Tutorial: Authentication and Security

Authentication and Security


This app can manage OpenRosa form authentication for protected forms, i.e. it is possible to log in to forms with credentials set in your OpenRosa Server (e.g. Aggregate/KoBo), just like in ODK Collect.

Alternatively, you could make use various external authentication methods, i.e. using the authentication management of your form and data server.

For more information see this documentation page and the configuration documentation.


There are two major security considerations to be aware of. Both of these result in the need to run this application on https with a valid SSL certificate.

API security is mainly arranged by the secret API key set up in config/config.json. This API key is sent in cleartext to Enketo by the form/data server (such as ODK Aggregate) and can easily be intercepted and read if the transport is not secure. Somebody could start using your Enketo Express installation for their own form/data server, or obtain the URLs of your forms. Using secure (https) transport mitigates against this hazard. Security increases as well by populating the server url in config/config.json. Also, don't forget to change your API key when you start running Enketo Express in production.

Form authentication is only secure when Enketo is running on https. To avoid leaking form server credentials, authentication is automatically disabled when the app is accessed in a 'production' environment on 'http'. If you have to to run the app on http in a production environment, you can bypass this security by setting "allow insecure transport": true in config/config.json. The only use case this would be acceptable in is when running the app on a local protected network (e.g. in the KoBo VM).