This article will provide an overview of the login security options available for embedded apps in the user logins settings of your Knack app.
This article covers the following topics:
What options are available when using logins on an embedded app?
When using logins on an embedded app, there are two settings options available for how user logins are managed: Cookies and Tokens.
Each option will give your users a different login experience:
/Embedded%20Login%20Security%20Settings/embeddedloginsecuritysettings1.png)
-
Cookies
-
Users logging into your embedded app will be redirected to a consent screen to log in.
-
White labeling, the option to conceal Knack’s name in the URL, is not available with this option.
-
-
Tokens
-
Users logging into your embedded app will log in using the Knack login view.
-
White labeling is available with this option, so Knack.com will not appear in the URL.
-
Using tokens is less secure than using Cookies.
-
| Option | Cookies | Tokens |
| Consent Screen | ✅ | 🚫 |
| White Label | 🚫 | ✅ |
| Secure | ✅ | some security risks |
Embedded Login Options
There are two different types of login options, each with trade-offs to consider that will determine your user’s login experience.
Cookies
Tip: It’s becoming increasingly more common for browsers (including Chrome, Safari, and Firefox) to block third-party cookies by default. For this reason, we recommend you guide your embedded app users to update their browser settings to allow third-party cookies for your app if you choose to use this option.
With the cookies login setting, the embedded app opens a new browser window to complete the authentication for the user logging in.
/Embedded%20Login%20Security%20Settings/embeddedlogin2.png)
For this option, users logging into your embedded app will be redirected to a consent screen to log in.
Note: White labeling, the option to conceal Knack’s name in the URL, is not available with this option.
| Consent Screen | White Label | Secure |
| ✅ | 🚫 | ✅ |
When you log in to your Knack app, a text file with unique data called a cookie is stored within your browser. The data contained within that cookie is a unique identifier of you and your computer that tells the app what data to share specific to you.
To put it another way, think of your browser as a pantry, where each website you visit has its own cookie jar. The cookie jar can have two classifications of cookies:
-
First-party cookies are stored by the domain you’re visiting directly.
-
Third-party cookies are stored by domains other than the one you’re currently visiting.
When you integrate your Knack app into your website, your website is considered the primary source, while the Knack app is considered a secondary source. In the past, it was common for secondary source cookies to be stored in your website's cookie jar.
However, due to concerns about privacy and online tracking, web browsers now block this practice by default. This is done to enhance privacy and protect users' personal information while browsing the web.
To authenticate the user, a consent screen is now required to allow our cookie to live in your website’s cookie jar. The consent screen must show the browser’s address bar and the domain must be the authenticating domain (Knack.com) so it cannot be white-labeled.
This is the same experience you may already be used to if you log in to other websites using a Google or Facebook account.
To use this option, select the Cookies option for the Embedded Login Security in the User Logins section of your app.
Tokens
Caution: This option is less secure than using cookies.
With the tokens login setting, the embedded app uses a normal Knack login form. For this option, users logging into your embedded app will not be redirected to a consent screen to log in and can log in directly through the embedded app.
/Embedded%20Login%20Security%20Settings/embeddedlogin3.png)
| Consent Screen | White Label | Secure |
| 🚫 | ✅ | less secure than cookies |
How does the tokens option work?
When you log in to a website, this option stores tokens in the browser. These tokens can then be used to authenticate the user logging into your app.
To use this option, select the Tokens option for the Embedded Login Security in the User Settings of your app.
Understanding Security Risks
We recommend only using the tokens option if you have full control over every computer that could potentially access your app and can ensure they’re only using trusted browser extensions. For example, you could use the IP whitelisting option to ensure only users located at a specific IP address are accessing your app.
This option goes against security best practices because using tokens can be prone to Cross-Site Request Forgery (CSRF). This creates a potential vulnerability where a third party could gain unauthorized access to the token value and log in as the user.
For instance, a malicious script could run on your webpage, search through your browser's storage, duplicate the token value, and pretend to be the user by using the duplicated token value.