HTTP API Authentication
To gain access to protected HTTP API endpoints, the application using the Nevis SDK has to be authenticated. To achieve this, the mobile application must intercept HTTP communication.
The following figure outlines the HTTP API authentication sequence in a simplified manner:
HTTP authentication used in the Client SDK is similar to HTTP basic authentication.
The HTTP authentication process consists of the following steps:
- The application tries to access a protected HTTP API endpoint.
- The backend is expected to respond with
HTTP 401 UNAUTHORIZED.
- HTTP requests with this HTTP error code must be intercepted by the application.
- After intercepting this type of request, the Client SDK has to be called to start an authentication operation.
- The Client SDK then executes the authentication operation against the Nevis Mobile Authentication backend.
- As result of the authentication operation, authorization tokens are returned to the SDK.
- The SDK returns the authorization token inside an
AuthorizationProviderobject to the application.
- The authorization tokens (Cookies or JWT tokens) contained in the
AuthorizationProvidermust be used by the application for executing authenticated calls against a relying party HTTP API backend.
If the authentication interaction with the user takes too long (3 minutes), the operation times out and the request fails.
For cookie-based session tracking, it is assumed that the cookie returned with the
Set-Cookie header can be used for several HTTP requests.
In case the nevisProxy configuration uses a
SecurityRoleFilter, ensure that the
RenewIdentififcation is set to none - dynamic cookies are currently not supported.
This is a restriction for cookie-based authentication, which will potentially be lifted in future SDK versions.