Demo mobile apps and SPA, to demonstrate the nonce authenticator pattern on a development computer.
This provides an additional Single Sign On (SSO) option between mobile and web apps, to prevent a double login.
The following components are called, from a mobile emulator or device.
The SPA and OAuth agent are hosted on the same domain, behind a Docker based reverse proxy.
This ensures that the HTTP-only cookies issued to the SPA are first-party:
Build and deploy the system with the following commands:
./build.sh
./deploy.shTo enable a setup that works on a standalone computer, an ngrok base URL is used:
The internet base URL is: https://c7b9-2-26-158-168.eu.ngrok.ioMobile and web apps running on devices or emulators then have full connectivity, over HTTPS URLs.
Backend components use URLs similar to the following values:
| Component | Internet URL |
|---|---|
| Web Host | https://c7b9-2-26-158-168.eu.ngrok.io/spa |
| OAuth Agent | https://c7b9-2-26-158-168.eu.ngrok.io/oauth-agent |
| Curity Identity Server Runtime URL | https://c7b9-2-26-158-168.eu.ngrok.io |
The Curity Identity Server Admin UI is available at https://localhost:6749/admin.
Sign in with credentials admin / Password1 to inspect the OAuth configuration.
Run the mobile client from Android Studio or Xcode, and an unauthenticated view will be shown:
| Android | iOS |
|---|---|
 |
 |
Click the login button and sign in as demouser / Password1.
| Android | iOS |
|---|---|
 |
 |
The authenticated view will then be presented, to enable navigation to the SPA:
| Android | iOS |
|---|---|
 |
 |
The mobile app posts its ID token to the nonce authenticator in order to get a one-time token.
It then passes the nonce in a query string parameter to the SPA, when loading it in a browser.
The SPA then runs an OpenID Connect redirect that authenticates the user automatically, using the nonce:
| Android | iOS |
|---|---|
 |
 |
See the following resources for further information:
Please visit curity.io for more information about the Curity Identity Server.