## Mobile Apps Authentication Report

We implement IdentityServer4 (OpenID Connect and OAuth 2.0). Specifically, we use the Resource Owner Password Credentials (ROPC) flow for our mobile apps, given our trust in the client's security (our mobile app can securely store and send the client ID and secret). This choice also aligns with our goal of providing a seamless user experience within the mobile app, without redirecting users to external web pages for login.

To enhance security and minimize user logins, we rely on access tokens and refresh tokens. This approach mitigates the security risks associated with long access token lifetimes.

We've decided not to use reference tokens and have instead gone with JWT tokens for improved performance, since a JWT is validated locally without needing to check with the authentication server on every request or store the token in a database.

### Authentication Flow Overview:

- **Client:** The mobile app, equipped with a client ID and client secret.
- **User:** The mobile app user, identified by a username and password.

Getting an access token requires submitting the user credentials together with the client ID and secret. While the client ID and secret are securely stored in the mobile app, users input their credentials directly. Upon successful login, the client receives an access token and a refresh token.

The refresh token has a 3-month lifetime, which is extended each time it is used to refresh (sliding lifetime). In contrast, the access token's lifespan is set at a shorter 6 hours.

### Token Lifecycle:

- **Access Token:** Valid for 6 hours, granting authorized access to APIs/pages.
- **Refresh Token:** 3-month lifespan, extendable through token refresh.

To renew access after the access token expires, the client uses the refresh token; the refresh token's own lifetime is extended by that refresh. However, if the refresh token is not used for 3 months, it expires and the user is prompted to log in again.

In essence, the refresh token expires when it is left unrefreshed for longer than its 3-month lifespan.

### Summary:

1. User logs in.
2. Authorized access granted for 6 hours.
3. Refresh tokens used to extend access.
4. After 3 months without refresh, user must log in again.

### References:

- [IdentityServer4 Documentation](https://identityserver4.readthedocs.io/)
- [Auth0 Documentation](https://auth0.com/docs)

### Additional Resources:

- [Postman Collection](https://documenter.getpostman.com/view/23639078/2s9Ykt5JsF)
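The following C# is an added example, not configuration from this report or from the IdentityServer4 project. It shows the IdentityServer4 `Client` registration that encodes the token lifecycle described in the Token Lifecycle and Summary sections (6-hour JWT access token, 3-month sliding refresh token) and the two token-endpoint calls the mobile app makes with the IdentityModel client library. The client ID, client secret, token endpoint URL and the `api1` scope are placeholders. Two settings are worth calling out because the sliding behaviour described above depends on them: `AbsoluteRefreshTokenLifetime` defaults to 30 days and caps a sliding token unless set to `0`, and `RefreshTokenUsage = TokenUsage.OneTimeOnly` makes each refresh token single-use, so a refresh token that is replayed after it has been consumed is rejected.

```csharp
// Added example (not from the report). Requires the IdentityServer4 and
// IdentityModel NuGet packages. All identifiers marked "placeholder" are assumed.
using System;
using System.Net.Http;
using System.Threading.Tasks;
using IdentityModel.Client;
using IdentityServer4;
using IdentityServer4.Models;

public static class MobileClientConfig
{
    // Server side: passed to AddInMemoryClients(...) or served from a client store.
    public static Client MobileApp => new Client
    {
        ClientId = "mobile-app",                                // placeholder
        ClientSecrets = { new Secret("change-me".Sha256()) },  // placeholder; stored hashed
        AllowedGrantTypes = GrantTypes.ResourceOwnerPassword,   // the ROPC flow used by the apps

        AllowedScopes =
        {
            IdentityServerConstants.StandardScopes.OpenId,
            IdentityServerConstants.StandardScopes.Profile,
            "api1"                                              // placeholder API scope
        },
        AllowOfflineAccess = true,                              // needed to issue refresh tokens

        AccessTokenType = AccessTokenType.Jwt,                  // self-contained token, no server lookup
        AccessTokenLifetime = 6 * 60 * 60,                      // 6 hours, in seconds

        RefreshTokenExpiration = TokenExpiration.Sliding,       // lifetime extends on each refresh
        SlidingRefreshTokenLifetime = 90 * 24 * 60 * 60,        // 3 months without use => expired
        AbsoluteRefreshTokenLifetime = 0,                       // 0 = no hard cap; default would cap at 30 days
        RefreshTokenUsage = TokenUsage.OneTimeOnly,             // rotate: each refresh token is single-use
        UpdateAccessTokenClaimsOnRefresh = true                 // pick up changed user claims on refresh
    };
}

public static class MobileTokenClient
{
    const string TokenEndpoint = "https://auth.example.com/connect/token"; // placeholder

    // Summary step 1: user logs in with username/password plus the app's client credentials.
    public static async Task<TokenResponse> LoginAsync(HttpClient http, string username, string password)
    {
        var response = await http.RequestPasswordTokenAsync(new PasswordTokenRequest
        {
            Address = TokenEndpoint,
            ClientId = "mobile-app",                            // placeholder
            ClientSecret = "change-me",                         // placeholder
            UserName = username,
            Password = password,
            Scope = "openid profile api1 offline_access"        // offline_access requests the refresh token
        });
        if (response.IsError) throw new InvalidOperationException(response.Error);
        return response;                                        // AccessToken, RefreshToken, ExpiresIn (21600)
    }

    // Summary step 3: after the 6-hour access token expires, trade the refresh token
    // for a new access token. With OneTimeOnly usage the response also carries a new
    // refresh token, which the app must store in place of the old one.
    public static async Task<TokenResponse> RefreshAsync(HttpClient http, string refreshToken)
    {
        var response = await http.RequestRefreshTokenAsync(new RefreshTokenRequest
        {
            Address = TokenEndpoint,
            ClientId = "mobile-app",                            // placeholder
            ClientSecret = "change-me",                         // placeholder
            RefreshToken = refreshToken
        });
        // "invalid_grant" here means the refresh token expired (3 months unused) or was
        // already consumed: summary step 4, send the user back to the login screen.
        if (response.IsError) throw new InvalidOperationException(response.Error);
        return response;
    }
}
```

On the device, the value to protect is the refresh token, since it alone keeps the session alive for up to 3 months; keep it in the platform's secure storage rather than in preferences or plain files, and treat an `invalid_grant` error from `RefreshAsync` as the signal to clear stored tokens and return to login.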