
I have a Xamarin (mobile) application that can go offline for long periods of time. Also, this device can be used by multiple users.

What is the best way to ensure that the users of the app are authenticated when it goes into offline mode? When the app is online I can use OAuth or OpenID to authenticate against an identity provider.

Zinov
  • Are you using a JWT? Then you can validate the public key client side. (maybe https://stackoverflow.com/questions/34403823/verifying-jwt-signed-with-the-rs256-algorithm-using-public-key-in-c-sharp) – Jeremy Lakeman Mar 23 '22 at 03:23
  • Please be more explicit. What is the solution here you propose to force offline authentication for 100 users while you are offline for example? – Zinov Mar 23 '22 at 03:31
  • I mean that it may be possible to validate the token returned from OAuth / OpenID client side. But you'll have to know exactly what is returned and how to validate it. If it's a JSON Web Token (JWT) [which it probably is], then that's a signed blob of JSON, which means that you should be able to validate the signature of a cached token to prove it is valid, even if you are currently offline. – Jeremy Lakeman Mar 23 '22 at 03:47
  • That works for a single user – Zinov Mar 23 '22 at 03:49
  • Yes? Surely your use case for a mobile app would be `one device == one user`? If not, you should include that detail in the question. – Jeremy Lakeman Mar 23 '22 at 03:51
  • One device can be used by multiple users. I put "users" there, but thanks for the suggestion, I will update the question. – Zinov Mar 23 '22 at 04:14
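
The offline check discussed in the comments above, as an added example that is not part of the original thread: it validates a cached RS256 token against a signing key saved while online, bounds how long after expiry the token is accepted, and ties it to one of several local users through its `sub` claim. It assumes the System.IdentityModel.Tokens.Jwt NuGet package; `OfflineTokenCheck`, `IsUsableOffline` and `maxOfflineAge` are hypothetical names, and the offline window is a policy assumption. The check shows that the cached token is authentic and belongs to the selected profile, not who is holding the device.

```csharp
using System;
using System.IdentityModel.Tokens.Jwt;
using Microsoft.IdentityModel.Tokens;

public static class OfflineTokenCheck
{
    // True only if the cached token is authentic, was issued to expectedSubject,
    // and expired no longer than maxOfflineAge ago. Fails closed on any error.
    public static bool IsUsableOffline(
        string cachedToken,     // token stored for this user at the last online sign-in
        string cachedJwkJson,   // provider's RSA signing key (JWK JSON), saved while online
        string issuer,
        string audience,
        string expectedSubject, // "sub" of the local profile being opened
        TimeSpan maxOfflineAge) // assumption: policy value, for example 7 days
    {
        try
        {
            var parameters = new TokenValidationParameters
            {
                IssuerSigningKey = new JsonWebKey(cachedJwkJson),
                RequireSignedTokens = true,
                // Pin the algorithm so the token header cannot select another one.
                ValidAlgorithms = new[] { SecurityAlgorithms.RsaSha256 },
                ValidIssuer = issuer,
                ValidAudience = audience,
                RequireExpirationTime = true,
                // Replaces the default lifetime check with a bounded offline window.
                // Offline, the device clock is the only time source, so keep it short.
                LifetimeValidator = (notBefore, expires, token, p) =>
                    expires.HasValue
                    && DateTime.UtcNow <= expires.Value + maxOfflineAge
                    && (!notBefore.HasValue || DateTime.UtcNow >= notBefore.Value),
            };

            new JwtSecurityTokenHandler()
                .ValidateToken(cachedToken, parameters, out SecurityToken validated);

            // Read "sub" from the validated token itself, not from mapped claims.
            return validated is JwtSecurityToken jwt
                && string.Equals(jwt.Subject, expectedSubject, StringComparison.Ordinal);
        }
        catch (Exception)
        {
            return false; // malformed token or key, bad signature, wrong iss/aud, too old
        }
    }
}
```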

0 Answers