We are implementing Single Sign-On (SSO) for DHIS2 using OAuth2 / OpenID Connect (OIDC) (e.g., Keycloak, Okta, Azure AD), and we need clarity on how this works with offline login on the DHIS2 Android Capture app in low-connectivity environments.
Has anyone implemented a setup where Android Capture authenticates via SSO/OIDC when online, and users can then log in while offline later (after at least one successful online login)?
If you’ve done this, could you share more insights on how you achieved this? Thank you.
I triaged this to the @dhis2-android team and what I understood so far is that the “log out” settings work the same regardless of the signing method. I will let you know when I have a confirmation.
Please do feel free to add your comments if you do try to test this feature extensively. I’m sure it will be helpful for all.
In July when we discussed this with @vgarciabnz, he said: The offline login functionality does not work for OpenId login at the moment, not even in 3.2.0. The offline login functionality is based on the comparison of the hash of username-password. In openId there is no username-password so there is not an easy way to authenticate the user offline. We have talked about this sometimes and the approach we like the most is setting a PIN code to protect the account. This PIN code will be optionally defined at logout and will be used to allow the user in again. We already have PIN-based protection of the app, but it is just to protect the whole app and not a single account, so it does not allow switching accounts.
Sorry for the late reply, it was lost in my radar.
The quote shared by @spaton is still relevant, nothing has changed since then, thanks for sharing it here.
I just wanted to add a clarification on the authentication flow: when we talked about offline login, it means the capability of doing a login after an explicit logout in the DHIS2 Android app. I mean, the user does a login in the app, then a logout and it goes offline. In this situation, it is not possible to log in again while offline because the login process needs a connection to the OAuth provider. But, if the user doesn’t log out the app, the user can still use the application as usual even offline. It doesn’t matter if the user closes the app and opens it again; the application will continue working offline as long as the user doesn’t log out.
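The mechanism described in the thread, as an added sketch that is not DHIS2 Android code and not part of any post above: offline login compares a stored hash of username-password, an OpenID login leaves nothing to hash, and a per-account PIN set at logout would fill that gap. The class and method names, the PBKDF2 parameters, the lockout threshold and the sample accounts are all assumptions made for illustration.

```python
import hashlib, hmac, os

ITERATIONS = 100_000   # assumed work factor, not a DHIS2 value
MAX_FAILURES = 5       # assumed lockout threshold, not a DHIS2 value

def derive(username: str, secret: str, salt: bytes) -> bytes:
    # Salted, slow hash of "username:secret"; only this digest stays on the device.
    return hashlib.pbkdf2_hmac("sha256", f"{username}:{secret}".encode(), salt, ITERATIONS)

class OfflineAccountStore:
    """Hypothetical on-device store holding one verifier per account."""

    def __init__(self):
        self.verifiers = {}   # username -> [salt, digest, failed_attempts]

    def _remember(self, username, secret):
        salt = os.urandom(16)
        self.verifiers[username] = [salt, derive(username, secret, salt), 0]

    def online_password_login(self, username, password):
        # The server accepted the credentials, so a verifier can be stored.
        self._remember(username, password)

    def online_oidc_login(self, username):
        # The app only receives tokens from the identity provider: there is
        # no password to hash, so no verifier exists after this login.
        self.verifiers.pop(username, None)

    def set_logout_pin(self, username, pin):
        # The idea from the thread: an optional per-account PIN set at logout.
        self._remember(username, pin)

    def offline_login(self, username, secret):
        entry = self.verifiers.get(username)
        if entry is None:
            return False                  # nothing to compare against
        salt, digest, _ = entry
        if hmac.compare_digest(digest, derive(username, secret, salt)):
            entry[2] = 0
            return True
        entry[2] += 1
        if entry[2] >= MAX_FAILURES:      # a short PIN is guessable: require online login
            del self.verifiers[username]
        return False
```

A PIN has far less entropy than a password, which is why the sketch discards the verifier after repeated failures and falls back to an online login.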