How to keep a user logged in (single login) [link auth with machine + client?]

Hi,

I have a client who wants to keep the user logged in after a one-time log-in. It will be both a mobile and a web application.

I created an OAuth flow (JWT) that stores the user's client_id with their token in the KVM, so the next time that client_id is sent in, I check whether it exists in the KVM and use the token automatically.

A Google expert recommended that I add a machine "fingerprint" to associate the user's token + client_id with the machine (so the app will only request another login if they change machine). I couldn't find a way, through Apigee, to get a MAC address.

Is this possible with Apigee alone, or do I necessarily need to add an identity provider framework?

Thanks in advance.


I just wanted to share an idea: instead of the KVM, why don't you store that in the cache? That should be an easy option.

Because the cache expires. The idea is to keep the user logged in every time they come back to access the app. It's like Uber or iFood: you only log in once.

Thank you though.

Even an OAuth token expires. If you don't want it to expire, then OAuth is not the right choice. You can use API key verification in this case.

I'm not sure that storing the token in the KVM and reusing it is providing value here. Nor is there a way to fingerprint a machine. If you're trying to address some MITM attack, then I'm assuming someone who has access to the token can also get to the arbitrary "fingerprint" that's generated and sent in the request?

API key verification doesn't provide any security.

For the phone app use case, it may be worth considering using some device storage, along with encryption of the token, and letting the user go through a standard auth/OIDC flow. For the web app, be careful of storing tokens in session storage, for example, as this could be retrieved via script; look for a cookie-based solution. There may be others with better solutions on this.


Another way is to maintain cookies to continue the session. Make it so that once the user is successfully logged in, a particular cookie is generated in which the OAuth token and the client IP are appended. In the subsequent calls that cookie is passed by the consumer app, so that Apigee can validate it: if the same cookie is in the request, it first validates that the client IP is the same as the requester IP, and it also validates the OAuth token. This will do the validation every time, but the user will not be required to enter credentials again.