Authentication
In order to use a solution, a user needs to be authenticated. Authentication is carried out at two levels: (i) whether a user needs to log in to the server or not; if yes, verify the login credentials; (ii) what kind of permissions are granted to a user when accessing a particular workflow; different users can be assigned different permissions.
Three types of user authentication are available for embedded webpage solutions:
•Anonymous user: The user does not need to log in
•User login: When the solution loads, the MobileTogether Server login page is displayed in the solution, and the user can log in using credentials that are currently registered with MobileTogether Server
•JWT authentication: The authentication is defined outside the MobileTogether system, and is carried out silently without the user having to log in to MobileTogether Server
Pros and cons of the different authentication methods
The following points should be considered when deciding upon the authentication method for an embedded webpage solution:
•Letting users be anonymous is safe if the solution is used for simple data processing, and does not allow the modification of important databases or the display of sensitive information from databases.
•User login requires the user's login details to be registered with MobileTogether Server and for the user to know the login details.
•User login adds a possibly unwanted layer of interaction between user and solution.
•User login enables users to be authenticated individually.
•JWT authentication is carried out silently, by means of communications that are triggered by code in the webpage. The implementer can decide how to handle the authentication process; this provides flexibility in the design of communication systems.
One session, one type of authentication
If a session between webpage and server uses one type of authentication, it will continue to use that authentication method till the session is ended or re-started. A session ends when the user logs out or when the server times out (the session timeout is specified in the server settings).