From inside the mobile app for iOS and Android

The mobile app for iOS and Android can be set up to validate the user's credentials against an external service owned by the client. A proxy coordinates the communication between the app, the client's service and the regular authentication service.

The client has to provide an API endpoint that the proxy calls to validate the user's credentials.

This is the authentication flow:

  1. The user enters their email address and password and taps login/register.
  2. The app sends this data to the proxy service.
  3. The proxy service calls the client's API to determine whether the user has access to the app.
    • A) If the user has access, the client's API must return a response with:
      • A 200 response code.
      • A Content-Type header of application/json.
      • A JSON body containing the user's uuid (the same one that would be used for the token integration). For example: {"uuid":"0965151d-a537-4051-8e66-45f5cfdedb47"}
    • B) If the user does not have access, the client's API must return a response with:
      • A 422 response code if the user could not be found.
      • A 403 response code if the user exists but does not have access to the app.
  4. If the user has access, the proxy creates a new app session for that UUID and the user continues to the content inside the app.
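The following is an added example of what the client's side of this contract can look like; it is not code from the original page or from the proxy's vendor. It assumes a hypothetical `POST /validate` endpoint that receives `{"email": ..., "password": ...}` as JSON from the proxy, a constructed in-memory user store with salted PBKDF2 password hashes, and the interpretation that a wrong password for a known email is reported as "user could not be found" (422), since the page lists only the 422 and 403 outcomes. The `proxy_accepts` helper models the checks the proxy performs on the client's reply in step 4 (status 200, JSON content type, a `uuid` field) before it creates a session.

```python
"""Added example: a client-side validation endpoint for the proxy contract."""
from __future__ import annotations

import hashlib
import hmac
import json
from http.server import BaseHTTPRequestHandler, HTTPServer

PBKDF2_ITERATIONS = 100_000


def hash_password(password: str, salt: bytes) -> bytes:
    """Salted PBKDF2-HMAC-SHA256; the store never holds the plaintext password."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS)


# Constructed sample store: one account entitled to the app and one that is not.
# A real deployment uses a per-user random salt (os.urandom(16)) and a database.
_SALT = bytes.fromhex("00112233445566778899aabbccddeeff")
USERS = {
    "alice@example.com": {
        "uuid": "0965151d-a537-4051-8e66-45f5cfdedb47",  # the UUID from the page's example
        "salt": _SALT,
        "hash": hash_password("correct horse battery", _SALT),
        "has_access": True,
    },
    "bob@example.com": {
        "uuid": "4c1d2a8e-2f0b-4e3c-9a7d-1b2c3d4e5f60",  # constructed UUID
        "salt": _SALT,
        "hash": hash_password("hunter2-is-weak", _SALT),
        "has_access": False,
    },
}


def validate_credentials(email: str, password: str) -> tuple[int, dict | None]:
    """Apply the contract: (200, {"uuid": ...}), (422, None) or (403, None)."""
    user = USERS.get(email)
    if user is None:
        # Hash anyway so an unknown email does not answer measurably faster
        # than a wrong password for a known one.
        hash_password(password, _SALT)
        return 422, None
    # Constant-time comparison of the derived hash against the stored one.
    if not hmac.compare_digest(hash_password(password, user["salt"]), user["hash"]):
        return 422, None  # assumption: bad password is reported as "not found"
    if not user["has_access"]:
        return 403, None
    return 200, {"uuid": user["uuid"]}


class ValidateHandler(BaseHTTPRequestHandler):
    """Handles POST /validate with JSON {"email": ..., "password": ...} from the proxy."""

    def do_POST(self) -> None:
        if self.path != "/validate":
            self.send_response(404)
            self.end_headers()
            return
        length = int(self.headers.get("Content-Length", "0"))
        try:
            data = json.loads(self.rfile.read(length) or b"{}")
            email, password = str(data["email"]), str(data["password"])
        except (ValueError, KeyError, TypeError):
            self.send_response(400)
            self.end_headers()
            return
        status, body = validate_credentials(email, password)
        payload = json.dumps(body).encode("utf-8") if body is not None else b""
        self.send_response(status)
        if body is not None:
            self.send_header("Content-Type", "application/json")
        self.send_header("Content-Length", str(len(payload)))
        self.end_headers()
        self.wfile.write(payload)

    def log_message(self, fmt: str, *args) -> None:
        # Suppress the default request log so nothing about login requests lands on disk.
        return


def proxy_accepts(status: int, content_type: str, body: bytes) -> str | None:
    """What the proxy requires before creating a session: 200, JSON, a non-empty uuid."""
    if status != 200 or not content_type.lower().startswith("application/json"):
        return None
    try:
        uuid = json.loads(body)["uuid"]
    except (ValueError, KeyError, TypeError):
        return None
    return uuid if isinstance(uuid, str) and uuid else None


if __name__ == "__main__":
    # Loopback only for the demo; the real endpoint sits behind TLS, as the page requires.
    HTTPServer(("127.0.0.1", 8080), ValidateHandler).serve_forever()
```

Because this endpoint receives the user's plaintext password, it should be reachable only over HTTPS and, in practice, only from the proxy (for example by network restriction or a shared credential on the request), which is an operational recommendation rather than something the page specifies.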

All communication is done over HTTPS and request payloads are never logged. The user's credentials pass through the proxy only to reach the client's API and are discarded immediately afterwards.