@Gayan: But in this case the IDP Proxy App belongs to WSO2 IS and we will not store the client secret; only the client key, access token and refresh token will be stored. Here the access token will only be sent to the SDK, and if the access token times out, the SDK will communicate with the IDP Proxy App, which in turn will communicate with the WSO2 IS to get the token refreshed. In this case, when the IDP Proxy App is refreshing an app's access token, it can also check if the Refresh Token for other apps is about to time out and get those refresh tokens refreshed.
On Mon, Mar 10, 2014 at 4:54 PM, Manjula Rathnayake <[email protected]> wrote:

> Hi all,
>
> How do we store the client secret and access tokens in the mobile application?
> Have we encrypted the client secret?
> In case the mobile device is lost, how do we remove the mobile application
> subscription from the OAuth server without affecting other mobile devices
> which use the same application? Do we generate the applicationId together with
> a unique mobile Id?
> Is the mobile IDP app code signed by a trusted cert? How does the trust
> relationship work with the mobile IDP and WSO2 IS?
>
> Thank you.
>
>
> On Mon, Mar 10, 2014 at 4:37 PM, Gayan Gunawardana <[email protected]> wrote:
>
>> Hi Nira,
>>
>> The reason to do it that way is that normally the client secret is not shared
>> with any other party.
>>
>>
>> On Mon, Mar 10, 2014 at 4:24 PM, Niranjan Karunanandham <[email protected]> wrote:
>>
>>> Hi Gayan,
>>>
>>> Here the IDP proxy app is only used to get the authorization code from
>>> the WSO2 IS and pass it to the SDK. After which the SDK communicates
>>> directly with the WSO2 IS to get the access token and manage the access
>>> token and refresh token.
>>> Just a small clarification: why can't we use the IDP proxy app to do
>>> this, i.e., let the IDP proxy app manage the access token and refresh token
>>> for each app, thereby cutting off the connection between the SDK and the
>>> WSO2 IS? Here if the access token expires then the SDK will call the IDP
>>> proxy app to get the token refreshed.
>>>
>>>
>>> On Mon, Mar 10, 2014 at 3:58 PM, Gayan Gunawardana <[email protected]> wrote:
>>>
>>>> Image attached
>>>>
>>>>
>>>> On Mon, Mar 10, 2014 at 3:51 PM, Gayan Gunawardana <[email protected]> wrote:
>>>>
>>>>> Hi All,
>>>>>
>>>>> Problem: Implement SSO for enterprise mobile apps
>>>>>
>>>>> The idea is to provide an SDK for mobile app developers within the
>>>>> organization; they can then integrate the SDK inside the application and
>>>>> implement SSO across the required applications.
>>>>>
>>>>> Provide (SDK + Mobile IDP proxy app)
>>>>>
>>>>> To achieve the above purpose we plan to utilize OAuth 2.0 with the
>>>>> *Authorization code* grant type.
>>>>>
>>>>> Briefly explaining the message flow:
>>>>>
>>>>> Initially a new application has to be registered in WSO2 IS under OAuth
>>>>> management to obtain the client_key, client_secret, Access Token Url and
>>>>> Authorize Url.
>>>>>
>>>>> 1. SDK initiates the process by sending client_key, redirect_url and
>>>>> scope to the mobile IDP proxy app
>>>>>
>>>>> 2. IDP proxy app obtains the Authorization code
>>>>>
>>>>> 3. SDK (inside the mobile app) receives the Authorization code
>>>>>
>>>>> 4. SDK sends a second request directly to WSO2 IS with the Authorization
>>>>> code, client secret and redirect_url
>>>>>
>>>>> 5. SDK obtains the access token
>>>>>
>>>>> 6. Mobile app passes the access token to the resource server
>>>>>
>>>>> 7. Resource server contacts the IDP and validates the access token
>>>>>
>>>>> This is much similar to the Facebook approach, where the Facebook
>>>>> application acts as the mobile IDP proxy app and they provide an SDK to
>>>>> develop apps. All your suggestions are welcome.
>>>>>
>>>>> --
>>>>> Gayan Gunawardana
>>>>> Software Engineer; WSO2 Inc.; http://wso2.com/
>>>>> Email: [email protected]
>>>>> Mobile: +94 (71) 8020933
>>>>> Blog: http://gayanj2ee.blogspot.com/
>>>>
>>>
>>
>
> --
> Manjula Rathnayaka
> Software Engineer
> WSO2, Inc.
> Mobile: +94 77 743 1987
>

--
*Niranjan Karunanandham*
Senior Software Engineer - WSO2 Inc.
WSO2 Inc.: http://www.wso2.com
M: +94 777 749 661
_______________________________________________ Architecture mailing list [email protected] https://mail.wso2.org/cgi-bin/mailman/listinfo/architecture
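The seven-step Authorization Code flow from Gayan's original post, as an added in-memory simulation written for this page (not the thread's or WSO2's code; the endpoint methods, the `myapp://callback` redirect_url, and the single-use, 60-second code handling are assumptions): the IDP proxy app obtains the code without ever holding the client_secret, the SDK redeems the code directly with the IS, and the resource server validates the token with the IDP. `run_flow()` also checks that a replayed code and a request for an unregistered redirect_url are both refused.

```python
import secrets
import time

class IdentityServer:  # in-memory stand-in for WSO2 IS (register, authorize, token, validate)
    def __init__(self):
        self.clients = {}  # client_key -> (client_secret, redirect_url)
        self.codes = {}    # authorization code -> (client_key, redirect_url, scope, expiry)
        self.tokens = {}   # access_token -> (client_key, scope)

    def register(self, redirect_url):  # app registered under OAuth management
        key, secret = secrets.token_hex(8), secrets.token_hex(16)
        self.clients[key] = (secret, redirect_url)
        return key, secret

    def authorize(self, client_key, redirect_url, scope):  # step 2 (user already logged in)
        if self.clients.get(client_key, (None, None))[1] != redirect_url:
            return None  # unknown client, or redirect_url not registered for it
        code = secrets.token_urlsafe(16)
        self.codes[code] = (client_key, redirect_url, scope, time.time() + 60)  # short-lived
        return code

    def token(self, code, client_key, client_secret, redirect_url):  # step 4; None = error response
        entry = self.codes.pop(code, None)  # pop: a code can be redeemed only once
        if entry is None or entry[3] < time.time():
            return None  # unknown, replayed or expired code
        registered_secret = self.clients.get(client_key, (None, None))[0]
        if (entry[0], entry[1], client_secret) != (client_key, redirect_url, registered_secret):
            return None  # client_key, redirect_url or client_secret does not match the code
        tok = secrets.token_urlsafe(24)
        self.tokens[tok] = (client_key, entry[2])
        return tok

    def validate(self, access_token):  # step 7: resource server asks the IDP about the token
        return self.tokens.get(access_token)

def proxy_get_code(idp, client_key, redirect_url, scope):  # steps 1-3: mobile IDP proxy app
    return idp.authorize(client_key, redirect_url, scope)  # the proxy never sees client_secret

def sdk_login(idp, client_key, client_secret, redirect_url, scope):  # steps 4-5: SDK in the app
    code = proxy_get_code(idp, client_key, redirect_url, scope)
    return idp.token(code, client_key, client_secret, redirect_url), code

def run_flow():
    idp = IdentityServer()
    key, secret = idp.register("myapp://callback")  # constructed redirect_url
    tok, code = sdk_login(idp, key, secret, "myapp://callback", "profile")
    return {"resource_ok": idp.validate(tok) is not None,  # steps 6-7
            "replay_rejected": idp.token(code, key, secret, "myapp://callback") is None,
            "bad_redirect_rejected": proxy_get_code(idp, key, "other://callback", "profile") is None}
```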
