[aerogear-dev] iOS Basic/Digest Thoughts

Matthias Wessendorf matzew at apache.org
Wed May 29 05:13:12 EDT 2013


On Wed, May 29, 2013 at 10:20 AM, Christos Vasilakis <cvasilak at gmail.com>wrote:

> Hi,
>
> iOS platform provides built-in implementations for authenticating against
> HTTP endpoints that support Basic / Digest authentication (among others).
> The workflow when iOS tries to authenticate against those endpoints is
> basically:
>
> a) A credential storage singleton object<https://developer.apple.com/library/mac/#documentation/Cocoa/Reference/Foundation/Classes/NSURLCredentialStorage_Class/Reference/Reference.html> provided
> by the system is consulted for authentication credentials. If credentials
> are found, the system proceeds with authentication. Understandably for this
> to work, the developer has to initially push the credentials to the system
> object (and remove when done).
>
> b) If credentials are NOT found, the system tries to call the delegate
> method e.g. 'connection:didReceiveAuthenticationChallenge<http://developer.apple.com/library/mac/documentation/Foundation/Reference/NSURLConnectionDelegate_Protocol/Reference/Reference.html#//apple_ref/occ/intfm/NSURLConnectionDelegate/connection:didReceiveAuthenticationChallenge:>',
> giving a chance for the user to provide the credentials, by calling the
> appropriate methods on the authentication challenge object passed in.
>
> AeroGear library,  currently has a notion of pluggable authentication
> modules providing an interface for clients to implement  'login', and
> 'logout' methods, depending on the authentication scenarios that they try
> to support. This fits nicely with singleton credential storage approach, in
> the sense when doing 'login' and 'logout', we simply edit the credential
> storage adding or removing credentials appropriately. A branch for this
> work can be found here<https://github.com/cvasilak/aerogear-ios/tree/basic.digest.auth>.
> For usage, have a look at our integration test<https://github.com/cvasilak/aerogear-ios-integration/blob/basic.digest.auth/AeroGear-iOS-Integration/AeroGear-iOS-IntegrationTests/AGHttpBasicAuthenticationTests.m>
>
> For testing purposes, another branch<https://github.com/cvasilak/aerogear-ios/tree/basic.digest.nsurlcredential> was
> created, this time letting the user to directly pass<https://github.com/cvasilak/aerogear-ios-integration/blob/basic.digest.nsurlcredential/AeroGear-iOS-Integration/AeroGear-iOS-IntegrationTests/AGHttpBasicAuthenticationTests.m#L50>
>  an NSURLCredential<http://developer.apple.com/library/ios/#Documentation/Cocoa/Reference/Foundation/Classes/NSURLCredential_Class/Reference/Reference.html> object
> initialised with the username/password combination during the Pipe
> configuration. Those credentials are internally stored and given back to
> the system by implementing the necessary callback <https://github.com/cvasilak/aerogear-ios/blob/basic.digest.nsurlcredential/AeroGear-iOS/AeroGear-iOS/core/AGHttpClient.m#L240>.
> A usage example can be found in our  integration test<https://github.com/cvasilak/aerogear-ios-integration/blob/basic.digest.nsurlcredential/AeroGear-iOS-Integration/AeroGear-iOS-IntegrationTests/AGHttpBasicAuthenticationTests.m>
>
> advantages of using the singleton approach:
> - fits nicely with the authentication mechanism we have in place (as an
> extension HTTPBasicDigestAuthenticationModule<https://github.com/cvasilak/aerogear-ios/blob/basic.digest.auth/AeroGear-iOS/AeroGear-iOS/security/AGHttpBasicDigestAuthentication.m>)
> so user familiarity when looking to add basic/digest support to the Pipe.
> - we control the credential type e.g.
> 'NSURLCredentialPersistenceForSession'. This eliminates errors of using
> 'NSURLCredentialPersistencePermanent' and having the user to explicitly
> clear the keychain when trying to login with a different combination. For
> my search, many errors occurs because of this.
>
> disadvantages of using the singleton approach:
> - not sure if many iOS dev will like the fact of creating an Authenticator
> object instead of using directly an NSURLCredential object that are used to.
>
> ---
> advantages of using the 'nsurlcredential' directly:
> - users familiarity with the object.
> - not explicit login logout request.
>
> disadvantages of using the 'nsurlcredential' directly:
> - error credential type can lead to errors.
>
> With discussions with Matthias, we are more keen in following the
> HTTPBasicDigestAuthenticationModule<https://github.com/cvasilak/aerogear-ios/blob/basic.digest.auth/AeroGear-iOS/AeroGear-iOS/security/AGHttpBasicDigestAuthentication.m> approach
> instead of providing the NSURLCredential<http://developer.apple.com/library/ios/#Documentation/Cocoa/Reference/Foundation/Classes/NSURLCredential_Class/Reference/Reference.html> configuration
> option on the Pipe. Surely enough, in the documentation we will explicitly
> state that "login"/ "logout" methods,  serve as a mean to setup internally
> the iOS authentication system so users don't have too (instead of calling
> remote endpoints)
>


While the "NSURLCredential" better fits the meanings of BASIC/DIGEST (no
explicit login/logout against a server), however that will cause all sorts
of issues, since the APP_DEVELOPER is reponsible for providing
the NSURLCredential; If we uses a _permanent_ storage, all sorts of errors
may occur (like Christos was already indicating).


I (currently) like the "auth_module" approach better. However, as Christos
mentioned, we need to state (in API docs) that login/logout is JUST
applying/removing the credentials. The doc needs to say that on LOGIN (for
instance) no request is hit against the server.


-Matthias





>
> Wdyt?
>
> Thanks,
> Christos
>
>
> _______________________________________________
> aerogear-dev mailing list
> aerogear-dev at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/aerogear-dev
>



-- 
Matthias Wessendorf

blog: http://matthiaswessendorf.wordpress.com/
sessions: http://www.slideshare.net/mwessendorf
twitter: http://twitter.com/mwessendorf
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.jboss.org/pipermail/aerogear-dev/attachments/20130529/ea6d22cf/attachment.html 


More information about the aerogear-dev mailing list