Search Mailing List Archives
iPhone App and WebAuth
eagle at windlord.stanford.edu
Sat Sep 17 13:49:55 PDT 2011
Aaron Masao Nagao <anagao at stanford.edu> writes:
> I'm writing a native iPhone app, using a developer framework that allows
> camera. I would like to use WebAuth to authenticate its users, as its
> intended audience is solely Stanford undergraduates (signing up for
> mailing lists at the Activities Fair).
I'm afraid there is no way to do specifically what you've described with
WebAuth, and it's not something that we want to support. WebAuth is not a
generalized authentication system. It's an authentication system
specifically to protect web content and should not be used as a substitute
for implementing real authentication in an application that isn't
retrieving web content.
But, more fundamentally, there's something here about your security model
that I don't understand. If the user already has the application, and the
application doesn't talk to any external resource like a web site, what's
the point of doing any authentication? It sounds like you're trying to
use the authentication system to prevent people from using an application
they already have, which seems fundamentally backwards. The
authentication should instead be applied at the resource that the
application itself talks to (presumably it must talk to *something*
outside of the iPhone or there would be no point in it).
In other words, why is the app not just sending the user to a web site
protected by WebAuth where they will then be prompted to authenticate like
they would be authenticated to any other web site?
Russ Allbery <eagle at windlord.stanford.edu>
Technical Lead, ITS Infrastructure Delivery Group, Stanford University
More information about the webauth-info