I'd like to know the mechanism for storing a secret key on a mobile application for session authentication. I have a Tornado webserver that will use third-party external services to authenticate users with, e.g., Facebook or Google. I'm familiar with storing cookies using set_secure_cookie when using a browser. However, what if a mobile application is now connecting and doing the authentication? What mechanism would I use to store a secret like a secure cookie for future session authentication? The below shows the code for validating a user:

    import tornado.auth
    import tornado.web


    class GoogleOAuth2LoginHandler(tornado.web.RequestHandler,
                                   tornado.auth.GoogleOAuth2Mixin):
        async def get(self):
            if self.get_argument('code', False):
                # Second leg: exchange the authorization code for the user's tokens
                user = await self.get_authenticated_user(
                    redirect_uri='http://your.site.com/auth/google',
                    code=self.get_argument('code'))
                # Save the user with e.g. set_secure_cookie
            else:
                # First leg: send the user to Google's consent page
                await self.authorize_redirect(
                    redirect_uri='http://your.site.com/auth/google',
                    client_id=self.settings['google_oauth']['key'],
                    scope=['profile', 'email'],
                    response_type='code',
                    extra_params={'approval_prompt': 'auto'})

How would this be modified for a mobile application that doesn't rely on a browser and cookie support?
In iOS, there is an API in the NSHTTPCookie class where you can save the entire HTTP response string. The code will be something like below to create a cookie.

    if let requestUrl = url {
        // Parse the Set-Cookie headers of the response into HTTPCookie objects
        let httpCookies = HTTPCookie.cookies(withResponseHeaderFields: response.allHeaderFields as! [String : String], for: requestUrl)
    }

Then you can save the cookie:

    HTTPCookieStorage.shared.setCookies(httpCookies, for: url, mainDocumentURL: url)

You can also access this cookie and set it to the WebView if needed.
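
On the server side, the value that set_secure_cookie signs can also be issued as a token and checked from a request header, so a client without cookie support can present it. This is an added example, not code from the question or the answer; the cookie name, the 7-day lifetime, the Bearer header scheme and ApiHandler are assumptions.

```python
from typing import Callable, Optional

import tornado.web

SESSION_NAME = "session"   # assumed name, shared with the browser cookie
MAX_AGE_DAYS = 7           # assumed session lifetime


def issue_session_token(secret: str, user_id: str,
                        clock: Optional[Callable[[], float]] = None) -> str:
    """Sign user_id the same way set_secure_cookie does, but return the
    value so it can go in a response body instead of a Set-Cookie header."""
    signed = tornado.web.create_signed_value(secret, SESSION_NAME, user_id, clock=clock)
    return signed.decode("ascii")


def user_from_authorization(secret: str, header: Optional[str]) -> Optional[str]:
    """Return the user id from 'Authorization: Bearer <token>', or None if the
    header is missing, malformed, tampered with, or older than MAX_AGE_DAYS."""
    scheme, _, token = (header or "").partition(" ")
    if scheme.lower() != "bearer" or not token.strip():
        return None
    raw = tornado.web.decode_signed_value(
        secret, SESSION_NAME, token.strip(), max_age_days=MAX_AGE_DAYS)
    return raw.decode("utf-8") if raw is not None else None


class ApiHandler(tornado.web.RequestHandler):
    """Hypothetical API handler: accepts the header token or the cookie."""

    def get_current_user(self) -> Optional[str]:
        secret = self.application.settings["cookie_secret"]
        user = user_from_authorization(
            secret, self.request.headers.get("Authorization"))
        if user is None:  # browser clients still arrive with the signed cookie
            cookie = self.get_secure_cookie(SESSION_NAME, max_age_days=MAX_AGE_DAYS)
            user = cookie.decode("utf-8") if cookie else None
        return user

    def get(self) -> None:
        if self.current_user is None:
            raise tornado.web.HTTPError(401)
        self.write({"user": self.current_user})
```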