Hi there,
We are trying to integrate Internet Identity with the Telegram mini app. According to Integrating with II, we use the authAgent.login() function to invoke the II login or registration process. However, this function opens a new tab in the Telegram mini app, which leads to a new window outside of the tg mini app itself.
Is there a way to keep the redirection within the mini app so that users can log in with Internet Identity directly inside the mini app?
Could be possible, but not sure if that is best practice. Me personally, I don’t trust applications that do OAuth sign-in without opening a browser and they wrap the flow inside the app… Who knows what kind of BS is going on under the hood.
Try checking this out. Might be useful: https://internetcomputer.org/docs/current/developer-docs/security/security-best-practices/iam#integrating-internet-identity-on-mobile-devices
Internet Identity does not directly support sign in flows between different browsers (e.g. Telegram browser and Chrome browser).
Besides Telegram mini apps, this also affects the development of sign in with Internet Identity in mobile apps.
So instead, the recommended approach is to implement a flow where you authenticate with Internet Identity in the same browser to a website on behalf of your app. Then this website can delegate towards the app with e.g. a universal link.
More information can be found in this forum post and the linked documentation within that post: New security best practice on integrating II for mobile apps
I have no experience with Telegram mini apps, so I’m not sure if it’s possible to link to a browser outside the mini app and then link back to the mini app. Any insights and/or feedback in this regard would be highly appreciated.
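A minimal model of the flow recommended in the reply above (sign in on a website in the system browser, then delegate to the app over a link), added here as an illustration and not code from this thread, from Internet Identity, or from the @dfinity libraries. The delegation format, the function names and the Ed25519 keys standing in for the web identity are all assumptions; it runs on Node.js with only the built-in crypto module.

```javascript
// Simplified model only: NOT Internet Identity's real delegation format and
// not the @dfinity libraries. Every name below is hypothetical.
const crypto = require("node:crypto");

const spkiB64 = (key) => key.export({ type: "spki", format: "der" }).toString("base64");
// Bytes that get signed: the target session key plus the expiry.
const payload = (d) => Buffer.from(JSON.stringify([d.sessionPub, d.expiresAtMs]));

// Step 1 (mini app): create a session key pair; only the public key leaves the app.
function createAppSession() {
  const { publicKey, privateKey } = crypto.generateKeyPairSync("ed25519");
  return { sessionPub: spkiB64(publicKey), privateKey };
}

// Step 2 (website, in the system browser, after the user signed in there):
// delegate from the web identity to the app's session key with a short expiry.
function websiteDelegate(webIdentity, sessionPub, ttlMs, now = Date.now()) {
  const d = { sessionPub, expiresAtMs: now + ttlMs };
  const sig = crypto.sign(null, payload(d), webIdentity.privateKey).toString("base64");
  return { ...d, issuerPub: spkiB64(webIdentity.publicKey), sig };
}

// Step 3 (mini app): the delegation arrives through a link, so treat it as
// untrusted input. This model does not pin which issuer the app trusts.
function acceptDelegation(session, d, now = Date.now()) {
  if (d.sessionPub !== session.sessionPub) return { ok: false, reason: "wrong-session-key" };
  if (!(d.expiresAtMs > now)) return { ok: false, reason: "expired" };
  const issuer = crypto.createPublicKey({
    key: Buffer.from(d.issuerPub, "base64"), format: "der", type: "spki" });
  const valid = crypto.verify(null, payload(d), issuer, Buffer.from(d.sig, "base64"));
  return valid ? { ok: true } : { ok: false, reason: "bad-signature" };
}

// Constructed demo: one valid hand-off and three that the app must reject.
function demo() {
  const webIdentity = crypto.generateKeyPairSync("ed25519");
  const app = createAppSession();
  const otherApp = createAppSession();
  const good = websiteDelegate(webIdentity, app.sessionPub, 15 * 60 * 1000);
  return {
    good: acceptDelegation(app, good),
    wrongApp: acceptDelegation(otherApp, good),
    expired: acceptDelegation(app, good, good.expiresAtMs + 1),
    tampered: acceptDelegation(app, { ...good, expiresAtMs: good.expiresAtMs + 1e9 }),
  };
}
```

The session private key never leaves the app, so a delegation captured from the return link is of no use to anyone who does not hold that key.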
I assume you’re referring to embedding a sign-in within a webview of a mobile app. This is not a recommended approach, nor will users actually be able to sign in with their passkey in the case of Internet Identity, since iOS/Android scopes passkeys to prevent this from being possible.
Sure, but my main concern is it could be a keylogger/phishing attempt. Fake OAuth flow capturing your sign-in details.
Thank you for everyone’s feedback. We resolved the issue by referring to all the information provided above.