

OpenID Logon for mobile application

OpenId Logon

7 replies to this topic

Intelligence4 #1 Posted 07 October 2014 - 11:17 AM

    Lance-corporal

  • Player
  • 22372 battles
  • 58
  • Member since:
    05-25-2014

Hi All,

 

I have just started implementing an OpenID process for my WOT mobile app. The difficulty I am currently having is that I am unsure how this process works when it comes to coding. I just want to get at the Access Token but I really do not want the user to be redirected out of my app to a foreign web page - this just looks bad.

 

The options I can think of are:

1. Making the redirect and live with the bad look and feel

2. Somehow automating and hiding the browser interaction

 

None of these options are good.

 

Does anybody have other suggestions and/or code helping me with this matter?

 

Regards,

Intelligence4



Unknown0ne #2 Posted 08 October 2014 - 07:55 PM

    Corporal

  • Beta Tester
  • 0 battles
  • 114
  • Member since:
    07-28-2010

The entire point of the redirection process is to provide a clear indication to the user what information the app is going to have access to, and to provide the option for the user to decide not to allow the app access. "Automating" the interaction, even if it's possible, probably is against the Terms you agree to by using the Wargaming API.

 

I would suggest explaining why you're redirecting the user and accepting that it's something you have to live with if you want to get an access token. Furthermore, I would think most people would have a basic idea of how OpenID works with how widespread it is, so it shouldn't look that "bad" to the average user to be redirected. Even more so when you consider that when logging into the World of Tanks website, it redirects you to the Wargaming.net website to actually enter your credentials. 



Intelligence4 #3 Posted 23 October 2014 - 12:46 AM

    Lance-corporal

  • Player
  • 22372 battles
  • 58
  • Member since:
    05-25-2014

There are a number of applications out there that allow the user to login to access private data (the only data that really makes sense) however there always seems to be this redirection out to Wargaming's OpenId website so that the user can enter his/her details and receive back an access token. The real problem from a design point of view is this "excursion" really destroys an application's user experience wrt the look and feel of the application. However the access token is the final goal of this process albeit not very secure.

 

What I was wondering was - would it be able to "hide" this excursion by allowing the design to prompt for the user name and password itself - after all I only need an access token back. If this is not possible I was wondering if anybody had some code examples that showed how to accomplish the token return using the current WebAPI/Rest interface that Wargaming support. I should think that the authentication call returns some HTML page as a string and that string is used to populate a browser control of some sort. Where I am unclear is how do I finally end up with my access token.

 

Any help in this matter would be much appreciated - especially if it takes the form of some code snippets :-)

 

Regards,

Intelligence4



Unknown0ne #4 Posted 23 October 2014 - 05:03 AM

    Corporal

  • Beta Tester
  • 0 battles
  • 114
  • Member since:
    07-28-2010

With regards to prompting for a password:

 

Block Quote

No modifications should be created requesting or otherwise receiving the payer’s email address and/or password in Wargaming.net Games. The user can only log in using a Wargaming.net ID.

 

 

From: http://eu.wargaming....on/rules/rules/

 

 

As to how you end up with the access token, I honestly don't know how mobile apps work, but indications are you need to have the client be redirected back from Wargaming.net to get the token. If you have a "client" app, it seems you need to direct the user to https://api.worldoft...=&redirect_uri= with the app ID and redirect URI provided. Then the access token, along with some other data is sent back to the redirect URI as parameters. You can also add &nofollow=1 to get a URI back from the API, but you still need to have the user visit it so it seems like a pointless step in your case.

 

It's also worth noting, that if you're relying on the auth for actual authentication (which I don't think you are, but anyway), you'll need to actually verify that the access token is valid (after all anyone can visit the redirect to URI and give fake information) by sending an access token extension request as it, unlike the login request, is a direct communication between your app and the API.

 

 


Edited by Unknown0ne, 23 October 2014 - 05:04 AM.
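The flow described in the post above, as an added Python sketch that is not part of the original thread or Wargaming's own code: build the login URL, accept the redirect only at the registered URI, and treat the returned token as untrusted until a direct API call confirms it. The endpoint and redirect URI are placeholders, the callback field names `status` and `account_id` are assumptions, and `verify_token` is a hypothetical caller-supplied function standing in for the access token extension request.

```python
from urllib.parse import urlencode, urlsplit, parse_qs

# Placeholder values (assumptions, not taken from the thread).
LOGIN_ENDPOINT = "https://api.example.invalid/wot/auth/login/"
REDIRECT_URI = "https://app.example.invalid/callback"

def build_login_url(application_id, redirect_uri=REDIRECT_URI):
    """URL the user opens in a browser to approve or decline the app."""
    query = urlencode({"application_id": application_id,
                       "redirect_uri": redirect_uri})
    return f"{LOGIN_ENDPOINT}?{query}"

def parse_callback(callback_url, expected_redirect=REDIRECT_URI):
    """Read the redirect parameters, refusing URLs that are not our redirect URI."""
    got, want = urlsplit(callback_url), urlsplit(expected_redirect)
    if (got.scheme, got.netloc, got.path) != (want.scheme, want.netloc, want.path):
        raise ValueError("callback does not match the registered redirect_uri")
    params = {key: values[0] for key, values in parse_qs(got.query).items()}
    # 'status' is an assumed field name for the login outcome.
    if params.get("status") != "ok" or not params.get("access_token"):
        raise ValueError("login failed or was declined")
    return params

def authenticate(callback_url, verify_token):
    """Accept a login only after the token is confirmed app-to-API.

    verify_token(token) is hypothetical: it performs the direct request and
    returns the account id the API ties to the token, or None if rejected.
    Anyone can open the redirect URI with made-up parameters, so nothing in
    the callback is trusted until this check passes.
    """
    params = parse_callback(callback_url)
    confirmed = verify_token(params["access_token"])
    if confirmed is None or str(confirmed) != params.get("account_id"):
        raise PermissionError("token not confirmed by the API")
    return {"account_id": params["account_id"],
            "access_token": params["access_token"]}
```
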


Intelligence4 #5 Posted 23 October 2014 - 11:05 AM

    Lance-corporal

  • Player
  • 22372 battles
  • 58
  • Member since:
    05-25-2014

I have seen a couple of mobile apps using the redirection to Wargaming's OpenId. It is a little cumbersome but if the user is used to being thrown out of the app to logon then being redirected back and is okay with this then fine by me. It is just that my business is in design of UIs and this is something that I like to make sure never happens in the apps that I design - in general it is very bad to do this type of thing.

 

It looks like I will have to do some experimentation within a desktop app to get this working and then see if I can transform it back into the mobile domain - ho hum.

 

As mentioned, if anybody has managed to get this to work and is willing to share the code (especially .Net based code) I would be glad to hear from them.

 

Regards,

Intelligence4



PeterPan_NL #6 Posted 21 May 2015 - 05:38 PM

    Lance-corporal

  • Player
  • 22487 battles
  • 56
  • Member since:
    11-01-2014

Hi

 

Did you get this working?

I am busy with a client app and looking to get the access token too.

 

Peter



AnubisGott #7 Posted 07 February 2020 - 04:30 PM

    Private

  • Player
  • 38926 battles
  • 3
  • Member since:
    09-29-2011

hello,

 

I am currently developing a World of Tanks Android Mobile App.

 

I want to use the same login mechanism as in the official "World of Tanks Assistant" app.

 

-> Input fields for name, password, (second factor)

 

Can you outline the API calls for that (it is without redirecting)?

 

kind regards



AnNE_DoMini #8 Posted 14 February 2020 - 02:54 PM

    Private

  • Player
  • 0 battles
  • 26
  • Member since:
    03-21-2013

Start from here:

https://developers.wargaming.net/reference/all/wot/auth/login/

Standard OAuth flow





