Hi All,

According to the review I had with Shan and Prabath, I have been working on
increasing the usability of the SDK.

Expectation
1. Invoking the IDP Proxy application is not transparent to the application
developer.
2. Getting an access token should be simple (reduce the number of lines)
3. The SDK should intelligently handle token expiration

1 and 2 are already completed.

For the 3rd task we need a discussion; when can we have it?




On Mon, Mar 31, 2014 at 3:13 PM, Gayan Gunawardana <ga...@wso2.com> wrote:

> Hi All,
>
> These are frequently asked questions. I will try to provide answers in
> consecutive mails. If you have further questions or if you have good
> answers for existing questions, please reply here.
>
> 1. Reason to use the Authorization code grant type
>
> 2. Advantages of having a webview in the IDP proxy application over the native
> application directly calling the mobile web browser
>
> i. Phishing attack
>
> ii. Problem of maintaining the same session across multiple browsers
>
> iii. If the user kills the browser, SSO does not work
>
> 3. How to securely store the access token and client secret
>
> 4. What happens if the refresh token is expired
>
> 5. Reason to use a webview in the IDP proxy application, why not native
> capabilities
>
> 6. Does it support logout?
>
> 7. Reason not to have code signing in the IDP Proxy application and SDK
>
> 8. What happens if one client secret and client id are used by multiple
> applications
>
>
> On Sun, Mar 30, 2014 at 9:54 PM, Gayan Gunawardana <ga...@wso2.com> wrote:
>
>> Seems like it does not work with IS 4.10 properly :(. I will try to
>> figure out where things are going wrong.
>>
>>
>> On Fri, Mar 28, 2014 at 11:32 AM, Gayan Gunawardana <ga...@wso2.com> wrote:
>>
>>> Sure I will check with IS 4.1.0
>>>
>>>
>>> On Fri, Mar 28, 2014 at 10:59 AM, Prabath Siriwardena <prab...@wso2.com> wrote:
>>>
>>>> Great..!!! Can we also start with iOS app...?
>>>>
>>>> Also - can you please test this with IS 4.1.0..?
>>>>
>>>> Thanks & regards,
>>>> -Prabath
>>>>
>>>>
>>>> On Thu, Mar 27, 2014 at 4:31 PM, Gayan Gunawardana <ga...@wso2.com> wrote:
>>>>
>>>>> Hi All,
>>>>>
>>>>> The code is still under development, but anybody who is interested can
>>>>> try it.
>>>>>
>>>>> Android SDK
>>>>> [1] https://github.com/GayanM/android-idp-sdk
>>>>>
>>>>> IDP Proxy mobile app
>>>>> [2] https://github.com/GayanM/IDP-Proxy-App
>>>>>
>>>>> Sample Client Application
>>>>> [3] https://github.com/GayanM/IDP-Consumer-Samples
>>>>>
>>>>> I will provide a readme once final review is done.
>>>>>
>>>>>
>>>>>
>>>>>
>>>>> On Tue, Mar 11, 2014 at 12:16 PM, Shanmugarajah Sinnathamby <
>>>>> s...@wso2.com> wrote:
>>>>>
>>>>>> Hi Prabath,
>>>>>>
>>>>>> 1. Can't we use the implicit grant type instead of *Authorization
>>>>>> code*?
>>>>>>
>>>>>>    - *Authorization Code* for apps running on a web server
>>>>>>      <http://aaronparecki.com/articles/2012/07/29/1/oauth2-simplified#web-server-apps>
>>>>>>    - *Implicit* for browser-based
>>>>>>      <http://aaronparecki.com/articles/2012/07/29/1/oauth2-simplified#browser-based-apps>
>>>>>>      or mobile apps
>>>>>>      <http://aaronparecki.com/articles/2012/07/29/1/oauth2-simplified#mobile-apps>
>>>>>>
>>>>>> Any reason why it can't be used?
>>>>>> Is that because we use a proxy app and a client app?
>>>>>>
>>>>>> 2. Also, can't we eliminate the use of the web view and rather use direct
>>>>>> calls?
>>>>>>
>>>>>> 3. Also, can we have a custom grant type for mobile applications, so
>>>>>> that the same level of security is achieved?
>>>>>>
>>>>>>
>>>>>>
>>>>>>
>>>>>> On Mon, Mar 10, 2014 at 10:39 PM, Chan <duli...@wso2.com> wrote:
>>>>>>
>>>>>>> IMO we don't revoke the mobile app's Consumer key and Consumer secret
>>>>>>> but revoke the Access token of a user. The next step for this integration
>>>>>>> is to map access tokens that have been issued for devices. With this
>>>>>>> integration EMM can revoke access of a mobile device from enterprise
>>>>>>> resources (APIs) completely by coordinating with IS.
>>>>>>>
>>>>>>> Cheers~
>>>>>>>
>>>>>>>
>>>>>>> On Mon, Mar 10, 2014 at 6:10 PM, Suresh Attanayaka <sur...@wso2.com> wrote:
>>>>>>>
>>>>>>>> Hi Manjula,
>>>>>>>>
>>>>>>>> Let me answer inline,
>>>>>>>>
>>>>>>>>
>>>>>>>> On Mon, Mar 10, 2014 at 4:54 PM, Manjula Rathnayake <
>>>>>>>> manju...@wso2.com> wrote:
>>>>>>>>
>>>>>>>>> Hi all,
>>>>>>>>>
>>>>>>>>> How do we store the client secret and access tokens in the mobile
>>>>>>>>> application? Have we encrypted the client secret?
>>>>>>>>>
>>>>>>>> We can let the mobile app developer implement his own mechanism
>>>>>>>> for this, or if we are supporting this at the SDK, we can use a
>>>>>>>> password to encrypt the client secret.
>>>>>>>>
>>>>>>>>> In case the mobile device is lost, how do we remove the mobile
>>>>>>>>> application subscription from the OAuth server without affecting other
>>>>>>>>> mobile devices which use the same application? Do we generate the
>>>>>>>>> applicationId together with a unique mobile Id?
>>>>>>>>>
>>>>>>>>
>>>>>>>> The user can always revoke the tokens issued for the application. We
>>>>>>>> can let each application have its own client-key and client-secret as
>>>>>>>> well, using dynamic client registration.
>>>>>>>>
>>>>>>>>
>>>>>>>>> Is the mobile IDP app code signed by a trusted cert? How does the
>>>>>>>>> trust relationship work with the mobile IDP and WSO2IS?
>>>>>>>>>
>>>>>>>>
>>>>>>>> WSO2IS does not have to trust the proxy IDP in the mobile. IS will
>>>>>>>> always validate client-key and client-secret and will check user
>>>>>>>> authentication at logins.
>>>>>>>>
>>>>>>>>
>>>>>>>>>
>>>>>>>>> thank you.
>>>>>>>>>
>>>>>>>>>
>>>>>>>>> On Mon, Mar 10, 2014 at 4:37 PM, Gayan Gunawardana <ga...@wso2.com> wrote:
>>>>>>>>>
>>>>>>>>>> Hi Nira,
>>>>>>>>>>
>>>>>>>>>> The reason to do it that way is that normally the client secret is
>>>>>>>>>> not shared with any other party.
>>>>>>>>>>
>>>>>>>>>>
>>>>>>>>>> On Mon, Mar 10, 2014 at 4:24 PM, Niranjan Karunanandham <
>>>>>>>>>> niran...@wso2.com> wrote:
>>>>>>>>>>
>>>>>>>>>>> Hi Gayan,
>>>>>>>>>>>
>>>>>>>>>>> Here the IDP proxy app is only used to get the authorization
>>>>>>>>>>> code from the WSO2 IS and pass it to the SDK, after which the SDK
>>>>>>>>>>> communicates directly with the WSO2 IS to get the access token and
>>>>>>>>>>> manage the access token and refresh token.
>>>>>>>>>>> Just a small clarification: why can't we use the IDP proxy app to
>>>>>>>>>>> do this, i.e., let the IDP proxy app manage the access token and
>>>>>>>>>>> refresh token for each app, therefore cutting off the connection
>>>>>>>>>>> between the SDK and the WSO2 IS? Here if the access token expires
>>>>>>>>>>> then the SDK will call the IDP proxy app to get the token refreshed.
>>>>>>>>>>>
>>>>>>>>>>>
>>>>>>>>>>>
>>>>>>>>>>>
>>>>>>>>>>> On Mon, Mar 10, 2014 at 3:58 PM, Gayan Gunawardana <
>>>>>>>>>>> ga...@wso2.com> wrote:
>>>>>>>>>>>
>>>>>>>>>>>> Image attached
>>>>>>>>>>>>
>>>>>>>>>>>>
>>>>>>>>>>>> On Mon, Mar 10, 2014 at 3:51 PM, Gayan Gunawardana <
>>>>>>>>>>>> ga...@wso2.com> wrote:
>>>>>>>>>>>>
>>>>>>>>>>>>> Hi All,
>>>>>>>>>>>>>
>>>>>>>>>>>>> Problem: Implement SSO for enterprise mobile apps
>>>>>>>>>>>>>
>>>>>>>>>>>>> The idea is to provide an SDK for mobile app developers within
>>>>>>>>>>>>> the organization; then they can integrate the SDK inside the
>>>>>>>>>>>>> application and implement SSO across the required applications.
>>>>>>>>>>>>>
>>>>>>>>>>>>> Provide (SDK + Mobile IDP proxy app)
>>>>>>>>>>>>>
>>>>>>>>>>>>> To achieve the above purpose we plan to utilize OAuth 2.0 with the
>>>>>>>>>>>>> *Authorization code* grant type.
>>>>>>>>>>>>>
>>>>>>>>>>>>> Briefly explaining the message flow:
>>>>>>>>>>>>>
>>>>>>>>>>>>> Initially the new application has to be registered in WSO2 IS
>>>>>>>>>>>>> under OAuth management to obtain client_key, client_secret,
>>>>>>>>>>>>> Access Token URL and Authorize URL.
>>>>>>>>>>>>>
>>>>>>>>>>>>> 1. The SDK initiates the process by sending client_key,
>>>>>>>>>>>>> redirect_url and scope to the mobile IDP proxy app
>>>>>>>>>>>>>
>>>>>>>>>>>>> 2. The IDP proxy app obtains the Authorization code
>>>>>>>>>>>>>
>>>>>>>>>>>>> 3. The SDK (inside the mobile app) receives the Authorization code
>>>>>>>>>>>>>
>>>>>>>>>>>>> 4. The SDK sends a second request directly to WSO2 IS with the
>>>>>>>>>>>>> Authorization code, client secret and redirect_url
>>>>>>>>>>>>>
>>>>>>>>>>>>> 5. The SDK obtains the access token
>>>>>>>>>>>>>
>>>>>>>>>>>>> 6. The mobile app passes the access token to the resource server
>>>>>>>>>>>>>
>>>>>>>>>>>>> 7. The resource server contacts the IDP and validates the access token
>>>>>>>>>>>>>
>>>>>>>>>>>>> This is much similar to the Facebook approach, where the Facebook
>>>>>>>>>>>>> application acts as the mobile IDP proxy app and they provide an
>>>>>>>>>>>>> SDK to develop apps. All your suggestions are welcome.
>>>>>>>>>>>>> --
>>>>>>>>>>>>> Gayan Gunawardana
>>>>>>>>>>>>> Software Engineer; WSO2 Inc.; http://wso2.com/
>>>>>>>>>>>>> Email: ga...@wso2.com
>>>>>>>>>>>>> Mobile: +94 (71) 8020933
>>>>>>>>>>>>> Blog: http://gayanj2ee.blogspot.com/
>>>>>>>>>>>>>
>>>>>>>>>>>>
>>>>>>>>>>>>
>>>>>>>>>>>>
>>>>>>>>>>>>
>>>>>>>>>>>> _______________________________________________
>>>>>>>>>>>> Architecture mailing list
>>>>>>>>>>>> Architecture@wso2.org
>>>>>>>>>>>> https://mail.wso2.org/cgi-bin/mailman/listinfo/architecture
>>>>>>>>>>>>
>>>>>>>>>>>>
>>>>>>>>>>>
>>>>>>>>>>>
>>>>>>>>>>> --
>>>>>>>>>>> Niranjan Karunanandham
>>>>>>>>>>> Senior Software Engineer - WSO2 Inc.
>>>>>>>>>>> WSO2 Inc.: http://www.wso2.com
>>>>>>>>>>> M: +94 777 749 661
>>>>>>>>>>>
>>>>>>>>>>>
>>>>>>>>>>>
>>>>>>>>>>
>>>>>>>>>>
>>>>>>>>>>
>>>>>>>>>>
>>>>>>>>>
>>>>>>>>>
>>>>>>>>> --
>>>>>>>>> Manjula Rathnayaka
>>>>>>>>> Software Engineer
>>>>>>>>> WSO2, Inc.
>>>>>>>>> Mobile:+94 77 743 1987
>>>>>>>>>
>>>>>>>>>
>>>>>>>>>
>>>>>>>>
>>>>>>>>
>>>>>>>> --
>>>>>>>> Suresh Attanayake
>>>>>>>> Senior Software Engineer; WSO2 Inc. http://wso2.com/
>>>>>>>> Blog : http://sureshatt.blogspot.com/
>>>>>>>> Web : http://www.ssoarcade.com/
>>>>>>>> Facebook : https://www.facebook.com/IdentityWorld
>>>>>>>> Twitter : https://twitter.com/sureshatt
>>>>>>>> LinkedIn : http://lk.linkedin.com/in/sureshatt
>>>>>>>> Mobile : +94755012060
>>>>>>>> Mobile : +016166171172
>>>>>>>>
>>>>>>>>
>>>>>>>>
>>>>>>>
>>>>>>>
>>>>>>> --
>>>>>>> Chan (Dulitha Wijewantha)
>>>>>>> Software Engineer - Mobile Development
>>>>>>> WSO2Mobile
>>>>>>> Lean.Enterprise.Mobileware
>>>>>>> ~Email       duli...@wso2.com
>>>>>>> ~Mobile     +94712112165
>>>>>>> ~Website   dulitha.me
>>>>>>> ~Twitter     @dulitharw <https://twitter.com/dulitharw>
>>>>>>> ~SO     @chan <http://stackoverflow.com/users/813471/chan>
>>>>>>>
>>>>>>>
>>>>>>>
>>>>>>
>>>>>>
>>>>>> --
>>>>>> Shanmugarajah (Shan)
>>>>>> Director Architecture, Enterprise Mobility
>>>>>> WSO2, Inc.; http://wso2.com
>>>>>> Email: s...@wso2.com
>>>>>> Mobile : +94777748260
>>>>>> Blog: http://shanfour.blogspot.com
>>>>>>
>>>>>>
>>>>>>
>>>>>
>>>>>
>>>>>
>>>>
>>>>
>>>>
>>>> --
>>>> Thanks & Regards,
>>>> Prabath
>>>>
>>>> Twitter : @prabath
>>>> LinkedIn : http://www.linkedin.com/in/prabathsiriwardena
>>>>
>>>> Mobile : +94 71 809 6732
>>>>
>>>> http://blog.facilelogin.com
>>>> http://blog.api-security.org
>>>>
>>>
>>>
>>>
>>>
>>
>>
>>
>>
>
>
>
>



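The message flow Gayan describes in his first mail (steps 1 to 5, plus the token-expiry handling listed as task 3 in the latest mail), as an added example that is not code from the SDK or IDP proxy repositories linked in the thread: a constructed in-memory stand-in for the WSO2 IS authorize and token endpoints next to an SDK class that hands only client_key, redirect_url and scope to the proxy app, exchanges the code directly with the secret, and refreshes on expiry. The class names, the 3600 s lifetime, the 30 s refresh margin and the refresh-token rotation are assumptions.

```python
import secrets
class FakeIdentityServer:  # constructed stand-in for the WSO2 IS OAuth endpoints, not the real server
    def __init__(self, client_key, client_secret, redirect_url):
        self.creds = (client_key, client_secret, redirect_url)
        self.codes, self.refresh = {}, {}  # single-use auth codes / rotated refresh tokens

    def authorize(self, scope):  # step 2: the code the IDP proxy app obtains after user login
        code = secrets.token_urlsafe(16)
        self.codes[code] = scope
        return code

    def token(self, form):
        # Secret checked on every call; a replayed code or stale refresh token -> KeyError (consumed).
        if (form["client_id"], form["client_secret"]) != self.creds[:2]:
            raise ValueError("bad client credentials")
        if form["grant_type"] == "authorization_code":
            if form["redirect_uri"] != self.creds[2]:
                raise ValueError("redirect_uri mismatch")
            scope = self.codes.pop(form["code"])
        else:
            scope = self.refresh.pop(form["refresh_token"])
        rt = secrets.token_urlsafe(16)
        self.refresh[rt] = scope
        return {"access_token": secrets.token_urlsafe(16), "expires_in": 3600, "refresh_token": rt}

class Sdk:
    def __init__(self, idp, client_key, client_secret, redirect_url):
        self.idp, self.creds = idp, {"client_id": client_key, "client_secret": client_secret}
        self.redirect_url, self.tok = redirect_url, None

    def authorize_params(self, scope):
        # Step 1: only client_key, redirect_url and scope are handed to the proxy app; no secret.
        return {"response_type": "code", "client_id": self.creds["client_id"],
                "redirect_uri": self.redirect_url, "scope": scope}

    def login(self, code, now):
        # Steps 4-5: exchange the code directly with the IS, this time sending the secret.
        self.tok = dict(self.idp.token({"grant_type": "authorization_code", "code": code,
                        "redirect_uri": self.redirect_url, **self.creds}), got=now)

    def access_token(self, now):
        # Task 3 from the top mail: refresh 30 s before expiry; None means re-run step 1.
        if self.tok and now < self.tok["got"] + self.tok["expires_in"] - 30:
            return self.tok["access_token"]
        try:
            self.tok = dict(self.idp.token({"grant_type": "refresh_token", **self.creds,
                            "refresh_token": self.tok["refresh_token"]}), got=now)
        except (KeyError, TypeError):  # refresh token expired/revoked (FAQ item 4) or no login yet
            return None
        return self.tok["access_token"]
```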