Offline Mobile App Authentication
Application Type
Mobile

Background: 

We have developed a mobile app that requires users to authenticate in order to gain access. All pages/screens in the app are secured, which means no anonymous access is available. The users have the option to authenticate using the phone's built-in FaceID or TouchID.


Issue:

The business requires the app to be available in offline mode, with the ability for users to authenticate (using FaceID or TouchID) and gain access to the app, mainly to view information that is stored in the device's local storage (i.e. there will be no server-side interactions). The issue is: how would all the pages/screens in the app that require the user to be authenticated allow the user to access them when they are in offline mode and without having established an authenticated session with the server?

The business requires the users of our app to have the ability to stay in offline mode for an extended period (around 2 weeks) before they need to re-authenticate to sync their data from the server.

Is there a way that we can establish a secure offline authenticated session without having to authenticate the user on the server and still allow the user access to all the secured (non-anonymous) pages? I am just after some feedback from the community, from someone who has done this before or knows how to get around this problem. Is there any specific design pattern we could use here?


Thank you all in advance.

 

Daniël Kuhlmann
MVP

Hi,

To my knowledge, you will ALWAYS need an internet connection to authenticate an OutSystems user.

Only after authentication, you can use your OutSystems mobile app in offline mode.

Once a user is logged in, the user stays logged in even if your app is offline, until the user logs out.

Regards,

Daniel

Maitham Habib

Hi @Daniel Kuhlmann 

Yes, of course the user will have to be online and authenticate with the server when they first open the app, because this is when the app syncs with the server, brings the user's data and stores it in local storage.

However, the user may then decide to click on the 'logout' button and close the app. Then the user may travel in an area where there is no internet coverage and decide to open the app to view their data. Since there is no internet connection, the user will not be able to authenticate against the server to establish a session, and since all of our app screens require a 'Registered' user to be authenticated, I am just wondering how to get around this issue.

As I mentioned, our App uses FaceID and TouchID to authenticate the user but this does not by itself establish an authenticated session if there is no internet connection.

I am not sure if our understanding of OutSystems 'Offline' capabilities is correct here or maybe our use case cannot be solved.

Daniël Kuhlmann
MVP

As I said, when a user has logged out, he will need to log in again to access an authenticated screen. To log in you need an internet connection.

With any other solution you cannot guarantee that the user is still authorized to log in.


Aravind EONE

Hi @mitham habib,

You can create a local storage entity and ask the user to register a PIN upon first-time login with internet.

Once it is added to local storage, you can ask the user to input the PIN when the user is offline.

Store the PIN encrypted in local storage.

Note: But for login or logout you should have an internet connection.


Hope it helps

Maitham Habib

Hi @aravind mani 

Yes, we actually do offer the user the ability to use a PIN to authenticate and we are following the same process as you described (storing the PIN in local storage).

But since all of our App screens do not allow 'anonymous' access, this means that the user needs to be authenticated, and if we just compare the PIN entered by the user with the one we store in local storage, that does not get us around the issue of the App screens requiring an authenticated user (because how can we establish an authenticated session in Offline mode by just comparing the PINs?).

Maybe we misunderstood what 'Offline' means. Because our thinking was that if the user is 'Offline' and they open the app, then they can somehow still get access to the screens that require an authenticated user, but obviously this is not going to be the case since they have not authenticated against the server.

I guess the question is, does Offline mean that the user still has to be Online and authenticate against the server and then (without closing the app) start travelling in an area where there is no internet connection, but once they close/logout then they have to be online again to authenticate? If this was the case, then this is not really an Offline type capability.

Aravind EONE

No, once you have authenticated online and logged in, if you close the app or go into offline mode without logging out, the user session remains the same and it will work unless you log out of your app online.
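
The offline PIN check and the two-week offline limit discussed in this thread, as an added example that is not code from any poster or from OutSystems. It is generic JavaScript (Node.js `crypto`), the function names, record layout, lockout threshold and iteration count are assumptions, and it stores a salted PBKDF2 verifier rather than a reversibly encrypted PIN.

```javascript
const crypto = require('node:crypto');

const OFFLINE_WINDOW_MS = 14 * 24 * 60 * 60 * 1000; // "around 2 weeks", from the thread
const MAX_ATTEMPTS = 5;           // assumed lockout threshold
const PBKDF2_ITERATIONS = 600000; // assumed work factor for PBKDF2-HMAC-SHA256

function derive(pin, salt) {
  return crypto.pbkdf2Sync(pin, salt, PBKDF2_ITERATIONS, 32, 'sha256');
}

// Run once while online, right after the server has authenticated the user.
// The returned record is what goes into local storage; the PIN itself never does.
function enrollPin(pin, userId, now) {
  const salt = crypto.randomBytes(16);
  return {
    userId,
    salt: salt.toString('hex'),
    verifier: derive(pin, salt).toString('hex'),
    lastServerAuth: now, // refreshed on every successful online login/sync
    failedAttempts: 0,
  };
}

// Run offline. Returns a local-only session, or the reason access is refused.
function unlockOffline(record, pin, now) {
  if (now - record.lastServerAuth > OFFLINE_WINDOW_MS) {
    return { ok: false, reason: 'reauth_required' }; // must go online again
  }
  if (record.failedAttempts >= MAX_ATTEMPTS) {
    return { ok: false, reason: 'locked' };
  }
  const candidate = derive(pin, Buffer.from(record.salt, 'hex'));
  const expected = Buffer.from(record.verifier, 'hex');
  if (!crypto.timingSafeEqual(candidate, expected)) {
    record.failedAttempts += 1; // persist this before returning in a real app
    return { ok: false, reason: 'bad_pin' };
  }
  record.failedAttempts = 0;
  return {
    ok: true,
    session: { userId: record.userId, offline: true,
               expiresAt: record.lastServerAuth + OFFLINE_WINDOW_MS },
  };
}
```

The session returned here only gates access to data already on the device; the server cannot revoke it until the next online login, so the offline window bounds how long a disabled account keeps local access.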
