I have doubts about what the correct schema should be for the next technical solution. I need to authenticate a user in a mobile application by reading a QR code, the user being previously authenticated in a web application.
The use case consists in that the user uses a web application located in an intranet, but needs to be able to upload images from a mobile device that will be connected to the internet. The mobile application will consume a public API exposed on the internet through a API Gateway. The API Gateway will connect to the backend to upload the images. As a requirement, when the user needs to use the mobile device to capture and upload images, they should not authenticate again, since they have an open session in the web application, and simply use a QR code to authenticate the device. Logically the QR will not use the user's credentials.
My idea is to make use of Oauth 2.0 with the following flow to authenticate mobile device:
My question is whether it is the correct scheme, or there is another standard solution.
Thanks!!
Authenticating with these badges is a simple process that starts with a user clicking a “Scan QR Code” button on the RapidIdentity login page, which then activates the user's computer camera. The user then holds the badge to the camera to authenticate.
When logging in to a site, the web server sends the PC browser a QR code that encodes a cryptographic challenge; the user takes a picture of the QR code with his cell phone camera which re- sults in a cryptographic response sent to the server; the web server then logs the PC browser in.
On your compatible Android phone or tablet, open the built-in camera app. Point the camera at the QR code. Tap the banner that appears on your Android phone or tablet. Follow the instructions on the screen to finish signing in.
Your scheme will work BUT it's not reaching its fullest security potential considering the fact that you can transfer a new generated authorization token from an already authorized device directly to another one(via QR code read by camera); this fact would make step 3 and 4 an unnecessary vulnerability(it's also a redundancy,there already is a token!, why get another one?);
The following alternative along with good cryptography can make the later authorized device connection almost impossible to intrude.the idea is that by adding a symmetric encryption layer before sending the data in step 5 and using a key which is exchanged over another medium(the already authorized device and server) the encrypted data can never be exposed;
step 3 replacement: read the authorization token;
step 4 replacement: check the secure hash derivation of the authorization token(instead of the token itself) with the server to see if its valid;
token0=read_auth_token_from_camera()
public_token=hash_function(token0) //the useless exposed token
if(check_token_with_server_for_authenticity(public_token)==true)
continue_to_step_5() //it's authorized
else
handle_the_scenario()
step 5 replacement: encrypt your request and authorization token with another hash derivation of the authorization token then make calls to the server API;
token2=another_hash_function(token0)
request="i am top secret data"
encryption_key=token0
encrypted_request=encryption_function( token2 + request , encryption_key)
send_to_server( public_token+encrypted_request)
//notice that token2 is unknown to the intruder because its encrypted,but it is known to the server; hence the authenticity of each request can be checked by the server;
how it is more secure: in this alternative way the actual authorization token is never really exchanged between the server and the new client; So if an intruder could hypothetically break the SSl/TLS layer and capture the public token, the intruder won't be able to send any requests on your behalf or modify the data in requests;
If you love us? You can donate to us via Paypal or buy me a coffee so we can maintain and grow! Thank you!
Donate Us With