Automatic login for Web based GUI

Related products: Windows GUI

Deeplinking to a processflow in a Thinkwise application is already possible. But when a user gets (for example) an email with a deeplink to a processflow that confirms the timely delivery of a work order, he or she always has to enter his or her credentials and press Login.

Wouldn't it be great to somehow have a JavaScript or other solution on the login button (or login page of the GUI) that recognizes the fact that a username and password are already entered and automatically does the login?

The username and password can be stored by the browser, so for a user it would seem as if the deeplink really is what it pretends to be.

 

There are many ways for this to be done.

One would be, as you suggested, to have the login process store a local cookie in the browser, which is queried for in every request to check if a user is authenticated and/or authorized for the current request. However, cookies are becoming an increasingly outdated technology and may not be the safest solution, depending on how the user's browser handles cookies.

 

Another solution could be to incorporate a special query parameter in the link behind the login button, containing a unique SHA256 hash string. This hash is simultaneously stored somewhere in the application, along with minimal information specifying the user authorized for the request.

That way a user can click the deeplink in the email, without any form of authentication on the user's end. And guesstimating a SHA256 hash is significantly harder than intercepting a basic auth header and decoding the Base64 string, especially when a predetermined salt is used for the hashing algorithm.

 

All in all, definitely a great solution to make things easier on the end-user.
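
A sketch of the link-token approach from the reply above, as an added example that is not part of the original post and is not Thinkwise code. It varies the idea slightly: the link carries a random token and the application stores only the token's SHA-256 digest next to the user. The function names, the example URL, the in-memory store, the expiry time and the single-use rule are all assumptions.

```python
import hashlib
import secrets
import time

# Hypothetical in-memory store: sha256(token) -> record.
# A real application would keep this in a database table.
LINKS = {}

def issue_deeplink(user, processflow, ttl_seconds=3600, now=None):
    """Create a link token bound to one user and one processflow."""
    now = time.time() if now is None else now
    token = secrets.token_urlsafe(32)  # 256 bits from the OS CSPRNG
    digest = hashlib.sha256(token.encode()).hexdigest()
    # Only the digest is stored, so a leaked table does not yield usable links.
    LINKS[digest] = {
        "user": user,
        "processflow": processflow,
        "expires": now + ttl_seconds,
    }
    # Placeholder host; the real deeplink format is not given in this thread.
    return "https://app.example.invalid/deeplink?t=" + token

def redeem(token, processflow, now=None):
    """Return the authorized user for this link, or None if it is not valid."""
    now = time.time() if now is None else now
    digest = hashlib.sha256(token.encode()).hexdigest()
    # pop() makes every token single use, including on a failed check below.
    record = LINKS.pop(digest, None)
    if record is None:
        return None  # unknown or already used token
    if now > record["expires"]:
        return None  # link is too old
    if record["processflow"] != processflow:
        return None  # token was issued for a different processflow
    return record["user"]
```

The returned user is authorized for that one processflow only; anything beyond it would still go through the normal login.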


Hi guys,

I like the idea.

I think we should leave it up to the user to tell the browser to remember their credentials. That's the safest way to store the credentials in the client. When the user has allowed it and a deeplink is incoming, we can try to continue seamlessly to the main page without user interaction.

Notice the Web GUI doesn't allow you to work with multiple GUIs in the same browser. Others will be logged off.

I think our Universal GUI will support this seamlessly, when deeplinking is supported.

Regards, Erik


Updated idea status: New → Open

Notice the Web GUI doesn't allow you to work with multiple GUIs in the same browser. Others will be logged off.

If the user's main instance is logged off when another is opened in the same browser, it seems very tedious to run these tasks from an e-mail with automatic authentication in general.

The user could be doing other work while waiting on the e-mail. If he then clicks the deeplink, all his work is lost as the instance will be automatically logged off. Unless I misunderstand the inner workings of the web GUI as you described, this renders automatic authentication in deeplinks as more of a hazard than an addition to a smooth workflow.

I think we should leave it up to the user to tell the browser to remember their credentials. That's the safest way to store the credentials in the client.

This depends on how the client remembers passwords. A lot of people are using third-party tools such as Dashlane or 1Password instead of their browser's built-in credentials vault. Most of those tools do not allow links to directly read credentials (or without prompting the user at least, again rendering this solution slightly redundant).


You're right. As a workaround, you could think of a separate Web GUI instance to handle deeplink requests, apart from the version the user works in in general.

As I mentioned, this problem will be resolved in time using the Universal GUI.

 

Let's leave the technical implementation of remembering the credentials up to our developers 😉 Thanks for thinking about it.