HTTP API Authentication
To gain access to protected HTTP API endpoints, the application using the Nevis SDK has to be authenticated. To achieve this, the mobile application must be able to intercept its own HTTP communication, in particular the responses with which the backend rejects unauthenticated calls.
The following figure outlines the HTTP API authentication sequence in a simplified manner:
HTTP authentication as used with the Client SDK is similar to HTTP basic authentication in that the backend challenges an unauthenticated request with a 401 status and the client repeats the request with credentials.
The HTTP authentication process consists of the following steps:
- The application tries to access a protected HTTP API endpoint.
- The backend is expected to respond with `HTTP 401 UNAUTHORIZED`.
- HTTP responses with this status code must be intercepted by the application.
- After intercepting such a response, the application calls the Client SDK to start an authentication operation.
- The Client SDK executes the authentication operation against the Nevis Mobile Authentication backend.
- As a result of the authentication operation, authorization tokens are returned to the SDK.
- The SDK returns the authorization tokens to the application inside an `AuthorizationProvider` object.
- The authorization tokens (cookies or JWT tokens) contained in the `AuthorizationProvider` must be used by the application for all authenticated calls against the relying party HTTP API backend.
If the authentication interaction with the user takes too long (3 minutes), the operation times out and the request fails.
Non-dynamic cookies
For cookie-based session tracking, the SDK assumes that the cookie returned in the `Set-Cookie` header stays valid for several HTTP requests, i.e. the application keeps sending the cookie it received from the SDK and does not have to pick up a renewed cookie from every response.
If the nevisProxy configuration uses a `SecurityRoleFilter`, ensure that its `RenewIdentification` parameter is set to `none`: dynamic cookies, which are renewed on every request, are currently not supported.
This is a restriction for cookie-based authentication, which will potentially be lifted in future SDK versions.
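As an added illustration of the authentication sequence above and of the non-dynamic cookie restriction (example code written for this page, not the Nevis SDK's or the page's own code), the following Python models the application side against an in-memory relying-party backend. `FakeBackend`, `ApiClient`, the `authenticate` callable, the simulated clock and the `renew` switch are constructed stand-ins; the `AuthorizationProvider` here only mimics the role of the SDK object, and its shape is an assumption, not the SDK's API.

```python
import secrets
from dataclasses import dataclass
from types import SimpleNamespace
from typing import Callable, Dict, List, Optional, Tuple

AUTH_TIMEOUT_SECONDS = 180  # the 3-minute limit on the user interaction stated above

@dataclass
class Response:
    status: int
    headers: Dict[str, str]

@dataclass
class AuthorizationProvider:
    """Assumed stand-in for the SDK object of the same name: carries a cookie or a JWT."""
    cookie: Optional[str] = None
    jwt: Optional[str] = None

    def headers(self) -> Dict[str, str]:
        out: Dict[str, str] = {}
        if self.cookie:
            out["Cookie"] = self.cookie
        if self.jwt:
            out["Authorization"] = "Bearer " + self.jwt
        return out

class FakeBackend:
    """Constructed relying-party API protected by a session cookie. renew='none' keeps one
    cookie for the whole session; any other value rotates it on every call (dynamic cookies)."""

    def __init__(self, renew: str = "none") -> None:
        self.renew, self.sessions = renew, set()

    def issue_cookie(self) -> str:
        sid = secrets.token_hex(8)
        self.sessions.add(sid)
        return "SESSION=" + sid

    def request(self, path: str, headers: Dict[str, str]) -> Response:
        cookie = headers.get("Cookie", "")
        sid = cookie[len("SESSION="):] if cookie.startswith("SESSION=") else None
        if sid not in self.sessions:
            return Response(401, {})  # the application must intercept this
        resp_headers: Dict[str, str] = {}
        if self.renew != "none":
            self.sessions.discard(sid)  # the old cookie becomes invalid ...
            resp_headers["Set-Cookie"] = self.issue_cookie()  # ... and a new one is issued
        return Response(200, resp_headers)

class ApiClient:
    """Application side: intercepts 401, starts the authentication operation, retries once."""

    def __init__(self, backend: FakeBackend, authenticate: Callable[[], AuthorizationProvider],
                 clock: SimpleNamespace, timeout: float = AUTH_TIMEOUT_SECONDS) -> None:
        self.backend, self.authenticate, self.clock, self.timeout = backend, authenticate, clock, timeout
        self.provider: Optional[AuthorizationProvider] = None
        self.auth_operations = 0  # how often the application had to call the SDK

    def get(self, path: str) -> Response:
        resp = self.backend.request(path, self.provider.headers() if self.provider else {})
        if resp.status != 401:
            return resp
        self.auth_operations += 1  # intercepted 401: start the authentication operation
        started = self.clock.now
        provider = self.authenticate()  # stands in for the Client SDK call
        if self.clock.now - started > self.timeout:  # the SDK enforces this; simulated here
            raise TimeoutError("authentication exceeded %d s" % self.timeout)
        self.provider = provider
        resp = self.backend.request(path, provider.headers())  # retry with the returned tokens
        if resp.status == 401:  # a second 401 is an error, not a reason to loop
            raise PermissionError("still unauthorized after authentication")
        return resp

def run_cookie_session(renew: str, requests: int = 3) -> Tuple[List[int], int]:
    """Status of each call plus the number of authentication operations the app had to run."""
    backend, clock = FakeBackend(renew), SimpleNamespace(now=0.0)

    def authenticate() -> AuthorizationProvider:
        clock.now += 5.0  # the user approves within a few seconds
        return AuthorizationProvider(cookie=backend.issue_cookie())

    client = ApiClient(backend, authenticate, clock)
    return [client.get("/api/item/%d" % i).status for i in range(requests)], client.auth_operations

def run_slow_user() -> str:
    """The user takes longer than the limit: the operation fails instead of returning tokens."""
    backend, clock = FakeBackend(), SimpleNamespace(now=0.0)

    def authenticate() -> AuthorizationProvider:
        clock.now += 200.0
        return AuthorizationProvider(cookie=backend.issue_cookie())

    try:
        ApiClient(backend, authenticate, clock).get("/api/item/0")
    except TimeoutError:
        return "timed out"
    return "succeeded"
```

With `renew="none"` three calls cost one authentication operation: the first call is answered with 401, the application authenticates, retries, and then reuses the same cookie. With any rotating setting the backend replaces the cookie on every authenticated call, but the application keeps sending the one it got from the `AuthorizationProvider`, so every call is rejected again and three calls cost three authentication operations. That is the failure mode the `RenewIdentification = none` requirement exists to avoid. `run_slow_user` shows the timeout path: the tokens never reach the application and the original request fails.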