Security for Web Apps
Visual Builder apps can use Oracle Identity Cloud Service (IDCS) for token-based authentication. Token-based authentication protects your business data from unauthorized access, while letting your app's users return to the app without having to log in each time.
When a user logs in to your deployed app, the app authenticates with IDCS, which sends a token to the app. Once authenticated, the user can continue to use the app without having to log back in until the token expires, typically after 8 hours.
Whenever the app makes a call to the REST service, it retrieves the token and attaches it to the request. As long as the token is still valid, the REST service sends the appropriate response. If the token has expired, the service rejects the request (returns HTTP 401) and the user is redirected to the log-in screen.
For web apps and PWAs (including PWA-enabled mobile apps), the token is stored in the browser session and is discarded when the user closes the browser window, exits the PWA, or reboots the device. When the user relaunches the app following one of these events, they are prompted to log back in.
The following table describes the authentication behavior after some common user events such as restarting, rebooting, and going online:
| What happens if ... | Web | PWA | 
|---|---|---|
| ...I quit my app or it crashes and I relaunch it? ...I reboot my device and relaunch the app? | I am prompted to log back in. For web apps, the token is stored in the browser session and is discarded when the browser window or the app is closed. | If the device is online, I am prompted to log back in. For PWAs, the token is stored in the browser session and is discarded when the browser window or the app is closed. If the device is offline, the PWA uses a cached user object to allow me to continue working with cached data. I am only prompted to log back in when I reestablish an Internet connection. | 
| ...I switch from a data network to a WiFi network or vice versa? | I am not prompted to log in. Changing networks does not affect token behavior or duration. | I am not prompted to log in. Changing networks does not affect token behavior or duration. | 
| ...I lose my network connection or switch to airplane mode? | I receive a browser error, such as a "No internet" error (Google Chrome). If my web app uses the cache control HTTP header to manage cached data, I can continue to work in offline mode. See Add Offline Support Using the Oracle Offline Persistence Toolkit. | I can continue to work in offline mode with cached data even after the token expires, since I am not connecting to the server. The app uses the Oracle Offline Persistence Toolkit (OPT) to manage cached data. See Add Offline Support Using the Oracle Offline Persistence Toolkit. | 
| ...My device comes back online? | If the token is still valid, I can continue working as before without having to log in. If the token has expired, I am prompted to log in again. | If the token is still valid, I can continue working as before without having to log in. If the token has expired, I am prompted to log in again. |
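The following JavaScript is an added example, not code from the Visual Builder documentation or runtime. It models the client-side token lifecycle described in the paragraphs above and the offline rows of the table: the token is kept in the browser session (sessionStorage, which is discarded when the window or PWA closes), attached as a bearer token to every REST call, dropped when it has expired locally or when the service answers 401, and, in the PWA offline case, ignored in favour of a cached user and cached data until the device is back online. The storage keys, the outcome strings, the `AuthClient` class and the split into `prepareRequest` and `handleResponse` are assumptions chosen for illustration; a real IDCS-integrated app obtains the token and its lifetime from the IDCS response rather than from the `onLoginSuccess` call used here.

```javascript
// Added illustration, not Visual Builder or IDCS code. Storage keys, outcome
// strings and the prepare/handle split are assumptions for this example.

const TOKEN_KEY = 'idcs_access_token';
const EXPIRY_KEY = 'idcs_token_expiry';   // absolute expiry, ms since epoch
const USER_KEY = 'cached_user';           // identity a PWA keeps for offline use

// sessionStorage lives only as long as the browser window or PWA, which is
// what discards the token on close or reboot. Under Node (no sessionStorage)
// fall back to an in-memory map so the example runs stand-alone.
function makeSessionStore() {
  if (typeof sessionStorage !== 'undefined') return sessionStorage;
  const m = new Map();
  return {
    getItem: (k) => (m.has(k) ? m.get(k) : null),
    setItem: (k, v) => { m.set(k, String(v)); },
    removeItem: (k) => { m.delete(k); },
  };
}

class AuthClient {
  // Dependencies are injected so the logic can be exercised without a browser:
  //   isOnline: () => boolean   (navigator.onLine in a browser)
  //   onLogin:  () => void      (send the user to the IDCS login screen)
  //   now:      () => number    (Date.now, replaceable to simulate expiry)
  constructor({ store = makeSessionStore(), isOnline, onLogin, now = Date.now }) {
    Object.assign(this, { store, isOnline, onLogin, now });
    this.cache = new Map();   // url -> last body the service returned
  }

  // Called once IDCS has returned a token; expiresIn is seconds (8 h = 28800).
  onLoginSuccess(token, expiresIn, user) {
    this.store.setItem(TOKEN_KEY, token);
    this.store.setItem(EXPIRY_KEY, String(this.now() + expiresIn * 1000));
    this.store.setItem(USER_KEY, JSON.stringify(user));
  }

  tokenIsValid() {
    const expiry = Number(this.store.getItem(EXPIRY_KEY));
    return Boolean(this.store.getItem(TOKEN_KEY)) && Number.isFinite(expiry) && this.now() < expiry;
  }

  cachedUser() {
    const u = this.store.getItem(USER_KEY);
    return u ? JSON.parse(u) : null;
  }

  // Drop the bearer token and send the user back to log in. The cached user
  // and data are kept so a later offline session can still read them.
  forceLogin() {
    this.store.removeItem(TOKEN_KEY);
    this.store.removeItem(EXPIRY_KEY);
    this.onLogin();
    return { outcome: 'login' };
  }

  // Step 1, before anything is sent. Outcomes:
  //   'send'            attach the token and call the service
  //   'login'           online but no usable token: log in again
  //   'offline-cached'  PWA offline: serve cached data for the cached user,
  //                     even if the token has meanwhile expired
  //   'offline-no-data' offline and nothing cached for this URL
  prepareRequest(url) {
    if (!this.isOnline()) {
      if (this.cachedUser() && this.cache.has(url)) {
        return { outcome: 'offline-cached', data: this.cache.get(url) };
      }
      return { outcome: 'offline-no-data' };
    }
    if (!this.tokenIsValid()) return this.forceLogin();   // expired locally: don't send it
    return {
      outcome: 'send',
      headers: { Authorization: `Bearer ${this.store.getItem(TOKEN_KEY)}` },
    };
  }

  // Step 2, the service's answer. A 401 means the token was rejected.
  handleResponse(url, status, body) {
    if (status === 401) return this.forceLogin();
    if (status !== 200) return { outcome: 'error', status };
    this.cache.set(url, body);
    return { outcome: 'ok', data: body };
  }

  // Glue around the global fetch (browser, or Node 18+).
  async callRest(url) {
    const prep = this.prepareRequest(url);
    if (prep.outcome !== 'send') return prep;
    const res = await fetch(url, { headers: prep.headers });
    const body = res.status === 200 ? await res.json() : null;
    return this.handleResponse(url, res.status, body);
  }
}
```

Two points worth noting when reading this against the table. First, the local expiry check in `prepareRequest` means an expired token is never put on the wire; the 401 branch in `handleResponse` covers the case where the service revokes or rejects a token that still looks valid to the client. Second, the offline branch deliberately does not consult `tokenIsValid()`: as the table says, a PWA keeps working from cache after expiry because nothing reaches the server, and the login prompt only appears once `isOnline()` is true again.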