Offline Authentication/Login in Native Mobile app


Hi,

I need my app to allow offline authentication. This is because most of the time the mobile app will work in offline mode, so when it's online it will synchronize all data on the server. I tried with an IF in the Login client action that verifies if it is online or not; if online, call the DoLogin Server Action, but if offline I'm trying to match the username and password with some Username and Password stored in a Local Entity (LocalUser), but I'm not able to do that, because it seems that no data is retrieved even from LocalStorage before Login. I marked all screens as Anonymous but still nothing.


Can anyone help me with this? How can I have both login modes?


Regards

I would recommend you watch this video, which explains how to do an offline web app from start to finish:

https://www.outsystems.com/learn/lesson/1191/create-your-offline-app/

I've already watched this video, and no Login or authentication in offline mode has been shown. It's a very good guide, but it doesn't solve my problem. I need a user to log out and the same user or another one to log in, all this while offline.

Solution

You should be able to just check if a user exists in a local storage table and compare it with the information input in your login screen.

What are your issues when you do that?

Solution

That's the problem. No data is retrieved before Login. In the image attached the GetLocalUser is always empty even if there is data in it. When I login online and right after that I configure my phone to be offline, I can list all users from LocalUser anyway.

Maybe my logic in the image is wrong.


Thanks.

Two things: when is that action being called? Do you have any filters in the database query?

1- The action is called when I click Login Button on Login Screen (Common->Login)

2- I have a filter by the input username value. But even without a filter, it doesn't get any data from LocalStorage.


Regards.

 

Hum. That is very weird. I don't have any trouble retrieving local information in precisely the same spot as you.

Would you mind attaching the oml you're using so I could take a closer look?

After checking step by step, now I can login the way I wanted, but only one more time after I get offline. If I want to login more than once with each user, no data is retrieved anymore.

 

For some reason the oml attachment is "processing upload" since yesterday.

Ricardo Silva wrote:

For some reason the oml attachment is "processing upload" since yesterday.

I'll try to upload again today


My OML

Hi Daniel and Ricardo.

Did you manage to solve Daniel's question?

Thanks,

Maria

Is there really not a better way to implement this? Storing account information on the mobile phone itself (local storage) is not a good practice.

Niels Favreau wrote:

Is there really not a better way to implement this? Storing account information on the mobile phone itself (local storage) is not a good practice.

I think your thought is correct (it is directly against How to create secure Mobile apps). Why would you want to store all the usernames and passwords in the device?


Are there any alternate options?

  1. Use Key Store to store only the current user's credentials in the device after first authentication. [First authentication should be done online.]
  2. Persistent authentication could be something that you can use. After the user gets authenticated once, he would not need to log in until a specific number of days has passed, even if he closes the application.

Hope that helps. I would be happy to create a sample if you are still looking to implement this.


Cheers,

Leo




Hello Niels and Leo.

I'm actually also against this approach, but I was curious to know if there was any other way though. I won't allow the user to authenticate without an internet connection.

Thanks for your answers, 

Maria

Hello all,

Just a small comment on this subject.

OutSystems mobile applications are hybrid applications. They are, in a very simplistic view, a native "browser" that runs a web application, with lots of "client side" JavaScript and access to a local database. Which for sure makes life much easier if you need to work "offline".

But the application is still a "web application". A mobile is something that is meant to be used within the range of a network, no matter if it is a Wireless or a 3G/4G network.

Also, in general, a mobile, even if it is an enterprise mobile, is "personal". Only a single person will use it.

And we are building applications for mobile.
The work offline should be the exception. The multi-user scenario should not even be an option.

Even when they aren't the exception, you can still enforce the rule that the login must be done with the mobile online, and use the persistent login, so closing the app will not log out the user.

But in this scenario, the user can still logout by himself (unless you prevent this in case there is no network).

If, for some reason, there is the need to switch users, in the same mobile device, while offline, I see two options here.

A) You create logic to execute the tasks locally, storing the information of who is doing them, and validating the changes upon synchronization, binding them to the right user. This should be used only when NO local sensitive information must be visible to the user, as you don't know if the user has the right to see it, as you will be using "anonymous" everywhere... Or you limit what the user can do when offline.

B) Set up a LOGIN scenario where the users that CAN login are the ones previously loaded into the device when the device was connected. This should be done by a user with rights to do it (to define other users to use that device). I'm not sure if it is possible to bind a user to a role (client side), but I think not. In this case, your application will have to rely on a different approach to define which screens/actions/etc. the user will be able to use, and this means more code is required, as you will have to manage these validations. Even if you store all the logins here, the problem will be the same. You will have to check the permissions.

In either case, as you are offline, you will not be able to synchronize upon login, and there will be a need for lots of extra logic to guarantee everything is done in a safe way.

It is much easier to try to convince the client that offline login is out of the question and that a multi-user offline scenario (on the same device) is a terrible idea.

Cheers,
Eduardo Jauch

EDIT

Well, in the end it wasn't that small...

What I did was B. The user only needs to be online the first time, then he can login any time while offline. When the device gets online, the synchronization is done.
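
Added example, not part of any post in this thread and not OutSystems code: a sketch of option B in which the local entity holds a salted scrypt verifier instead of the password, combined with the day-limited offline window suggested earlier. Assumptions: the function names, record fields, scrypt parameters and the 7-day window are illustrative, and Node's `crypto` module stands in for whatever key-derivation primitive the hybrid app has available.

```javascript
// Added example: all names and parameters here are illustrative assumptions.
const crypto = require('node:crypto');

const SCRYPT = { N: 16384, r: 8, p: 1 };      // assumed cost parameters
const MAX_OFFLINE_MS = 7 * 24 * 3600 * 1000;  // assumed 7-day offline window

// Call only after the server has accepted the login (device online).
// The returned record is what goes in the local entity: no password in it.
function enrollOfflineUser(username, password, now = Date.now()) {
  const salt = crypto.randomBytes(16);
  const verifier = crypto.scryptSync(password, salt, 32, SCRYPT);
  return {
    username: username.toLowerCase(),
    salt: salt.toString('hex'),
    verifier: verifier.toString('hex'),
    lastOnlineLogin: now,
  };
}

// Offline check against records loaded while the device was connected.
function verifyOffline(records, username, password, now = Date.now()) {
  const rec = records.find(r => r.username === username.toLowerCase());
  // Derive a key even for unknown users so both paths cost the same.
  const salt = rec ? Buffer.from(rec.salt, 'hex') : Buffer.alloc(16);
  const candidate = crypto.scryptSync(password, salt, 32, SCRYPT);
  const match = rec !== undefined &&
    crypto.timingSafeEqual(candidate, Buffer.from(rec.verifier, 'hex'));
  // One generic reason for unknown user and wrong password alike.
  if (!match) return { ok: false, reason: 'invalid-credentials' };
  if (now - rec.lastOnlineLogin > MAX_OFFLINE_MS) {
    return { ok: false, reason: 'online-login-required' };
  }
  return { ok: true, reason: 'offline-ok' };
}

// Constructed sample data: two users enrolled while the device was online.
const T0 = Date.UTC(2024, 0, 1);
const sampleRecords = [
  enrollOfflineUser('alice', 'correct horse', T0),
  enrollOfflineUser('bob', 'battery staple', T0),
];
```

A verifier stored this way can still be guessed offline by anyone who extracts the local database, so the permission checks and validation on synchronization discussed in the thread remain necessary.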