Tech at the Edge of the World: Offline Applications

Can your code really run everywhere? Even offline? Thoughts from Heather Downing’s journey to a tech conference held in Antarctica.

Sorry for being a n00b, but where can I find more information on this?

Since external auth providers (like Okta, Google, etc.) provide you with a token, you can store that locally when your device is offline until it expires (which is easily configured within your Okta Developer account) and allow a user access to their previously authenticated and downloaded data while offline.

@applebar it’s not a n00b question, don’t worry!

What type of application are you building? Many frameworks will handle this for you now!

This post is a few years old, but it covers a lot of general OAuth-related bits: Identity, Claims, & Tokens – An OpenID Connect Primer, Part 1 of 3 | Okta Developer

And check out this one too: An Illustrated Guide to OAuth and OpenID Connect - YouTube

If you have a specific framework or stack in mind, let us know, and we can point you to something more targeted!

@bdemers Specifically, I’m looking for a high-level solution for the following scenario: I’m trying to authorize access to an iOS application for users who go offline for a day or two at a time. Currently, when the access token expires, the user is asked to authenticate again but cannot because they are offline. I would like the user to maintain access to the iOS application until they are able to re-authenticate once they return online.

Ahh, I see!

This one is going to be use-case-specific. Sounds like you are building an application that requires the user to have some initial interaction with a REST service (download data or something), update that data offline (potentially offline), and then sync that data at some point in the future.

Security isn’t one-size-fits-all, so please excuse a potentially lengthy explanation.

The needs for a calorie tracking application are very different from a banking application. The banking application probably doesn’t work offline (there are some exceptions to this, but let’s keep it simple to start with). Next, you might need to think about any sort of data retention/auditing concerns. Is the user allowed to see the data after their session expires? (Again, this isn’t a big deal for a calorie tracker, but if you are dealing with customer info, it might be, e.g. a QR code scanner for conference badges.)

Going with the simple example, let’s say you are building a calorie tracking application. It requires a few API endpoints:

  • User preferences
  • Calories consumed

When your user initially opens your application, they are instructed to log in. Your application downloads their preferences (maybe a choice between kilocalories and kilojoules).

At some point in the future, the user opens the application and records calories. Your application detects if the user has a network connection and sends the number of calories to your API.

Your API may respond with a 401/403 indicating the token is invalid, in which case you would prompt the user to log in again, and then retry your previous request.

Using a refresh token might allow you to skip the user interaction part, and your application (typically using an OAuth library) would exchange the refresh token for a new access token, and you would use that new access token to retry your request. The benefit here is the retry is seamless and the user isn’t bothered.

I’m simplifying things a bit here. For example, if you knew an access token was already expired, you wouldn’t send it to the server; instead, you would use a refresh token to get a new access token. Some OAuth libraries handle all of this logic for you.

For an iOS example, you can take a look at:

Unless you are looking for something like Xamarin or Ionic, we should have examples for that too.
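
The flow described in the post above, as an added Swift sketch that is not part of the original thread or of any Okta SDK: entries are queued while offline, a token known to be expired is refreshed rather than sent, and a 401/403 triggers one refresh and one retry. `Tokens`, `Backend`, `CalorieSync` and `FakeBackend` are hypothetical names, and the fake backend and its token strings are constructed sample data.

```swift
import Foundation
// All names are hypothetical; a real app would use an OAuth library and keep tokens in the Keychain.
struct Tokens { var access: String; var expiry: Date; var refresh: String? }
enum SyncResult: Equatable { case synced(Int), queuedOffline, loginRequired, serverError(Int) }
protocol Backend {                                        // stand-in for the API and token endpoint
    var online: Bool { get }
    func post(calories: Int, accessToken: String) -> Int  // returns the HTTP status
    func refresh(_ refreshToken: String) -> Tokens?       // nil when the refresh is rejected
}
final class CalorieSync {
    private(set) var pending: [Int] = []                  // recorded but not yet accepted by the API
    private var tokens: Tokens
    private let backend: Backend
    init(tokens: Tokens, backend: Backend) { self.tokens = tokens; self.backend = backend }
    private func renew() -> Bool {
        guard let rt = tokens.refresh, let fresh = backend.refresh(rt) else { return false }
        tokens = fresh; return true
    }
    func record(_ calories: Int, now: Date = Date()) -> SyncResult {
        pending.append(calories)
        guard backend.online else { return .queuedOffline }          // offline: keep data, no prompt
        if tokens.expiry <= now, !renew() { return .loginRequired }  // known-expired: refresh first
        var sent = 0
        while let next = pending.first {
            var status = backend.post(calories: next, accessToken: tokens.access)
            if status == 401 || status == 403 {                      // server rejected the token
                guard renew() else { return .loginRequired }         // queue survives the re-login
                status = backend.post(calories: next, accessToken: tokens.access)
                if status == 401 || status == 403 { return .loginRequired }
            }
            guard (200..<300).contains(status) else { return .serverError(status) }
            pending.removeFirst(); sent += 1
        }
        return .synced(sent)
    }
}

// Constructed fake: only access token "at-2" is accepted, and only refresh token "rt-1" yields it.
final class FakeBackend: Backend {
    var online = false
    func post(calories: Int, accessToken: String) -> Int { accessToken == "at-2" ? 200 : 401 }
    func refresh(_ refreshToken: String) -> Tokens? {
        refreshToken == "rt-1" ? Tokens(access: "at-2", expiry: .distantFuture, refresh: "rt-1") : nil
    }
}
let api = FakeBackend()
let sync = CalorieSync(tokens: Tokens(access: "at-1", expiry: .distantPast, refresh: "rt-1"), backend: api)
print(sync.record(450), sync.record(300))   // device offline: both entries are queued
api.online = true
print(sync.record(520), sync.pending)       // back online: refresh, then flush the queue
```

If the refresh token is itself rejected, `record` returns `.loginRequired` and leaves `pending` intact, so the entries are sent after the user signs in again.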