googlearchive/android-credentials

Javascript authentication

Closed this issue · 6 comments

My use case is accessing a server's login screen via Javascript without an opportunity to inject the username and password from native code. The server returns a token in a roundabout way, via the web with an intent and intent filter. What are the alternatives to:
signInWithPassword(credential.getId(), credential.getPassword());
when I retrieve the Credential?

The logic of my app, which has dynamic and diverse authentication servers, is to come back from a successful login with an API call String that is encrypted on the device for future use. Can I use SmartLock with this use case?

I am trying SmartLock to support devices that do not have Lollipop and later authentication APIs.
Refer to this Stack Overflow

Thanks in advance for any suggestions.

@emezias sorry I don't completely understand your request. What do you mean by "alternatives to signInWithPassword(credential.getId(), credential.getPassword())"?

@samtstern The logic in my app is to save an authorization API call when returning to the app for future authentication. At no point in time is there any opportunity to access a native text field for the username and app. That is all done through a web form.

@emezias sorry there is no way to use the SmartLock Android API to populate a web form, and I don't think there will be support for that in the future. There are too many security concerns with crossing the barrier between Java code and WebView code.

You probably want to take a look at the credential management API for web: https://developers.google.com/web/updates/2016/04/credential-management-api

@samtstern - the server side is the part that I do not control and cannot change. I may or may not have an administrator with write permission. Is there a way to bypass the username/password and get a token instead from SmartLock?

@emezias there's nothing special about the password field in SmartLock. You could store a token in there if you wanted to and it will be passed back to your application in the same way.
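What this looks like in practice, as an added example that is not part of the issue thread or the android-credentials sample: the token handed back from the web login is written into the Credential's password slot via the Play Services Credentials API and read back on the next launch. It assumes an Activity that already holds a connected GoogleApiClient with Auth.CREDENTIALS_API, the request codes RC_SAVE / RC_READ, and the TokenCallback interface, all of which are hypothetical names chosen for this example.

```java
import android.app.Activity;
import android.content.Intent;
import android.content.IntentSender;
import android.util.Log;

import com.google.android.gms.auth.api.Auth;
import com.google.android.gms.auth.api.credentials.Credential;
import com.google.android.gms.auth.api.credentials.CredentialRequest;
import com.google.android.gms.auth.api.credentials.CredentialRequestResult;
import com.google.android.gms.common.api.CommonStatusCodes;
import com.google.android.gms.common.api.GoogleApiClient;
import com.google.android.gms.common.api.ResultCallback;
import com.google.android.gms.common.api.Status;

/**
 * Example helper (not from the android-credentials sample): keeps an API token
 * in the Smart Lock "password" field, which the library treats as an opaque string.
 */
public class TokenCredentialStore {
    private static final String TAG = "TokenCredentialStore";
    // Assumed request codes; any two values the host Activity does not already use.
    static final int RC_SAVE = 1001;
    static final int RC_READ = 1002;

    /** Assumed callback type for delivering the stored token to the app. */
    public interface TokenCallback {
        void onToken(String accountId, String token);
        void onNoToken();
    }

    private final Activity activity;
    private final GoogleApiClient apiClient; // assumed connected with Auth.CREDENTIALS_API

    public TokenCredentialStore(Activity activity, GoogleApiClient apiClient) {
        this.activity = activity;
        this.apiClient = apiClient;
    }

    /** Call once the web login has produced a token; accountId is the user-visible identity. */
    public void saveToken(String accountId, String token) {
        Credential credential = new Credential.Builder(accountId)
                .setPassword(token) // token, not a password: Smart Lock does not care
                .build();
        Auth.CredentialsApi.save(apiClient, credential).setResultCallback(new ResultCallback<Status>() {
            @Override
            public void onResult(Status status) {
                if (status.isSuccess()) {
                    Log.d(TAG, "token saved to Smart Lock");
                } else if (status.hasResolution()) {
                    // Smart Lock wants the user to confirm the save; finish in onActivityResult.
                    try {
                        status.startResolutionForResult(activity, RC_SAVE);
                    } catch (IntentSender.SendIntentException e) {
                        Log.e(TAG, "could not launch save resolution", e);
                    }
                } else {
                    Log.w(TAG, "save failed, status " + status.getStatusCode());
                }
            }
        });
    }

    /** On a later launch: ask Smart Lock for the stored credential and hand the token back. */
    public void loadToken(final TokenCallback callback) {
        CredentialRequest request = new CredentialRequest.Builder()
                .setPasswordLoginSupported(true)
                .build();
        Auth.CredentialsApi.request(apiClient, request).setResultCallback(
                new ResultCallback<CredentialRequestResult>() {
            @Override
            public void onResult(CredentialRequestResult result) {
                Status status = result.getStatus();
                if (status.isSuccess()) {
                    Credential c = result.getCredential();
                    callback.onToken(c.getId(), c.getPassword());
                } else if (status.getStatusCode() == CommonStatusCodes.RESOLUTION_REQUIRED) {
                    // Several saved credentials, or the user must pick/confirm one.
                    try {
                        status.startResolutionForResult(activity, RC_READ);
                    } catch (IntentSender.SendIntentException e) {
                        Log.e(TAG, "could not launch read resolution", e);
                        callback.onNoToken();
                    }
                } else {
                    callback.onNoToken(); // nothing stored: fall back to the web login
                }
            }
        });
    }

    /** Forward the host Activity's onActivityResult here to complete a RC_READ resolution. */
    public void onActivityResult(int requestCode, int resultCode, Intent data, TokenCallback callback) {
        if (requestCode == RC_READ) {
            if (resultCode == Activity.RESULT_OK && data != null) {
                Credential c = data.getParcelableExtra(Credential.EXTRA_KEY);
                callback.onToken(c.getId(), c.getPassword());
            } else {
                callback.onNoToken(); // user dismissed the picker
            }
        }
    }
}
```

Two practical caveats go with this: the value in the password field is synced to the user's Google account exactly as a password would be, so the stored token should be one the server can revoke and that is scoped to what the app needs; and when the server invalidates it, remove the stale entry with Auth.CredentialsApi.delete(apiClient, credential) so the next loadToken call falls back to the web login instead of replaying a dead token.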

@samtstern That will work. There's one more point to consider - protected access might be required. The overview page says:

Alternatively, the user may have to input some additional information (e.g. a pin-code or password) to retrieve the password

Can you expand on that? Is the library able to use a locally configured pin or password for access to the credential?