iOS authentication to web server

OK. So I need some guidance as I am a total iOS authentication noob.

I have a simple app. Users can log in to the app and send messages to friends. There is a web server and a MySQL database that holds the users and login information.

Question: How do I authenticate a user when he logs in, safely and securely?

I have spent the last several hours hurting my brain on the following authentication stuff I found from Google:

  1. OAuth 1.0 - is said to be good. But it is a protocol and not a library. Do I have to implement this from scratch? Is this even needed in my case for authentication?
  2. OAuth 2.0 - it seems that some sites are using this. I have the same questions for this as for version 1.0. I also saw this message from the library's lead creator literally saying f*** version 2.0 because it was bad for security. But yet so many still use it. Is it dangerous?
  3. The creator of 2.0 has now gone on to make a completely different library because of how bad 2.0 was and because of how unscalable 1.0 was. His library is called OZ. Should I be using this for my server?
  4. I see Alamofire / AFNetworking have basic authentication shown in their documentation. Should I just screw the OAuth stuff and just use theirs?

Being new to the authentication thing, all this is very confusing to me. Can anyone knowledgeable in this provide some guidance?

I am currently in the process of creating a cross-platform application and have spent quite some time researching this!

My approach to the project is using an ASP.NET Web API using OWIN middleware.

This uses bearer tokens to authenticate the user. Using Microsoft.Identity you can limit endpoints down to roles or even individual users (authorization).

Currently I create a user on the REST API; they log in at the /token endpoint and then receive a token. This token is then saved to the Apple keychain and can be used to authenticate the user for further requests to the API.

As long as you use SSL this is a secure method and is used widely in many applications.

This approach uses OAuth2 also, so you'll be able to easily integrate Facebook/Google/etc.

Here is a link to the Microsoft documentation for some further reading on how I did it: http://www.asp.net/web-api/overview/security/authentication-and-authorization-in-aspnet-web-api

Currently this is working perfectly for me for an Angular front-end but would work exactly the same in iOS, except you may want to save the token to the Keychain storage.

We mostly use OAuth 2, creating a custom system on iOS to handle the authentication.

Nothing is ever bullet-proof, but the 2-token system decreases the chance of stealing credentials quite nicely.

The Alamofire, AFNetworking or any other libraries you may find have nothing to do with this though. What type of credentials you use depends on your choice, or rather the choice of the API. You may use these tools to ease your communication with the API though.

So the idea behind this is that you will try to send your user name and password only once, when logging in, and then you will receive the two tokens which are further used to communicate. This will decrease the chance for someone to intercept the request with the user name and password, which are the ultimate key to get access to the user data.

Next is the "refresh token", which is used to receive a new "access token". This call should be made every few hours or so (controlled by the API). If someone was to steal this token he would be able to use it to get further access for an infinite duration, or until the owner chooses to invalidate the refresh tokens (this is what happens when you click "log out from all devices"). So this is still quite bad if someone gets it.

Then there is the "access token", which is used for each and every further request to the server. These tokens have a limited time till they are invalidated, so if someone was to intercept it somehow he would have access to the data for the duration of the token.

So assuming this is the procedure that is done on the backend, this is what you need to do:

  • If you have the access token and it is valid, simply use the service
  • If you receive the error that the access token is invalid, you need to refresh the access token using your refresh token
  • If the refresh token reports an error, you need to navigate back to the login screen
  • If the app has no refresh token, then simply go to the login screen

There are some other things that are nice to cover, such as: if the request reports an invalid token you should pend the request, refresh the token and then repeat the call to the pending request. A system around this may be quite large.

This is pretty much it about the tokens and authentication, but there are other parts of the communication which increase the security, such as using an https secure connection. When talking about security you must take a look into every part of the communication.
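The two answers above describe the same shape of protocol: credentials are sent once to a token endpoint, the client keeps the returned tokens in the Keychain, and every later request carries a short-lived access token that is renewed with a refresh token. The following is an added, language-neutral simulation of that exchange with both sides in one file; it is not code from either answer, not Alamofire/AFNetworking or ASP.NET code, and it runs offline against an in-memory stand-in for the server. The `TokenServer` class, the `/messages` path, the lifetimes, the user `alice` and her password are all constructed for the example. It goes one step beyond the answer in one respect: refresh tokens are single-use (rotated on every refresh), so a replayed copy is rejected. On a real iOS client the `store` dictionary is the role the Keychain plays.

```python
import hmac
import secrets
import time

# Lifetimes are constructed sample values; in practice the API decides them.
ACCESS_TTL = 3600            # one hour: a stolen access token is only useful this long
REFRESH_TTL = 30 * 86400     # thirty days: the refresh token outlives many access tokens


class AuthError(Exception): pass
class AccessTokenInvalid(AuthError): pass
class RefreshTokenInvalid(AuthError): pass
class NotLoggedIn(AuthError): pass


class TokenServer:
    """Stand-in for the backend's /token and refresh endpoints (hypothetical, in-memory)."""

    def __init__(self, users, clock=time.time):
        # Constructed sample: username -> password. A real server stores salted password hashes.
        self.users = users
        self.clock = clock
        self.access = {}           # access token  -> (username, expires_at)
        self.refresh_tokens = {}   # refresh token -> (username, expires_at)

    def _issue(self, username):
        now = self.clock()
        access, refresh = secrets.token_urlsafe(32), secrets.token_urlsafe(32)
        self.access[access] = (username, now + ACCESS_TTL)
        self.refresh_tokens[refresh] = (username, now + REFRESH_TTL)
        return {"access_token": access, "refresh_token": refresh, "expires_in": ACCESS_TTL}

    def login(self, username, password):
        expected = self.users.get(username)
        if expected is None or not hmac.compare_digest(expected, password):
            raise AuthError("bad credentials")
        return self._issue(username)

    def refresh(self, refresh_token):
        # Rotation: each refresh token works once, so a replayed (stolen) copy is rejected.
        entry = self.refresh_tokens.pop(refresh_token, None)
        if entry is None or entry[1] <= self.clock():
            raise RefreshTokenInvalid()
        return self._issue(entry[0])

    def request(self, path, access_token):
        entry = self.access.get(access_token)
        if entry is None or entry[1] <= self.clock():
            raise AccessTokenInvalid()
        return f"{path} for {entry[0]}"

    def logout_everywhere(self, username):
        # "Log out from all devices": every token of the user is invalidated server-side.
        self.refresh_tokens = {t: e for t, e in self.refresh_tokens.items() if e[0] != username}
        self.access = {t: e for t, e in self.access.items() if e[0] != username}


class TokenClient:
    """The four-step client procedure from the answer; `store` plays the iOS Keychain."""

    def __init__(self, server):
        self.server = server
        self.store = {}

    def login(self, username, password):
        # Username and password cross the wire exactly once; afterwards only tokens do.
        self.store = dict(self.server.login(username, password))

    def _refresh(self):
        try:
            self.store = dict(self.server.refresh(self.store["refresh_token"]))
        except RefreshTokenInvalid:
            self.store = {}   # step 3: refresh failed, wipe tokens and go to the login screen
            raise

    def call(self, path):
        if "refresh_token" not in self.store:
            raise NotLoggedIn()   # step 4: no refresh token, straight to the login screen
        try:
            return self.server.request(path, self.store["access_token"])   # step 1
        except AccessTokenInvalid:
            self._refresh()       # step 2: refresh, then repeat the pending request
            return self.server.request(path, self.store["access_token"])


def run_scenario():
    """Drive the exchange with a fake clock and report what happened at each stage."""
    now = [1_700_000_000.0]
    server = TokenServer({"alice": "correct horse battery"}, clock=lambda: now[0])
    client = TokenClient(server)
    client.login("alice", "correct horse battery")
    old_refresh = client.store["refresh_token"]
    events = {"first_call": client.call("/messages")}

    now[0] += ACCESS_TTL + 1                              # access token expired, refresh still valid
    events["after_expiry"] = client.call("/messages")     # refreshed and retried transparently
    events["rotated"] = client.store["refresh_token"] != old_refresh
    try:
        server.refresh(old_refresh)                       # replay of the superseded refresh token
        events["replay"] = "accepted"
    except RefreshTokenInvalid:
        events["replay"] = "rejected"

    server.logout_everywhere("alice")                     # "log out from all devices"
    now[0] += ACCESS_TTL + 1
    try:
        client.call("/messages")
        events["after_revoke"] = "served"
    except RefreshTokenInvalid:
        events["after_revoke"] = "login required"
    events["store_empty"] = client.store == {}
    return events


if __name__ == "__main__":
    print(run_scenario())
```

The scenario exercises every branch of the bullet list: a valid access token is used directly, an expired one is refreshed and the pending request repeated, a refresh token that the server no longer accepts empties the store so the app falls back to the login screen, and a replayed refresh token is rejected because of rotation. The server-side lookups are what make revocation work; tokens that are only checked for a valid signature (stateless JWTs) cannot be invalidated this way without an additional deny-list.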
