[aerogear-dev] Basic/Digest Auth and JS

Gorkem Ercan gorkem.ercan at gmail.com
Fri May 24 20:06:20 EDT 2013


This will also put Basic/Digest authentication out of reach for the Cordova
apps as well, right?
Can anything be done for Cordova apps? I can see wrapping iOS/Android
implementations as Cordova plugins as one solution but something pure JS
may feel better.
--
Gorkem



On Wed, May 22, 2013 at 11:52 AM, Kris Borchers <kris at redhat.com> wrote:

>
> On May 22, 2013, at 10:39 AM, Christos Vasilakis <cvasilak at gmail.com>
> wrote:
>
>
> On May 22, 2013, at 5:43 PM, Summers Pittman <supittma at redhat.com> wrote:
>
> On 05/22/2013 10:12 AM, Kris Borchers wrote:
>
> OK, so I am going to try to spell out the workflow as I see it working in
> JS. I would appreciate any feedback on whether or not this is crazy/wrong.
>
>
>    1. Create Basic or Digest authenticator
>       1. Must include a callback to be fired when a request to auth is
>       received from server
>    2. Create pipe which uses this authenticator
>    3. Attempt read, save or remove on this pipe
>    4. Endpoint returns 401 with header indicating type of auth required
>       1. Need to research that this won't trigger the browser's native
>       Basic/Digest auth handling
>    5. Fire user supplied auth callback passing it a reference to a
>    "login" method that the user will pass the credentials collected in the
>    auth callback
>    6. Use "login" method to construct appropriate response to server's 401
>       1. This is the fun part :-P
>
> In the Android version, login is called by the developer, not by the
> framework.  This "primes" the authenticator which then provides whatever
> tokens/headers/parameters/etc that the pipe will need to authenticate the
> request.
>
>
> Same with iOS with an HttpBasic/Digest authentication module. Upon
> 'login', credentials are 'cached' using a built-in system provided object
> (no http request). When a request is made which requires authentication,
> the system checks first to see if credentials exist in its store (which we
> cached earlier with 'login') and if found it authenticates the session.
> Similarly, when 'logout' is called, we remove the cached credentials from the
> system.
>
>
> This brings up a good point. If the browser doesn't do the caching for us
> in JS then I am not sure we can pursue this. I do not feel comfortable
> doing any sort of credential caching in JS as that is just asking for
> trouble.
>
>
> for this particular context, the authentication module mechanism we have,
> fitted nicely in filling the credential information to the system store,
> which uses them for authentication (and hopefully enough
>
>
> Thanks
> Christos
>
>
>
> This may have to be changed in the future to support multiple login flows.
>
>
>    1. Server responds to auth attempt
>       1. Success - continue to process original read, write or remove
>       2. Error - trigger a user supplied auth failure callback
>
>
> Thanks!
>
> On May 22, 2013, at 8:44 AM, Summers Pittman <supittma at redhat.com> wrote:
>
> On 05/21/2013 08:22 AM, Kris Borchers wrote:
>
> So, having seen the plans around Basic and Digest auth for Android and
> iOS, I am wondering if there is any need for that on JS. Typically that is
> handled by the browser and then the server maintains the session so I would
> lean toward not needing anything specific in JS for these types of auth.
> Input welcome.
>
> It may be useful if someone tries to embed it in a Node container or
> write a Windows 8 app, Gnome 3 extension, etc.
>
>
> Kris
> _______________________________________________
> aerogear-dev mailing list
> aerogear-dev at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/aerogear-dev
>
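
The workflow proposed in the quoted thread above, sketched for Basic auth as an added example (not part of the original messages and not AeroGear's API). All names (`createBasicAuthenticator`, `createPipe`, `fakeServer`) are hypothetical, the transport is a synchronous in-memory function, and Node's `Buffer` is assumed; the credentials exist only inside the one-shot `login` call and are never stored on the authenticator.

```javascript
// Added example: hypothetical names, not the AeroGear API.
function parseChallenge(header) {
  const m = /^\s*(\w+)(?:\s+(.*))?$/.exec(header || "");
  if (!m) return null;
  const realm = /realm="([^"]*)"/i.exec(m[2] || "");
  return { scheme: m[1].toLowerCase(), realm: realm ? realm[1] : "" };
}

// RFC 7617: "Basic " + base64(user-id ":" password), encoded as UTF-8.
function basicHeader(user, password) {
  if (user.includes(":")) throw new Error("user-id must not contain ':'");
  return "Basic " + Buffer.from(user + ":" + password, "utf8").toString("base64");
}

// Step 1: the authenticator holds only the callbacks, never the credentials.
function createBasicAuthenticator(onAuthRequired, onAuthFailure) {
  return { onAuthRequired, onAuthFailure };
}

// Steps 2-6 plus the server's answer; `transport` maps a request to a response.
function createPipe(transport, auth) {
  return {
    read(url) {
      const request = { method: "GET", url, headers: {} };
      const first = transport(request); // step 3
      if (first.status !== 401) return first;
      const challenge = parseChallenge(first.headers["www-authenticate"]); // step 4
      if (!challenge || challenge.scheme !== "basic") return first;
      let retry = null;
      // Step 5: pass the app a one-shot "login"; credentials live only in this call.
      auth.onAuthRequired(challenge.realm, function login(user, password) {
        if (retry) throw new Error("login already used for this challenge");
        const headers = { ...request.headers, authorization: basicHeader(user, password) };
        retry = transport({ ...request, headers }); // step 6
      });
      if (!retry) return first; // the app declined to log in
      if (retry.status === 401) auth.onAuthFailure(challenge.realm); // error branch
      return retry; // success branch: the original read completes
    },
  };
}

// Constructed in-memory endpoint standing in for the real server.
function fakeServer(req) {
  const ok = req.headers.authorization === basicHeader("alice", "s3cret");
  return ok
    ? { status: 200, headers: {}, body: "[1,2,3]" }
    : { status: 401, headers: { "www-authenticate": 'Basic realm="demo"' }, body: "" };
}
```
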