This question is locked. New answers and comments are not allowed.
Guy Provost
Top achievements
Rank 1
Rank 1
Guy Provost
asked on 11 Sep 2014, 12:53 PM
We are using a partner web site to manage log in chores (membership and stuff), so when a user "log in" the app, we show the user a browser (window.open with the "_system" target) in which there's a form where the user can login (kinda like a flow you can see in OAuth).
Now, I think that by using the target _self or _blank, which turns out as using respectively a webview or the inAppBrowser, the developer of the app can "sniff" what's going on that web page by inserting and executing JavaScript in the webview/inAppBrowser. That is the reason why we use _self, this indicates to the app to use the "official" browser of the platform, Safari on iOS and Chrome or whatever comes with Android on an Android platform.
That is all well and nice but when the login chores are done, and that the app is back on view (through a call to the custom scheme we configured for the app), the browser still is at whatever page it landed on when the login process occured. Is there a way to "Close" the current browser page on Safari or Chrome ?
A collateral question to this one would also be, what's the proper way to use a login provider on this mobile platform. A way that would prevent unscrupulous developers to "steal" credentials from the user of the app ? Not that we have a problem with our devs :), I only want to build as safely as I can!
Thanks!
Now, I think that by using the target _self or _blank, which turns out as using respectively a webview or the inAppBrowser, the developer of the app can "sniff" what's going on that web page by inserting and executing JavaScript in the webview/inAppBrowser. That is the reason why we use _self, this indicates to the app to use the "official" browser of the platform, Safari on iOS and Chrome or whatever comes with Android on an Android platform.
That is all well and nice but when the login chores are done, and that the app is back on view (through a call to the custom scheme we configured for the app), the browser still is at whatever page it landed on when the login process occured. Is there a way to "Close" the current browser page on Safari or Chrome ?
A collateral question to this one would also be, what's the proper way to use a login provider on this mobile platform. A way that would prevent unscrupulous developers to "steal" credentials from the user of the app ? Not that we have a problem with our devs :), I only want to build as safely as I can!
Thanks!
1 Answer, 1 is accepted
0
Hello Guy,
You can close the instance of the browser by calling the ref.close() method where ref is the reference to the current browser instance. You can further explore the InAppBrowser API here. Note that a _self target will open a domain from the white-listed in the official browser, or in the InAppBrowser if the domain is not in the white-listed. More on whitelisting in Cordova you can read here.
Most of the times you will subscribe to the 'loadstop' or 'loadstart' events of the browser and obtain the access token for the user from the response. When this is completed you can call the ref.close() method.
Securing further the oAuth flow depends on the version of the oAuth framework your authentication management is implementing. oAuth 2.0 is regarded as relatively more secure for client-side JavaScript authentication.
Furthermore, you may consider to implement a login process with a token-based authentication where the user exchanges here username and password for a token from an authentication API. Probably the API you are currently using has a REST endpoint for authentication and you can call it directly from your app. Needless to say that you should call the server over SSL/TLS. For further security you may consider to use the SSL certificate checker plugin from the Telerik Verified Plugins Marketplace.
Let me know if you have further questions.
Regards,
Anton Dobrev
Telerik
You can close the instance of the browser by calling the ref.close() method where ref is the reference to the current browser instance. You can further explore the InAppBrowser API here. Note that a _self target will open a domain from the white-listed in the official browser, or in the InAppBrowser if the domain is not in the white-listed. More on whitelisting in Cordova you can read here.
Most of the times you will subscribe to the 'loadstop' or 'loadstart' events of the browser and obtain the access token for the user from the response. When this is completed you can call the ref.close() method.
Securing further the oAuth flow depends on the version of the oAuth framework your authentication management is implementing. oAuth 2.0 is regarded as relatively more secure for client-side JavaScript authentication.
Furthermore, you may consider to implement a login process with a token-based authentication where the user exchanges here username and password for a token from an authentication API. Probably the API you are currently using has a REST endpoint for authentication and you can call it directly from your app. Needless to say that you should call the server over SSL/TLS. For further security you may consider to use the SSL certificate checker plugin from the Telerik Verified Plugins Marketplace.
Let me know if you have further questions.
Regards,
Anton Dobrev
Telerik
Visit the Telerik Verified Plugins Marketplace and get the custom Cordova plugin you need, already tweaked to work seamlessly with AppBuilder.