 4, 2013 at 2:57 PM, dlypka dly...@gmail.com wrote:
> But are you reconnecting to the same web2py session on each request?

That's how OAuth Providers work (for the most part).

Would be good if we could create an OAuth Provider in web2py though…
[web2py] Re: Returning a token for Android app authentication
Perhaps this should go in a web2pyslice?

On Monday, 31 December 2012 21:28:04 UTC-6, dlypka wrote:
> I developed a solution for this. I posted it here:
> https://groups.google.com/forum/?fromgroups=#!topic/web2py/YVYQHRJmcos
>
> Happy New Year!
[web2py] Re: Returning a token for Android app authentication
Yes it is my New Year's Resolution to make time to put it in a Slice.

On Tuesday, January 1, 2013 10:35:49 AM UTC-6, Massimo Di Pierro wrote:
> Perhaps this should go in a web2pyslice?
[web2py] Re: Returning a token for Android app authentication
:-)

On Tuesday, 1 January 2013 10:45:47 UTC-6, dlypka wrote:
> Yes it is my New Year's Resolution to make time to put it in a Slice.
[web2py] Re: Returning a token for Android app authentication
Thanks for the responses, and Happy New Years to you guys too!

dlypka, for your cookieless solution, it assumes that the client app can't store/extract tokens? In the Google Android link above, it says that both Android and iOS can read and extract the tokens/cookies. So when the Android app calls the Web2py app, wouldn't it just pass in the cookie/token and have Web2py verify it as Web2py normally verifies session login cookies?

On Tuesday, January 1, 2013 9:07:16 AM UTC-8, Massimo Di Pierro wrote:
> :-)
[web2py] Re: Returning a token for Android app authentication
I was not precisely calling from a native Android or native iOS app. I was using a PhoneGap client, which is different. It looks like a web browser but is not a browser client. PhoneGap can only use HTML5 storage unless you write a native Android / iOS PhoneGap extension/plugin.

So my technique will work from almost any client platform, even from a Windows native client app for example, as long as it uses HTTP.

Also, in my tracing of how web2py handles the client connection, I believe I found a few wrinkles in the sequence of events which needed to be handled specially in this case where the client is not a web browser.

In your particular case, if you have cookies in the native client, then that is one less problem to solve. You probably just have to mimic the HTTP messages that a browser would send.

On Tuesday, January 1, 2013 5:19:50 PM UTC-6, Mark Li wrote:
> Thanks for the responses, and Happy New Years to you guys too!
>
> dlypka, for your cookieless solution, it assumes that the client app can't store/extract tokens? In the Google Android link above, it says that both Android and iOS can read and extract the tokens/cookies. So when the Android app calls the Web2py app, wouldn't it just pass in the cookie/token and have Web2py verify it as Web2py normally verifies session login cookies?
[web2py] Re: Returning a token for Android app authentication
I developed a solution for this. I posted it here:
https://groups.google.com/forum/?fromgroups=#!topic/web2py/YVYQHRJmcos

Happy New Year!

On Monday, December 31, 2012 4:38:40 PM UTC-6, Mark Li wrote:
> I am currently trying to authenticate users on an Android app to my Web2py application. I am not comfortable implementing this on my own without some guidance/advice, as I'm worried about the security of the login information becoming jeopardized.
>
> I am following the guideline for authentication outlined by Google here:
> https://developers.google.com/accounts/docs/MobileApps
>
> Another outline of how I'm trying to accomplish authentication is outlined here:
> http://stackoverflow.com/questions/7358715/authentication-model-for-android-application
>
> The first step, and my question, is how I would generate a token to return to the Android app after the user has successfully logged in. It is suggested that this token be in the same format as what Web2py uses for session login cookies, except with a 'mobile' flag indicating the token can only be used for API calls, and doesn't have the short lifespan of a browser session.
>
> Any help would be greatly appreciated, as I haven't read too much about authentication to web2py from an Android app.