Add Biometric features

[Badisi]

Investigate if TouchID, FaceID, WebAuthn, etc. could add any value and how they could be implemented.

[ms-emp]

@Badisi

I had an idea as follows:

1. The first time the user visits the app, we redirect to login
2. At the identity provider we set the refresh token lifetime to 24 hours
3. When the app is resumed from the background we right away prompt the user for biometric
4. If successful, we check the current session, if expired, we try to do a silent refresh using the refresh token, once we have an active session we let the user in, if silent renew fails (the refresh token expired, meaning the user didn't use the app for more than 24 hours) we redirect to login

So as long as the user uses the app regularly (let's say once every 24 hours), the user doesn't have to re-enter his credentials.

[ms-emp]

@Badisi

I was considering implementing biometric login. My plan was to use a longed-lived refresh token, and when the user enables biometric login in the app, I will store the current user using UserManager.getUser under biometric storage. Then, when the user opens the app again and verifies with biometric, I would retrieve the user from the biometric storage and set that user using UserManager.storeUser and trigger a silent renew which will use the previously stored refresh token. However, these APIs are hidden when using ngx-auth.

Do you have any input on this flow, and can you think of a way of making these API's public?

[Badisi]

Using long-lived refresh_token can be risky in case they are stolen. To mitigate this you can use short-lived tokens and refresh token rotation which renew every token (ie. refresh, access and id tokens) every time.

And in any case, the library automatically store and renew the tokens for you, so you don't have to store and retrieve the user yourself.

[Badisi]

@ms-emp, thanks for the interest!

My reflection on the topic has evolved since I created this discussion, and I don't think adding biometrics to this library brings any additional value, nor that it has anything related to authentication (unless there are opinions to the contrary).

From my point of view, using FaceID/TouchID via the phone’s native APIs does not enhance authentication. To me, it’s simply an additional layer of security (like an extra door), and it doesn't fundamentally change the authentication already in place through the library.

Currently, tokens are already stored in a secure space on the phone, and the library already automatically renews these tokens before they expire. The maximum connection time for a user before they need to reconnect therefore depends on the combination of token lifetimes and the session duration itself. And it doesn't matter if the app is closed or reopened, user can still remain connected as long as a the session or token are active.

FaceID/TouchID only act as an additional security barrier and/or a facilitator to help the user reconnect (e.g., by storing the username/password and automatically re-injecting them in case of success).

Adding these features to the library, knowing that they wouldn’t be tied to any authentication flow, would merely expose the APIs of the associated plugins and would offer nothing more than if the developer directly imported those plugins themselves.

What do you think?

[ms-emp]

@Badisi

I opened a PR to show how little it's needed to accomplish the ability of biometric login.

[Badisi]

Thanks for the follow-up.

I think I must have gotten lost in my explanations last time.
Please allow me to clarify it a bit.

---

This library does save and reuse your tokens already (i.e. what's called 'User' in oidc-client-ts):

On mobile

1. User open the mobile app
2. User is asked to authenticate
3. User successfully authenticate
4. Tokens are retrieved from the IDP and saved in provided storage
5. From now on, no matter if the app is left as is, or closed / put in background and reopened => if it detects that the access_token is going to expire or is already expired, it will try to use the stored refresh_token to renew all tokens.

So I would say that what you are trying to achieve is kind of useless, because this is already what is being done (i.e. tokens are stored and reused when needed). And besides that, I have some reservations with exposing the refresh_token.

---

IMO, if you want to use biometrics, you could use it regardless of the authentication:

1. User open the mobile app
2. User is asked to use FaceID
3. FaceID api returns OK or KO
4. If KO => app logs out current user and ask for re-authentication
5. If OK -> app is loaded as usual and either:
   5.1. user is still authenticated
   5.2. token has expired, so refresh_token is used

That's why I called it "an extra door", because there is no relation between the biometrics and the library.
The library does already all the job that's needed, and the biometrics is just adding an extra step prior to it.
This is the same thing that you would do to protect part of your application (i.e. when navigating/accessing sensible data, you would pop a FaceID that would act as a guard)

You could also provide your own Storage implementation and adds biometrics validation any time data needs to be accessed.

[ms-emp]

@Badisi

The library will refresh the token only if the user has not signed out of the app. However, I would like users to be able to sign in to the app using Face ID, even after they have explicitly signed out and the token has been removed from storage.

[Badisi]

Then, can you please explain how it would work ? (like a step by step scenario)
Because to me, if the user is logged out, session is terminated and tokens are revoked.
So there is no way the user could re-login with only a FaceID...

[ms-emp]

The refresh_token is not automatically revoked when the user logs out, and there is no requirement to revoke it. See here

Here’s a step-by-step breakdown of how it would work:

1. Initial Login:

   • The user logs in using their username and password via the system browser.
   • During this process, request the offline_access scope to obtain a longed-lived refresh token.

2. Biometric Login Setup:

   • When the user opts to enable biometric login, the obtained refresh token is securely stored in the device’s secure storage.

3. Re-login with Biometrics:

   • When the user opens the app after signing out, prompt them for biometric authentication.
   • Upon successful biometric authentication, retrieve the stored refresh token from secure storage.
   • Use the refresh token to request a new access token from the OIDC provider.

[ms-emp]

@Badisi

Would you consider accepting this PR? It does not change any logic, it simply makes some APIs public, allowing me to successfully implement biometric login.