Automatic login

Hi,
The user will get a QR code for calling a Jmix app URL.
Based on the information in the URL, the caller should be automatically logged in,
using a specific existing user.

And the URL also contains information about which view should be opened after login,
with which parameters.

How to implement that?
Creating a controller, fetching the URL and params and then starting the login process?
Or enhancing the login page?

I am looking for the best starting point to implement that.
Any help would be great.

KR
Roland

I think the first step is to drill deeper into this from a functional perspective before trying to come up with a technical solution. Then assess whether or not it is secure, and then come up with a solution. What exactly are you trying to accomplish?

Is the QR code going to be long-living (e.g. printed on paper and hanging on the walls) or short-living (generated and only useful for a short period)? This already has huge implications for security, and the first one does not sound very secure.

Who is generating the QR code? Is it the same as the one verifying credentials or are those 2 separate entities?

What is your main goal? Doing authentication or just opening a window? Would anonymous access with opening a pre-defined window work?

Hi Tom,

very valid questions, thx.
I need to explain a little bit what the app is used for (a little bit to read :slight_smile: ):
A company is driving up to 400 different tours on a daily basis in a city.
Each tour has multiple objects with different todos.
The drivers for each tour are also changing on a daily basis.
For each tour there is at least 1 fixed vehicle.

The app is running on a public root server.
No other app is running on that machine.
The database is on the same server and will be refreshed on a daily basis.
There are 3 ways to connect to the app:

  • REST API using a bearer token which expires after 30 min / used for the refresh process
  • login view with standard user/pwd
  • QR with direct URL to a view, containing encrypted timestamp and tour information

When logging in using the QR code,
the user/role which will be used
has only read access to 2 entities and write access to single attributes for 1 entity.
And only access to 1 list view and 1 detail view.

There are 2 QR codes.
QR code 1 is related to exactly 1 tour and the actual day,
created/printed on a daily basis.
The code 1 print is in a tourbook which is given to the driver for that tour for that day.
QR code 2 is related to 1 vehicle and is a sticker inside the vehicle.

The driver will scan code 1 and will get access to the list view with an empty grid.
Then code 2 needs to be scanned, and the first object for the tour will be activated and visible.
The driver will then open the detail for that activated object.
But that is only possible when the vehicle is within a maximum distance radius of the object.
The distance is calculated live online based on the GPS tracker inside the vehicle.

Even when both QR codes are posted on the internet,
you would need the vehicle to be able to do anything in the app.
And when you manage to hack that,
the worst thing which can happen is that the data for one day might be lost.
That risk is known and all are fine with that.

++++++

I am now looking at how to log in using the QR information and directly open the view.
I also thought about using an anonymous view.
That might be possible, because I have the encrypted information from the QR code, and with that
I can set all needed constraints at runtime.
But there is still the question of how to open the view via URL, passing all encrypted parameters.

That’s the whole story why I opened this topic.

KR
Roland
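Roland's QR URL carries an "encrypted timestamp and tour information", and Tom's question about long-living versus short-living codes comes down to whether the server can reject a stale or forged URL before it logs anyone in. The following is an added example, not code from this thread or from Jmix, showing one framework-independent way to do that in plain Java with only javax.crypto and java.util.Base64: the tour id, day and expiry are signed with HMAC-SHA256 (signed rather than encrypted, which is enough when the tour id itself need not be hidden), and verification checks the tag in constant time and the expiry before returning any claims. The class name TourQrToken, the query parameter t, the host app.example, the demo key and the sample tour and date are all assumptions; an anonymous entry view would call verify() and perform the trusted login only when it returns claims.

```java
import java.nio.charset.StandardCharsets;
import java.security.GeneralSecurityException;
import java.security.MessageDigest;
import java.time.Duration;
import java.time.Instant;
import java.time.LocalDate;
import java.time.ZoneOffset;
import java.util.Base64;
import java.util.Optional;
import javax.crypto.Mac;
import javax.crypto.spec.SecretKeySpec;

// Added example (not from the thread or from Jmix): a signed, short-lived payload for the
// tour QR code (code 1). The URL carries the claims in the clear plus an HMAC tag, so the
// server can reject forged or stale codes before any login happens.
public final class TourQrToken {

    private static final String ALG = "HmacSHA256";
    private static final Base64.Encoder ENC = Base64.getUrlEncoder().withoutPadding();
    private static final Base64.Decoder DEC = Base64.getUrlDecoder();

    // What the server puts into the URL: nothing secret, but unforgeable once signed.
    public record Claims(String tourId, LocalDate day, Instant expiresAt) {}

    private final byte[] key; // server-side secret; never part of the URL or the QR code

    public TourQrToken(byte[] key) {
        this.key = key.clone();
    }

    // Builds the query-string value to embed in the QR URL: base64url(body) "." base64url(tag).
    public String issue(Claims c) {
        String body = c.tourId() + "|" + c.day() + "|" + c.expiresAt().getEpochSecond();
        String b64 = ENC.encodeToString(body.getBytes(StandardCharsets.UTF_8));
        return b64 + "." + ENC.encodeToString(mac(b64));
    }

    // Returns the claims only if the tag verifies and the token has not expired at 'now'.
    public Optional<Claims> verify(String token, Instant now) {
        int dot = token.lastIndexOf('.');
        if (dot <= 0) {
            return Optional.empty();
        }
        String b64 = token.substring(0, dot);
        byte[] tag;
        try {
            tag = DEC.decode(token.substring(dot + 1));
        } catch (IllegalArgumentException e) {
            return Optional.empty();
        }
        // Check the tag first, in constant time, before trusting anything in the body.
        if (!MessageDigest.isEqual(mac(b64), tag)) {
            return Optional.empty();
        }
        String[] parts = new String(DEC.decode(b64), StandardCharsets.UTF_8).split("\\|", -1);
        if (parts.length != 3) {
            return Optional.empty();
        }
        try {
            Claims c = new Claims(parts[0], LocalDate.parse(parts[1]),
                    Instant.ofEpochSecond(Long.parseLong(parts[2])));
            return now.isBefore(c.expiresAt()) ? Optional.of(c) : Optional.empty();
        } catch (RuntimeException e) { // DateTimeParseException, NumberFormatException
            return Optional.empty();
        }
    }

    private byte[] mac(String data) {
        try {
            Mac m = Mac.getInstance(ALG);
            m.init(new SecretKeySpec(key, ALG));
            return m.doFinal(data.getBytes(StandardCharsets.UTF_8));
        } catch (GeneralSecurityException e) {
            throw new IllegalStateException(e);
        }
    }

    public static void main(String[] args) {
        // Constructed demo key; a real deployment uses 32 random bytes kept in server config.
        byte[] key = "constructed-demo-key-not-for-production".getBytes(StandardCharsets.UTF_8);
        TourQrToken tokens = new TourQrToken(key);

        LocalDate day = LocalDate.of(2024, 4, 18); // constructed tour day
        Instant printedAt = day.atStartOfDay(ZoneOffset.UTC).toInstant();
        Claims claims = new Claims("tour-0042", day, printedAt.plus(Duration.ofHours(24)));
        String t = tokens.issue(claims);
        System.out.println("QR URL (host assumed): https://app.example/qr-login?t=" + t);

        System.out.println("same day, valid tag:  " + tokens.verify(t, printedAt.plusSeconds(3600)).isPresent());
        System.out.println("next day, expired:    " + tokens.verify(t, printedAt.plus(Duration.ofHours(25))).isPresent());

        // Body with a different tour id but the original tag: the signature no longer matches.
        String otherBody = ENC.encodeToString(("tour-0099|" + day + "|" + claims.expiresAt().getEpochSecond())
                .getBytes(StandardCharsets.UTF_8));
        String mismatched = otherBody + t.substring(t.lastIndexOf('.'));
        System.out.println("other tour, same tag: " + tokens.verify(mismatched, printedAt.plusSeconds(3600)).isPresent());
    }
}
```

The expiry written into the claims is what makes code 1 short-living in Tom's sense: the daily print gets a 24-hour window and is rejected afterwards, even though the paper still exists. The key stays on the server, so the sticker in the vehicle (code 2) can be a separate, longer-lived payload signed the same way; the location check Roland describes remains the second gate after verification.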

Note: I'm not a Jmix employee and have not used any of the following options. In addition, I am still on Jmix 1.5 and on the classic UI, at least until all addons are ported to 2.x, so make sure this works on your version and chosen UI platform. I have zero experience with Flow UI.

But I think you can draw inspiration here:

  1. The concept of routes allows opening a screen based on the URL.
  2. The multitenancy plugin documentation uses query parameters to deduce the tenant. You could use the same mechanism to include the password and prefill the username/password with values from the URL.
  3. Another option is implementing a custom authentication provider. This post explains it in the context of MFA.

Thx Tom…
I will do some more tests with the anonymous view…
One issue I have is that the descriptions in the v1.5 docs do not all work in v2.x…
I will come back here and tell you my findings and the way through…

@r.walde @tom.monnier

Hi Roland, Hi Tom

Please look at the following code in the UserActivation.java screen in this attached example:
jmix-quickstart-security-advanced-complete.zip (172.1 KB)

private void loginAsTrusted() {
    log.info("Login without password");
    // Trusted login: the token carries only the username, no password is checked
    SystemAuthenticationToken token = new SystemAuthenticationToken(user.getUsername());
    Authentication authentication = authenticationManager.authenticate(token);

    VaadinServletRequest request = VaadinServletRequest.getCurrent();
    VaadinServletResponse response = VaadinServletResponse.getCurrent();

    // Let Spring Security set up the HTTP session for the new authentication
    sessionAuthenticationStrategy.onAuthentication(authentication, request, response);

    // Make the authentication current for this thread / UI
    SecurityContextHelper.setAuthentication(authentication);

    // Open the main screen as the new root screen
    screenBuilders.screen(this)
            .withScreenClass(MainScreen.class)
            .withOpenMode(OpenMode.ROOT)
            .build()
            .show();
}

I think that this, combined with some of the contents of the other files, may be what you are looking for.

I hope that this helps.

Best regards
Chris


Hi Chris,

thx for this information and the link!
We decided to go another way.
We created an anonymous-allowed blank view.
When this view is called, the passed encrypted parameters are used to
log in and then redirect to the restricted view which the users need.
It works fine for us in the scenario described above.

KR
Roland

Hi,

I am able to log in with this given method. But after that, when clicking on logout, we are not able to log out.

Screenshot from 2024-04-18 21-39-01

I am getting the above error when clicking on logout.