Comment on our review page:
I can't login after enabling 2FA I've activated the Two Factor Authentication and the app shows "Incorrect login"
Has anyone tried this before? Also, is there a need to support 2FA in our app?
possible enhancement, yes
On Dec 6, 2016 11:56 AM, "Josephine Lim" notifications@github.com wrote:
Comment on our review page:
I can't login after enabling 2FA I've activated the Two Factor Authentication and the app shows "Incorrect login"
Has anyone tried this before? Also, is there a need to support 2FA in our app?
Wikipedia App seems to have the same issue and has a pending change.
It might be limited to power users, but there is a need. All sysops were asked to enable 2FA in late November if I recall it correctly.
Confirm that logging in with two-factor authentication on is not possible.
Once I was logged in it sort of worked, but maybe this was a cause for some of the problems I have been having with the app.
What problems were you experiencing with the app @VojtechDostal ?
The app failed to start or crashed while searching for Nearby things.
I reinstalled and now it runs smoothly
Not quite done yet
Hi @addshore , any chance you might have the time in the near future to complete this? If not, should we add it to the IEG renewal proposal?
I might have time to look at it over the coming weeks but adding it to the IEG grant sounds like a good idea!
Just to note, 2FA has been successfully implemented in the Wikipedia Android app. I guess their implementation could help you finish this quickly, i.e., you could use their implementation as a reference.
@sivaraam Does the Wikipedia app use OAuth for authentication? I have added the 2FA permission in the OAuth Consumer registration for the Commons app. Ref #819
The Wikipedia app does not use OAuth. It has an in-app login flow that handles 2FA.
This can be unblocked now that we have confirmed that OAuth is not possible and not needed.
Our app already has most of the code in place needed for enabling 2FA. I am just not able to test it out as I am not a power user and, as the article mentions, only power users can enable it for their accounts.
@maskaravivek , you can ask the stewards to add you to the "oath testing group". I believe such requests are done at https://meta.wikimedia.org/wiki/Steward_requests/Global_permissions#Requests_for_other_global_permissions
Thanks @strainu for the link. Got the permission by creating a phab ticket. https://phabricator.wikimedia.org/T183079
From what I understand,
The HttpClient implements some sort of cookie store which is in turn used by AccountManager when a request to retrieve the auth cookie is made [blockingGetAuthToken]. I observed that after enabling 2FA, this call does not return any cookie.
Read a few posts regarding handling of cookies for 2FA enabled authentication and finally decided to create and store a cookie in such cases. Ref
Wikimedia APIs require these cookies for all subsequent requests.
@psh @misaochan Your insights here would be useful. :)
@dbrant Does this sound good? I tried to follow the approach Wikimedia app takes around authentication, but then Wikimedia app never makes a call to getAuthToken or blockingGetAuthToken.
@maskaravivek I just requested global OATH permissions for the production servers - https://meta.wikimedia.org/wiki/Steward_requests/Global_permissions#Requests_for_other_global_permissions . Hopefully we will be able to test your PR soon. :)
Re: creating a cookie, your approach looks reasonable to me, however it would be best to wait for @dbrant 's input due to potential privacy concerns.
It's already done, @misaochan :) took them only 4 minutes.
@VojtechDostal Wow, cool! :) That was fast, haha. Will set my 2FA up and test ASAP.
@maskaravivek The Wikipedia app basically stores all cookies in SharedPreferences, since some of our cookies need to be persisted regardless of having an account. If you want to persist the authentication cookie in AccountManager, that's fine too.
Implementing 2FA simply means that instead of returning a successful reply, the API will return a special status message that should cause your app to ask for the 2FA code, and then pass the code back to the API in your next request.
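The two-step exchange described in the comment above, as an added example that is not part of the thread and is not the Commons or Wikipedia app's code. It assumes a MediaWiki-style `action=clientlogin` reply with a `status` of `PASS`, `FAIL` or `UI` and an `OATHToken` field for the code; the transport, the fake server, the request id and the messages are constructed so it runs offline.

```python
def needs_oath_code(reply):
    """True when the API asks for more input and a request wants an OATHToken."""
    if reply.get("status") != "UI":
        return False
    return any("OATHToken" in r.get("fields", {}) for r in reply.get("requests", []))

def client_login(post, username, password, token, ask_code):
    """Log in through `post` (sends a dict of parameters, returns the
    'clientlogin' object of the reply). `ask_code` prompts the user for the code."""
    base = {"action": "clientlogin", "format": "json", "logintoken": token}
    reply = post({**base, "username": username, "password": password,
                  "loginreturnurl": "https://example.org/"})
    if needs_oath_code(reply):
        # "UI" is not a failure: continue the same login with only the code.
        reply = post({**base, "logincontinue": "1", "OATHToken": ask_code()})
    if reply.get("status") == "PASS":
        return reply["username"]
    raise PermissionError(reply.get("message", "login failed"))

def make_fake_api(user, password, code):
    """Constructed stand-in for the server, for offline demonstration only."""
    state = {"password_ok": False}
    def post(params):
        if params.get("logincontinue"):
            if state["password_ok"] and params.get("OATHToken") == code:
                return {"status": "PASS", "username": user}
            return {"status": "FAIL", "message": "Verification failed"}
        if params.get("username") == user and params.get("password") == password:
            state["password_ok"] = True
            return {"status": "UI", "message": "Two-factor code required",
                    "requests": [{"id": "constructed-totp-request",
                                  "fields": {"OATHToken": {"type": "string"}}}]}
        return {"status": "FAIL", "message": "Incorrect login"}
    return post
```

A client that treats every reply other than `PASS` as a failure shows the "Incorrect login" symptom from the original report, because the `UI` reply is never followed up.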
Fixed in #1048