
Requests with Authentication

Why you should know this

As the use of the HTTP protocol evolved, so have the efforts of hackers trying to exploit it.

In fact, HTTP is such an insecure protocol that Apple has all but prohibited its use in iOS apps.

Over the last few releases of iOS, Apple has redesigned iOS's networking frameworks to work natively with HTTP's secure counterpart: HTTPS.

And the primary difference between HTTPS and HTTP?

  • HTTPS adds authentication: the server proves its identity with a certificate before any data is exchanged, and the exchange itself is encrypted.

Every iOS developer must know how to implement HTTPS-based network calls with some sort of authentication.

Most mobile apps implement some form of user authentication. This logic is performed by a backend service, but it's still an important part of an app's architecture.

Learning Objectives

  1. Make authenticated API requests.
  2. Distinguish between OAUTH and API Key security models.
  3. Design an authentication flow for a mobile app.

Network Authentication for iOS

There can be a variety of options for securing network communications.

Here are two options:

  • OAUTH is an "authorization framework that enables third-party applications to obtain limited access to a web service."
  • API Keys
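The request side of both models looks alike: the credential goes in a request header over HTTPS, and the difference is what the credential represents (a long-lived app key vs. a short-lived user token). The following is an added Swift example, not code from the original lesson or the Moviefy tutorial; the host, the `X-API-Key` header name and the placeholder credential values are assumptions.

```swift
import Foundation
#if canImport(FoundationNetworking)
import FoundationNetworking   // URLSession lives here on Linux
#endif

/// The two credential models discussed above.
enum APICredential {
    case apiKey(String)         // long-lived secret that identifies the app or account
    case bearerToken(String)    // short-lived OAuth access token that identifies a user session

    /// Header the credential travels in. "X-API-Key" is an assumption (services document their
    /// own header name); "Authorization: Bearer" is the OAuth 2.0 convention (RFC 6750).
    var header: (name: String, value: String) {
        switch self {
        case .apiKey(let key):        return ("X-API-Key", key)
        case .bearerToken(let token): return ("Authorization", "Bearer \(token)")
        }
    }
}

/// Build a GET request that carries the credential in a header rather than the query string
/// (query strings end up in proxy and server access logs; headers normally do not).
func makeAuthenticatedRequest(url: URL, credential: APICredential) -> URLRequest {
    precondition(url.scheme == "https", "credentials must only be sent over HTTPS")
    var request = URLRequest(url: url)
    request.httpMethod = "GET"
    request.setValue(credential.header.value, forHTTPHeaderField: credential.header.name)
    request.setValue("application/json", forHTTPHeaderField: "Accept")
    return request
}

/// Send the request; the status code is handed back so the caller can react to a 401
/// (refresh the token in the OAuth model, or treat the key as revoked in the API-key model).
func send(_ request: URLRequest, completion: @escaping (Int, Data?, Error?) -> Void) {
    URLSession.shared.dataTask(with: request) { data, response, error in
        let status = (response as? HTTPURLResponse)?.statusCode ?? -1
        completion(status, data, error)
    }.resume()
}

// Usage with constructed placeholder values (the host and credentials are not real):
let profileURL = URL(string: "https://api.example.com/me")!
let userRequest = makeAuthenticatedRequest(url: profileURL,
                                           credential: .bearerToken("ACCESS_TOKEN_PLACEHOLDER"))
let appRequest = makeAuthenticatedRequest(url: profileURL,
                                          credential: .apiKey("API_KEY_PLACEHOLDER"))
print(userRequest.allHTTPHeaderFields ?? [:])   // shows the Authorization header
print(appRequest.allHTTPHeaderFields ?? [:])    // shows the API-key header
send(userRequest) { status, _, error in
    print("profile request finished with status", status, "error:", error as Any)
}
```

Keeping the credential out of the URL and refusing to build a request for a non-HTTPS scheme are the two checks worth copying into real code; which header name to use is whatever the service you talk to documents.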

Collaborative activity - 15 min

Let's compare both

How can we authenticate users in a mobile app? 📱

  • Embedded login screen
  • External login screen

Embedded login screens have been the go-to option for many years.

❌ Credentials are managed by the app = security issues

✅ No screen-switching or delays when logging in


External login screens delegate authentication to a different application (FB, Google, Safari, etc.)

❌ Not as seamless

✅ Handling credentials can be made by another entity that's more specialized and secure


Let's talk about tokens

Modern authentication flows use tokens.

"Tokens are specially crafted pieces of data that carry just information to either authorize the user to perform an action, or allow a client to get additional information about the authorization process (to then complete it)" - Auth0

In other words, a client first requests a token and then presents that token to get access to resources.

Types of tokens

  • 🔑 Access Tokens: carry the necessary info to access a resource directly

  • 🔄 Refresh Tokens: carry the information necessary to get a new access token

JWT

A JSON Web Token (JWT) is a common way to represent token information.

  • The data format is JSON.
  • Carries common fields such as subject, issuer, expiration time, etc.
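To see those fields in practice, the following added Swift example (not part of the lesson) parses the payload segment of a compact JWT and reads the `sub` and `exp` claims. The sample token is constructed for this example: its header is `{"alg":"HS256","typ":"JWT"}`, its payload is `{"sub":"1234567890","exp":1700000000}`, and its third segment is a placeholder rather than a real signature.

```swift
import Foundation

/// Registered claims this example reads (RFC 7519 §4.1); all optional because a token may omit them.
struct JWTClaims: Decodable {
    let sub: String?        // subject: who the token is about
    let iss: String?        // issuer
    let exp: TimeInterval?  // expiration, seconds since the Unix epoch
}

enum JWTError: Error { case malformed, badBase64 }

/// base64url (RFC 4648 §5) to bytes: swap the URL-safe alphabet back and restore stripped padding.
func base64URLDecode(_ s: String) throws -> Data {
    var b64 = s.replacingOccurrences(of: "-", with: "+")
               .replacingOccurrences(of: "_", with: "/")
    while b64.count % 4 != 0 { b64 += "=" }
    guard let data = Data(base64Encoded: b64) else { throw JWTError.badBase64 }
    return data
}

/// Parse the claims out of a compact JWT (header.payload.signature).
/// This only reads the token; it does NOT verify the signature. The client may use `exp`
/// to schedule a refresh, but only the server's signature check makes the claims trustworthy.
func decodeClaims(of jwt: String) throws -> JWTClaims {
    let parts = jwt.split(separator: ".", omittingEmptySubsequences: false)
    guard parts.count == 3 else { throw JWTError.malformed }
    let payload = try base64URLDecode(String(parts[1]))
    return try JSONDecoder().decode(JWTClaims.self, from: payload)
}

/// Treat the token as expired `leeway` seconds early so a refresh happens before the server
/// rejects it. A token with no `exp` is treated as unusable rather than as valid forever.
func isExpired(_ claims: JWTClaims, now: Date = Date(), leeway: TimeInterval = 30) -> Bool {
    guard let exp = claims.exp else { return true }
    return now.timeIntervalSince1970 >= exp - leeway
}

// Constructed sample token (see lead-in); the last segment is a placeholder, not a signature.
let sampleJWT = "eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9"
    + ".eyJzdWIiOiIxMjM0NTY3ODkwIiwiZXhwIjoxNzAwMDAwMDAwfQ"
    + ".SIGNATURE_PLACEHOLDER"

let claims = try decodeClaims(of: sampleJWT)
print("subject:", claims.sub ?? "-", "issuer:", claims.iss ?? "-", "exp:", claims.exp ?? 0)
print(isExpired(claims, now: Date(timeIntervalSince1970: 1_699_999_000)))  // checked 1000 s before exp
print(isExpired(claims))                                                   // checked at the current time
```

The point of `isExpired` is scheduling: an app reads `exp` to decide when to swap in a new access token, not to decide whether to trust the token's contents, which is the server's job.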

Design an auth flow

Use a flow chart to explain how you would design the authorization flow of a mobile app that uses Access Tokens and Refresh Tokens to get a user's profile information.
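One possible answer to that design exercise, written out as Swift rather than a flow chart, is the added example below (it is not part of the lesson or the Moviefy tutorial). It models the three states a profile fetch can end in: success, a transparent refresh followed by a retry, and sign-out when the refresh token itself is rejected. The backend, the URLs and the token values are all constructed so the flow runs offline; in an app the `transport` closure would wrap `URLSession`.

```swift
import Foundation

/// Tokens an OAuth-style login hands back. Values used below are constructed placeholders.
struct TokenPair {
    var accessToken: String    // short-lived; sent on every API call
    var refreshToken: String   // long-lived; only ever sent to the token endpoint
}

/// What a single HTTP exchange looks like to the flow below (status code + body).
struct HTTPReply { let status: Int; let body: Data }

// Constructed endpoints for this example.
let profileURL = URL(string: "https://api.example.com/me")!
let tokenURL = URL(string: "https://auth.example.com/oauth/token")!

/// Authorization flow for "get the user's profile" with access + refresh tokens.
final class ProfileAuthFlow {
    enum Outcome {
        case profile(Data)   // got the user's profile
        case signedOut       // refresh token rejected: show the login screen again
        case failed(Int)     // some other HTTP status
    }

    private(set) var tokens: TokenPair
    private let transport: (URLRequest) -> HTTPReply   // injected so a fake backend can be used

    init(tokens: TokenPair, transport: @escaping (URLRequest) -> HTTPReply) {
        self.tokens = tokens
        self.transport = transport
    }

    private func profileRequest() -> URLRequest {
        var r = URLRequest(url: profileURL)
        r.setValue("Bearer \(tokens.accessToken)", forHTTPHeaderField: "Authorization")
        return r
    }

    /// Refresh per RFC 6749 §6: the refresh token goes in the POST body, to the token endpoint only.
    private func refreshRequest() -> URLRequest {
        var r = URLRequest(url: tokenURL)
        r.httpMethod = "POST"
        r.setValue("application/x-www-form-urlencoded", forHTTPHeaderField: "Content-Type")
        r.httpBody = Data("grant_type=refresh_token&refresh_token=\(tokens.refreshToken)".utf8)
        return r
    }

    private func parseTokens(_ body: Data) -> TokenPair? {
        guard let obj = try? JSONSerialization.jsonObject(with: body) as? [String: Any],
              let access = obj["access_token"] as? String else { return nil }
        // A server that rotates refresh tokens sends a new one; otherwise keep the current one.
        let refresh = obj["refresh_token"] as? String ?? tokens.refreshToken
        return TokenPair(accessToken: access, refreshToken: refresh)
    }

    func fetchProfile() -> Outcome {
        // 1. Try with the access token we already hold.
        var reply = transport(profileRequest())
        if reply.status == 200 { return .profile(reply.body) }
        guard reply.status == 401 else { return .failed(reply.status) }

        // 2. Access token rejected: exchange the refresh token for a new pair, once.
        let refreshReply = transport(refreshRequest())
        guard refreshReply.status == 200, let fresh = parseTokens(refreshReply.body) else {
            return .signedOut   // refresh token expired or revoked: the user must log in again
        }
        tokens = fresh          // persist to the Keychain in a real app, never UserDefaults

        // 3. Retry exactly once; a second 401 is not retried, which avoids refresh loops.
        reply = transport(profileRequest())
        return reply.status == 200 ? .profile(reply.body) : .failed(reply.status)
    }
}

/// Constructed fake backend: only "access-2" is currently valid, and "refresh-1" can be redeemed.
func fakeBackend(_ req: URLRequest) -> HTTPReply {
    if req.url == tokenURL {
        let body = String(decoding: req.httpBody ?? Data(), as: UTF8.self)
        guard body.contains("refresh_token=refresh-1") else { return HTTPReply(status: 400, body: Data()) }
        return HTTPReply(status: 200, body: Data(#"{"access_token":"access-2","refresh_token":"refresh-2"}"#.utf8))
    }
    if req.value(forHTTPHeaderField: "Authorization") == "Bearer access-2" {
        return HTTPReply(status: 200, body: Data(#"{"name":"Ada"}"#.utf8))
    }
    return HTTPReply(status: 401, body: Data())
}

// Start with a stale access token: the flow should refresh once and then succeed.
let flow = ProfileAuthFlow(tokens: TokenPair(accessToken: "access-1", refreshToken: "refresh-1"),
                           transport: fakeBackend)
print(flow.fetchProfile())            // outcome after the refresh-and-retry
print(flow.tokens.accessToken)        // the access token the flow now holds

// A stale refresh token ends in sign-out instead of an endless refresh loop.
let expired = ProfileAuthFlow(tokens: TokenPair(accessToken: "old", refreshToken: "revoked"),
                              transport: fakeBackend)
print(expired.fetchProfile())
```

Two design choices to carry into the flow chart: the refresh token is sent only to the token endpoint and never alongside API calls, and the retry after a refresh happens at most once so a misbehaving server cannot keep the app refreshing forever.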

Jamboard

Authorization in practice

  • Complete the Moviefy tutorial, which uses OAUTH and tokens to authenticate users.

Additional Resources

  1. HTTPS image
  2. OAUTH
  3. Apple Sign in
  4. Auth0 post on Authentication
  5. Auth0 post on Refresh Tokens