Hi Prabath,

1. Can't we use the implicit grant type instead of *Authorization code*?


   - *Authorization Code* for apps running on a web server <http://aaronparecki.com/articles/2012/07/29/1/oauth2-simplified#web-server-apps>
   - *Implicit* for browser-based <http://aaronparecki.com/articles/2012/07/29/1/oauth2-simplified#browser-based-apps> or mobile apps <http://aaronparecki.com/articles/2012/07/29/1/oauth2-simplified#mobile-apps>

Any reason why it can't be used? Is that because we use a proxy app and a client app?

2. Also, can't we eliminate the use of the web view and rather use direct calls?

3. Also, can we have a custom grant type for mobile applications, so that the
same level of security is achieved?

On Mon, Mar 10, 2014 at 10:39 PM, Chan <duli...@wso2.com> wrote:

> IMO we don't revoke the mobile app's Consumer key and Consumer secret but
> revoke the Access token of a user. The next step for this integration is to
> map access tokens that have been issued for devices. With this integration
> EMM can revoke access of a mobile device to enterprise resources (APIs)
> completely by coordinating with IS.
>
> Cheers~
>
>
> On Mon, Mar 10, 2014 at 6:10 PM, Suresh Attanayaka <sur...@wso2.com> wrote:
>
>> Hi Manjula,
>>
>> Let me answer inline,
>>
>>
>> On Mon, Mar 10, 2014 at 4:54 PM, Manjula Rathnayake <manju...@wso2.com> wrote:
>>
>>> Hi all,
>>>
>>> How do we store client secret and access tokens in mobile application?
>>> Have we encrypted the client secret?
>>>
>> We can let the mobile app developer implement his own mechanism for
>> this, or if we are supporting this at the SDK, we can use a password to
>> encrypt the client secret.
>>
>>> In case the mobile device is lost, how do we remove the mobile application
>>> subscription from the OAuth server without affecting other mobile devices
>>> which use the same application? Do we generate the applicationId together with
>>> a unique mobile Id?
>>>
>>
>> The user can always revoke the tokens issued for the application. We can let
>> each application have its own client key and client secret as well using
>> dynamic client registration.
>>
>>
>>> Is the mobile IDP app code signed by a trusted cert? How does the trust
>>> relationship work between the mobile IDP and WSO2 IS?
>>>
>>
>> WSO2 IS does not have to trust the proxy IDP on the mobile. IS will always
>> validate the client key and client secret and will check user authentication at
>> login.
>>
>>
>>>
>>> thank you.
>>>
>>>
>>> On Mon, Mar 10, 2014 at 4:37 PM, Gayan Gunawardana <ga...@wso2.com> wrote:
>>>
>>>> Hi Nira,
>>>>
>>>> The reason to do it that way is that normally the client secret is not shared
>>>> with any other party.
>>>>
>>>>
>>>> On Mon, Mar 10, 2014 at 4:24 PM, Niranjan Karunanandham <niran...@wso2.com> wrote:
>>>>
>>>>> Hi Gayan,
>>>>>
>>>>> Here the IDP proxy app is only used to get the authorization code from
>>>>> the WSO2 IS and pass it to the SDK, after which the SDK communicates
>>>>> directly with the WSO2 IS to get the access token and manage the access
>>>>> token and refresh token.
>>>>> Just a small clarification: why can't we use the IDP proxy app to do
>>>>> this, i.e., let the IDP proxy app manage the access token and refresh
>>>>> token for each app, therefore cutting off the connection between the SDK
>>>>> and the WSO2 IS? Here, if the access token expires, the SDK will call the
>>>>> IDP proxy app to get the token refreshed.
>>>>>
>>>>>
>>>>>
>>>>>
>>>>> On Mon, Mar 10, 2014 at 3:58 PM, Gayan Gunawardana <ga...@wso2.com> wrote:
>>>>>
>>>>>> Image attached
>>>>>>
>>>>>>
>>>>>> On Mon, Mar 10, 2014 at 3:51 PM, Gayan Gunawardana <ga...@wso2.com> wrote:
>>>>>>
>>>>>>> Hi All,
>>>>>>>
>>>>>>> Problem: Implement SSO for enterprise mobile apps
>>>>>>>
>>>>>>> The idea is to provide an SDK for mobile app developers within the
>>>>>>> organization; they can then integrate the SDK inside the application and
>>>>>>> implement SSO across the required applications.
>>>>>>>
>>>>>>> Provide (SDK + Mobile IDP proxy app)
>>>>>>>
>>>>>>> To achieve the above purpose we plan to utilize OAuth 2.0 with the
>>>>>>> *Authorization code* grant type.
>>>>>>>
>>>>>>> Briefly explaining the message flow:
>>>>>>>
>>>>>>> Initially the new application has to be registered in WSO2 IS under
>>>>>>> OAuth management to obtain client_key, client_secret, Access Token Url
>>>>>>> and Authorize Url.
>>>>>>>
>>>>>>> 1. The SDK initiates the process by sending client_key, redirect_url and
>>>>>>> scope to the mobile IDP proxy app.
>>>>>>>
>>>>>>> 2. The IDP proxy app obtains the Authorization code.
>>>>>>>
>>>>>>> 3. The SDK (inside the mobile app) receives the Authorization code.
>>>>>>>
>>>>>>> 4. The SDK sends a second request directly to WSO2 IS with the Authorization
>>>>>>> code, client secret and redirect_url.
>>>>>>>
>>>>>>> 5. The SDK obtains the access token.
>>>>>>>
>>>>>>> 6. The mobile app passes the access token to the resource server.
>>>>>>>
>>>>>>> 7. The resource server contacts the IDP and validates the access token.
>>>>>>>
>>>>>>> This is much similar to the Facebook approach, where the Facebook
>>>>>>> application acts as the mobile IDP proxy app and they provide an SDK to
>>>>>>> develop apps. All your suggestions are welcome.
>>>>>>> --
>>>>>>> Gayan Gunawardana
>>>>>>> Software Engineer; WSO2 Inc.; http://wso2.com/
>>>>>>> Email: ga...@wso2.com
>>>>>>> Mobile: +94 (71) 8020933
>>>>>>> Blog: http://gayanj2ee.blogspot.com/
>>>>>>>
>>>>>>
>>>>>>
>>>>>>
>>>>>> --
>>>>>> Gayan Gunawardana
>>>>>> Software Engineer; WSO2 Inc.; http://wso2.com/
>>>>>> Email: ga...@wso2.com
>>>>>> Mobile: +94 (71) 8020933
>>>>>> Blog: http://gayanj2ee.blogspot.com/
>>>>>>
>>>>>> _______________________________________________
>>>>>> Architecture mailing list
>>>>>> Architecture@wso2.org
>>>>>> https://mail.wso2.org/cgi-bin/mailman/listinfo/architecture
>>>>>>
>>>>>>
>>>>>
>>>>>
>>>>> --
>>>>>
>>>>> *Niranjan Karunanandham*
>>>>> Senior Software Engineer - WSO2 Inc.
>>>>> WSO2 Inc.: http://www.wso2.com
>>>>> M: +94 777 749 661
>>>>>
>>>>>
>>>>>
>>>>
>>>>
>>>> --
>>>> Gayan Gunawardana
>>>> Software Engineer; WSO2 Inc.; http://wso2.com/
>>>> Email: ga...@wso2.com
>>>> Mobile: +94 (71) 8020933
>>>> Blog: http://gayanj2ee.blogspot.com/
>>>>
>>>>
>>>>
>>>
>>>
>>> --
>>> Manjula Rathnayaka
>>> Software Engineer
>>> WSO2, Inc.
>>> Mobile:+94 77 743 1987
>>>
>>>
>>>
>>
>>
>> --
>> Suresh Attanayake
>> Senior Software Engineer; WSO2 Inc. http://wso2.com/
>> Blog : http://sureshatt.blogspot.com/
>> Web : http://www.ssoarcade.com/
>> Facebook : https://www.facebook.com/IdentityWorld
>> Twitter : https://twitter.com/sureshatt
>> LinkedIn : http://lk.linkedin.com/in/sureshatt
>> Mobile : +94755012060
>> Mobile : +016166171172
>>
>>
>>
>
>
> --
> Chan (Dulitha Wijewantha)
> Software Engineer - Mobile Development
> WSO2Mobile
> Lean.Enterprise.Mobileware
>  ~Email       duli...@wso2.com <duli...@wso2mobile.com>
>  ~Mobile     +94712112165
>  ~Website   dulitha.me <http://dulitha.me>
>  ~Twitter     @dulitharw <https://twitter.com/dulitharw>
>  ~SO     @chan <http://stackoverflow.com/users/813471/chan>
>
>
>


-- 
*Shanmugarajah (Shan)*
Director Architecture, Enterprise Mobility
WSO2, Inc.; http://wso2.com
Email: s...@wso2.com
Mobile : +94777748260
Blog: http://shanfour.blogspot.com
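The seven-step flow from Gayan's first message, run end to end as an added example; this is my own Python, not WSO2, SDK or proxy-app code. IdentityServer is a constructed in-memory stand-in for the IS Authorize Url, Access Token Url, token validation and revocation, the proxy app's part is the authorize() call made without the client secret, and the single-use, redirect-bound code plus per-token revoke() cover the later points in the thread about the secret not being shared and revoking one device without affecting others.

```python
import secrets
import time

class IdentityServer:
    """Constructed in-memory stand-in for the IS OAuth endpoints (not WSO2 code)."""
    def __init__(self):
        self.clients = {}  # client_key -> (client_secret, redirect_url)
        self.codes = {}    # code -> (client_key, redirect_url, scope, user, expires_at)
        self.tokens = {}   # access_token -> (client_key, scope, user)

    def register_client(self, redirect_url):
        """OAuth management: register the app and get client_key, client_secret."""
        key, secret = secrets.token_hex(8), secrets.token_hex(16)
        self.clients[key] = (secret, redirect_url)
        return key, secret

    def authorize(self, client_key, redirect_url, scope, user):
        """Authorize Url, hit by the IDP proxy app after user login; no secret needed."""
        if client_key not in self.clients or self.clients[client_key][1] != redirect_url:
            return None  # unknown client or redirect_url mismatch
        code = secrets.token_urlsafe(16)
        self.codes[code] = (client_key, redirect_url, scope, user, time.time() + 60)
        return code

    def token(self, code, client_key, client_secret, redirect_url):
        """Access Token Url, hit by the SDK directly; this is where the secret is proven."""
        entry = self.codes.pop(code, None)  # codes are single use
        if entry is None:
            return None
        c_key, c_redirect, scope, user, expires_at = entry
        if (c_key != client_key or c_redirect != redirect_url or time.time() > expires_at
                or not secrets.compare_digest(self.clients[client_key][0], client_secret)):
            return None  # client authentication failed; the code is already consumed
        token = secrets.token_urlsafe(24)
        self.tokens[token] = (client_key, scope, user)
        return token

    def validate(self, token):
        return self.tokens.get(token)  # step 7: the resource server asks IS

    def revoke(self, token):
        self.tokens.pop(token, None)  # one device's token; other devices stay valid

def sso_flow(is_, client_key, client_secret, redirect_url, user, scope="openid"):
    """Steps 1-7 for one device; returns (access_token, what the resource server sees)."""
    # Steps 1-3: the SDK gives only client_key, redirect_url and scope to the proxy
    # app, which obtains the authorization code and passes it back to the SDK.
    code = is_.authorize(client_key, redirect_url, scope, user)
    # Steps 4-5: the SDK exchanges the code with IS itself, so the secret stays in the app.
    token = is_.token(code, client_key, client_secret, redirect_url)
    return token, is_.validate(token)  # steps 6-7: token passed on and validated
```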
