It’s important to have a frictionless, secure, and performant authentication system for any app, be it web or mobile. In this lightning talk, Itai Hanski covers the importance of authentication and how the Descope team used PKCE to communicate between their React web app and native mobile SDKs.
This talk has been presented at React Summit 2023, check out the latest edition of this React Conference.
The core problem 'the scoped' faced was how to integrate their web-based authentication and user management service into native applications.
WebViews are UI widgets that run a miniature version of a browser to display web content. They are considered insecure because some authentication methods may not function correctly inside them.
'The scoped' used an embedded browser approach with deep links and the PKCE (Proof-of-Key Code Exchange) protocol to securely integrate web authentication into native apps.
Deep links are URLs that direct users to specific content within a mobile app instead of a browser. They allow mobile applications to handle certain URLs directly.
PKCE, or Proof-of-Key Code Exchange, is a security protocol where the client generates a key (verifier), hashes it (challenge), and sends the challenge to the server. The server responds with an authorization code, and the client uses the original key to complete the exchange, ensuring secure communication.
In 'the scoped's approach, the native app starts the process by generating a verifier and challenge, launches a browser with these parameters, and uses deep links for communication. The React app handles the flow, and the server uses deep links to send authorization codes back to the native app for secure exchange.
Session data can't be sent on the redirect URL because it is insecure. Instead, an exchange protocol like PKCE is used to ensure secure data transfer.
The React app's role is to grab URL parameters and pipe them into the backend server, run the authentication flow, and allow the server to send authorization codes back to the native app using deep links.
Attendees can ask more questions about PKCE or the integration process at the booth right outside the presentation area.
Itay Hansky's talk focuses on communicating between React or web apps and native applications or SDKs.
Hi, everyone. My name is Itay Hansky. I'm from the scope. I want to talk about communicating between React apps or web apps and native applications or SDKs. Have you ever built something nice for the web but wanted to use it in a native app?
Hi, everyone. My name is Itay Hansky. I'm from the scope. And I came to talk a little bit about communicating between React apps or web apps in general and native applications or SDKs. I want to kick things off with a question so you understand where I'm going with this. So have you ever built anything that was for the web, was really nice, but you wanted really to use it inside of a native application? Well, that's exactly what happened to us at the scoped, where we offer authentication and user management as a service. And one of our coolest features is that you can customize your own authentication in our no-code editor including UI and everything, and with a few lines of integration, have a very nice, fully fledged login screen and authentication in your web apps, which is really, really nice, but we didn't want to leave our native application builders behind, so we thought, how can we bring this nice capability to our native builders?
We considered embedding the web code inside a WebView, but WebViews are insecure and some authentication methods won't work. So, we decided to run the browser in an embedded mode, making it feel like part of the application. However, mobile processes are sandboxed, so we can't access data between processes. To solve this, we used deep links to handle certain URLs within the application. We also implemented Pixie, a Proof-of-Key Code Exchange protocol, to securely exchange data between the web code and native applications.
I know some of you will relate. So the next thing we considered was, how about we just take it and embed it inside of our UI using a WebView? For those who don't know, a WebView is basically a UI widget which runs a miniature version of the browser, so we can just have the web code run in there. The problem is that WebViews are considered insecure, and actually, some of our authentication methods will simply not run if they're running inside of WebView.
So we were left with the browser, but fortunately for us, we can run the browser in an embedded mode, which feels for the user a little better. It doesn't feel like you're moving outside of the application when you actually switch to the browser. It feels like it's part of the application, even though technically we're running on a different process.
Okay, great. So we have our solutions set, so I guess all we have to do is launch our embedded browser, Safari or Chrome, and run our flow, and then get the callback somehow into our native code or run some JavaScript or hack into it. Well, unfortunately, mobile processes are completely sandboxed. That means in simple terms that you can't really access data between processes, and that's good news for us users of the mobile phone, because otherwise things would be a mess.
So what can we do? We can start the browser, we can launch it, right? So how would we get something back to the native layer? We can utilize deep links. Deep links is a way for mobile applications to declare that they can handle certain URLs instead of opening it in the browser. Think of the last time you got like a text message with a YouTube link, and when you clicked on it the application opened, right? Not the browser. So it's the same concept here.
Okay, great. So now we have a way to get back into our native code, but we can't simply send the session on the redirect URL because that's completely insecure. We should have some form of exchange protocol in place, and that's where Pixie comes in. Pixie or PKCE is a nice protocol. It stands for Proof-of-Key Code Exchange, and you can implement it any time you need. It's kind of geared toward mobile, but not necessarily so. I'm going to go over the Pixie principles in general just so we understand it, and then I'll show you how we used it to get flows running on our native applications. So, Pixie runs like this. The client generates the code. This is considered a key. It's just a random array of bytes and hashes this key. This hash is where everything starts. This is considered the challenge. This challenge is sent to the server. The communication is base64. But I don't want to focus on it, because it's just an encryption layer, and it's not interesting.
We constantly think of articles and videos that might spark Git people interest / skill us up or help building a stellar career
TechLead Conference 2023
React Summit 2023
JSNation 2023
React Advanced 2023
React Advanced 2023
React Advanced 2022
Node Congress 2024
React Advanced 2022
React Summit 2022
React Summit Remote Edition 2021React Summit Remote Edition 2021
React Summit 2023
Comments