iPhone App and WebAuth

Russ Allbery eagle at windlord.stanford.edu
Sat Sep 17 13:49:55 PDT 2011


Aaron Masao Nagao <anagao at stanford.edu> writes:

> I'm writing a native iPhone app, using a developer framework that allows
> me to write the app in HTML/Javascript yet still access the iPhone
> camera. I would like to use WebAuth to authenticate its users, as its
> intended audience is solely Stanford undergraduates (signing up for
> mailing lists at the Activities Fair).

I'm afraid there is no way to do specifically what you've described with
WebAuth, and it's not something that we want to support.  WebAuth is not a
generalized authentication system.  It's an authentication system
specifically to protect web content and should not be used as a substitute
for implementing real authentication in an application that isn't
retrieving web content.

But, more fundamentally, there's something here about your security model
that I don't understand.  If the user already has the application, and the
application doesn't talk to any external resource like a web site, what's
the point of doing any authentication?  It sounds like you're trying to
use the authentication system to prevent people from using an application
they already have, which seems fundamentally backwards.  The
authentication should instead be applied at the resource that the
application itself talks to (presumably it must talk to *something*
outside of the iPhone or there would be no point in it).

In other words, why is the app not just sending the user to a web site
protected by WebAuth where they will then be prompted to authenticate like
they would be authenticated to any other web site?

-- 
Russ Allbery <eagle at windlord.stanford.edu>
Technical Lead, ITS Infrastructure Delivery Group, Stanford University



More information about the webauth-info mailing list