Offline authenticated user

    Question

  • Hi everyone,

    I'm currently building an app that uses both offline (SQLite) and online (MSSQL via RESTful API) storage.

    The first time a user launches the app, he's prompted to create an account (internet connection needed).

    He will be authenticated with his credentials and will receive a token. (thinking about OAuth2)

    User inputs are stored both online (when the user is connected) and offline.

My question is: how does an authenticated user access the app without an internet connection?

    Should I store the last authenticated user on this device and let him access the SQLite DB?

    Thank you for your time.

    Tuesday, June 10, 2014 2:26 PM

Answers

  • I can't help with Android. On Windows you can have multiple accounts on the same device. Adam cannot see Beth's data and vice versa.

    You can enable multiple accounts within your app, but that's just for the local user's convenience. It will let Adam differentiate between his two accounts, but if Beth uses Adam's account then the local files are still Adam's.

The normal way to handle this is to show the last "account" but let the user choose to switch to others as desired.

    --Rob

    Monday, June 16, 2014 3:27 PM
    Owner

All replies

  • Do you need to authenticate for the local user? The user will already have had to log in to the local machine. In most cases I'd leave that as sufficient identity for the local database, and I'd generally cache the credentials for the web service so the user doesn't have to constantly log in there.

    --Rob

    Tuesday, June 10, 2014 9:23 PM
    Owner
First of all, thank you Rob for your answer.

    I don't need(/wish) to authenticate for the local user as any user should be able to connect to his account on someone else's device, like Facebook or Evernote.

Concerning the credentials, the token-based authentication should allow me not to store any user credentials on the local device, as I consider this a security issue. This will allow a transparent online user authentication.

    What bothers me is the offline authentication/recognition of the last authenticated user on the local device.

    Typically, the authentication should be like this:

1) The user needs a connection to authenticate the first time and will use his credentials

    2) The server will accept and send back a token which will be stored locally

    3) User input will be stored on the server and locally

    The user closes the app

    1) The user comes back to the app with an internet connection

    2) His token is still valid, the server accepts his requests

    3) User input will be stored on the server and locally

    The user closes the app

    1) The user comes back without an internet connection

2) The app recognizes the user

    3) User input will be stored locally

4) When the user reconnects and his token is still valid, the local DB will sync with the remote one and send the user input

    I hope this is clear enough. Let me know if you need any other information.

    --Fx

    PS: I'm using a Windows Universal App and the client will also be implemented for Android and iOS.

    Tuesday, June 10, 2014 9:41 PM
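The three sessions described above, worked through as an added example (not code from the original thread or from any product mentioned in it): a stand-in server issues a short-lived bearer token, the client persists only that token (never the password), recognises the user offline for as long as the token is unexpired, writes input locally first, and drains an outbox on reconnect. The server, adjustable clock, test credential and one-hour TTL are all constructed for the example.

```python
import secrets


class Clock:
    """Adjustable clock so token expiry can be exercised without sleeping (constructed for the example)."""
    def __init__(self, start=1_000_000.0):
        self.now = start

    def advance(self, seconds):
        self.now += seconds


class FakeAuthServer:
    """Stand-in for the REST API: issues bearer tokens and stores user input. Not a real backend."""
    TOKEN_TTL = 3600  # seconds; assumed value

    def __init__(self, clock):
        self.clock = clock
        self.users = {"fx": "correct-horse-battery"}  # constructed test credential
        self.tokens = {}   # token -> (user, expiry)
        self.stored = []   # (user, payload) rows the server has persisted

    def login(self, user, password):
        if self.users.get(user) != password:
            return None
        token = secrets.token_urlsafe(32)
        expiry = self.clock.now + self.TOKEN_TTL
        self.tokens[token] = (user, expiry)
        return token, expiry

    def store_input(self, token, payload):
        entry = self.tokens.get(token)
        if entry is None or entry[1] <= self.clock.now:
            return False  # unknown or expired token: the server would answer 401
        self.stored.append((entry[0], payload))
        return True


class OfflineClient:
    """Client with a SQLite-style local store plus an outbox of rows the server has not acknowledged yet."""
    def __init__(self, server, clock):
        self.server = server
        self.clock = clock
        self.online = True
        self.session = None   # persisted on the device: user, token, expiry; the password is never kept
        self.local_db = []    # every row the user entered, online or offline
        self.outbox = []      # rows still waiting for server acknowledgement

    def login(self, user, password):
        """Steps 1-2 of the first session: needs connectivity; only the issued token is retained."""
        if not self.online:
            raise ConnectionError("initial authentication requires a connection")
        result = self.server.login(user, password)
        if result is None:
            return False
        token, expiry = result
        self.session = {"user": user, "token": token, "expires": expiry}
        return True

    def current_user(self):
        """Offline step 2: recognise the user from the cached session, but only while the token is unexpired."""
        if self.session and self.session["expires"] > self.clock.now:
            return self.session["user"]
        return None

    def save_input(self, payload):
        """Step 3: write locally first; push to the server when online, otherwise queue in the outbox."""
        user = self.current_user()
        if user is None:
            raise PermissionError("no valid session; the user must log in again")
        row = {"user": user, "payload": payload, "synced": False}
        self.local_db.append(row)
        if self.online and self.server.store_input(self.session["token"], payload):
            row["synced"] = True
        else:
            self.outbox.append(row)
        return row

    def sync(self):
        """Step 4: on reconnect, drain the outbox while the token is accepted; a rejection ends the session."""
        if not self.online or self.current_user() is None:
            return 0
        sent = 0
        for row in list(self.outbox):
            if not self.server.store_input(self.session["token"], row["payload"]):
                self.session = None  # server rejected the token: force a fresh online login
                break
            row["synced"] = True
            self.outbox.remove(row)
            sent += 1
        return sent


def run_scenario():
    """Walk through the sessions from the post and report what each step observed."""
    clock = Clock()
    server = FakeAuthServer(clock)
    client = OfflineClient(server, clock)
    client.login("fx", "correct-horse-battery")
    client.save_input("note 1")                 # first session, online: stored on server and locally
    clock.advance(600)
    client.online = False
    offline_user = client.current_user()        # third session, step 2: recognised from the cached token
    client.save_input("note 2")                 # step 3: local only, queued for later
    queued = len(client.outbox)
    client.online = True
    sent = client.sync()                        # step 4: outbox delivered while the token is still valid
    clock.advance(server.TOKEN_TTL)             # let the token expire
    expired_user = client.current_user()        # expired: the app no longer recognises anyone
    return {"offline_user": offline_user, "queued": queued, "sent": sent,
            "server_rows": len(server.stored), "expired_user": expired_user}
```

The decision that matters for the security question in the thread is in `current_user`: offline recognition is bounded by the token's lifetime, so a device that stays offline past expiry falls back to requiring an online login, and a token the server rejects during `sync` clears the session rather than leaving the app trusting a stale identity.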
  • That sounds fairly standard. I'm not sure I understand what you are asking though.

    Thursday, June 12, 2014 4:02 AM
    Owner
What I don't understand is how my application should identify the user when there is no internet connection. The 2) in the last part.

    Should it pick the last authenticated user? Isn't that a security issue?

    Thursday, June 12, 2014 3:24 PM
  • The app is already running in the context of the currently authenticated user. I'd just go with that. Adding further local authentication won't add security, unless you are encrypting the local database and need the user to provide the encryption key.

    If you want something beyond that it's up to your own design, but it's not really a security system at that point.

    --Rob

    Thursday, June 12, 2014 4:57 PM
    Owner
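Rob's caveat, illustrated with an added example that is not from the original thread: a local prompt only adds protection when what the user types is the input to the database key. Here the key is derived with PBKDF2 from a passphrase and is stored nowhere; the device keeps only a random salt and an HMAC verifier, so a cached "last user" record on its own cannot unlock the data. The round count and the verifier label are assumptions for the example; handing the derived key to an encrypted SQLite build is left to the app.

```python
import hashlib
import hmac
import os

PBKDF2_ROUNDS = 100_000          # assumed cost; tune to the device
VERIFIER_LABEL = b"local-db-key-check"  # constant mixed into the verifier, chosen for the example


def _derive_key(passphrase, salt):
    """Stretch the user's passphrase into a 32-byte key; the passphrase itself is never written to disk."""
    return hashlib.pbkdf2_hmac("sha256", passphrase.encode("utf-8"), salt, PBKDF2_ROUNDS, dklen=32)


def enroll(passphrase):
    """Create the on-device key record: salt plus a verifier derived from the key, nothing secret."""
    salt = os.urandom(16)
    key = _derive_key(passphrase, salt)
    verifier = hmac.new(key, VERIFIER_LABEL, "sha256").digest()
    return {"salt": salt, "verifier": verifier}


def unlock(record, passphrase):
    """Re-derive the key from what the user typed; return it only if it matches the stored verifier."""
    key = _derive_key(passphrase, record["salt"])
    check = hmac.new(key, VERIFIER_LABEL, "sha256").digest()
    if not hmac.compare_digest(check, record["verifier"]):
        return None   # wrong passphrase: no key, so the encrypted local database stays closed
    return key
```

Contrast this with a record that merely names the last authenticated user: that record identifies, but it does not gate anything, which is exactly why Rob says such a prompt is "not really a security system" unless it feeds the encryption key.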
If I understand correctly, you are talking about the currently logged-in user on the local device? It is something I don't want to use since anybody can log in from a specific device.

    The local database is encrypted but the user doesn't need to provide an encryption key.

Take Evernote for instance. On my Android device, I had to first log in using an Internet connection and my credentials, but I can now type in new notes without a connection. How does Evernote know I am the last authenticated user? Does it just store it somewhere?

    Monday, June 16, 2014 1:53 PM