Hi Manjula,

Let me answer inline.

On Mon, Mar 10, 2014 at 4:54 PM, Manjula Rathnayake <[email protected]> wrote:
> Hi all,
>
> How do we store the client secret and access tokens in the mobile application?
> Have we encrypted the client secret?

We can let the mobile app developer implement his own mechanism for this, or, if we are supporting this at the SDK, we can use a password to encrypt the client secret.

> In case the mobile device is lost, how do we remove the mobile application
> subscription from the OAuth server without affecting other mobile devices
> which use the same application? Do we generate the applicationId together with
> a unique mobile Id?

The user can always revoke the tokens issued for the application. We can let each application have its own client-key and client-secret as well, using dynamic client registration.

> Is the mobile IDP app code signed by a trusted cert? How does the trust
> relationship work with the mobile IDP and WSO2 IS?

WSO2 IS does not have to trust the proxy IDP in the mobile. IS will always validate the client-key and client-secret and will check user authentication at login.

> Thank you.
>
> On Mon, Mar 10, 2014 at 4:37 PM, Gayan Gunawardana <[email protected]> wrote:
>
>> Hi Nira,
>>
>> The reason to do it that way is that normally the client secret is not shared with any
>> other party.
>>
>> On Mon, Mar 10, 2014 at 4:24 PM, Niranjan Karunanandham <[email protected]> wrote:
>>
>>> Hi Gayan,
>>>
>>> Here the IDP proxy app is only used to get the authorization code from
>>> the WSO2 IS and pass it to the SDK. After which the SDK communicates
>>> directly with the WSO2 IS to get the access token and manage the access
>>> token and refresh token.
>>> Just a small clarification: why can't we use the IDP proxy app to do
>>> this, i.e., let the IDP proxy app manage the access token and refresh token
>>> for each app, therefore cutting off the connection between the SDK and the
>>> WSO2 IS. Here if the access token expires then the SDK will call the IDP
>>> proxy app to get the token refreshed.
>>>
>>> On Mon, Mar 10, 2014 at 3:58 PM, Gayan Gunawardana <[email protected]> wrote:
>>>
>>>> Image attached
>>>>
>>>> On Mon, Mar 10, 2014 at 3:51 PM, Gayan Gunawardana <[email protected]> wrote:
>>>>
>>>>> Hi All,
>>>>>
>>>>> Problem: Implement SSO for enterprise mobile apps
>>>>>
>>>>> The idea is to provide an SDK for mobile app developers within the
>>>>> organization; they can then integrate the SDK inside the application and
>>>>> implement SSO across the required applications.
>>>>>
>>>>> Provide (SDK + Mobile IDP proxy app)
>>>>>
>>>>> To achieve the above purpose we plan to utilize OAuth 2.0 with the *Authorization
>>>>> code* grant type.
>>>>>
>>>>> Briefly explaining the message flow:
>>>>>
>>>>> Initially the new application has to be registered in WSO2 IS under OAuth
>>>>> management to obtain client_key, client_secret, Access Token URL and
>>>>> Authorize URL.
>>>>>
>>>>> 1. SDK initiates the process by sending client_key, redirect_url and
>>>>> scope to the mobile IDP proxy app
>>>>>
>>>>> 2. IDP proxy app obtains the Authorization code
>>>>>
>>>>> 3. SDK (inside the mobile app) receives the Authorization code
>>>>>
>>>>> 4. SDK sends a second request directly to WSO2 IS with the Authorization
>>>>> code, client secret and redirect_url
>>>>>
>>>>> 5. SDK obtains the access token
>>>>>
>>>>> 6. Mobile app passes the access token to the resource server
>>>>>
>>>>> 7. Resource server contacts the IDP and validates the access token
>>>>>
>>>>> This is very similar to the Facebook approach, where the Facebook
>>>>> application acts as the mobile IDP proxy app and they provide an SDK to develop
>>>>> apps. All your suggestions are welcome.
>>>>>
>>>>> --
>>>>> Gayan Gunawardana
>>>>> Software Engineer; WSO2 Inc.; http://wso2.com/
>>>>> Email: [email protected]
>>>>> Mobile: +94 (71) 8020933
>>>>> Blog: http://gayanj2ee.blogspot.com/
>>>
>>> --
>>> *Niranjan Karunanandham*
>>> Senior Software Engineer - WSO2 Inc.
>>> WSO2 Inc.: http://www.wso2.com
>>> M: +94 777 749 661
>
> --
> Manjula Rathnayaka
> Software Engineer
> WSO2, Inc.
> Mobile: +94 77 743 1987

--
Suresh Attanayake
Senior Software Engineer; WSO2 Inc.
http://wso2.com/
Blog : http://sureshatt.blogspot.com/
Web : http://www.ssoarcade.com/
Facebook : https://www.facebook.com/IdentityWorld
Twitter : https://twitter.com/sureshatt
LinkedIn : http://lk.linkedin.com/in/sureshatt
Mobile : +94755012060
Mobile : +016166171172
_______________________________________________
Architecture mailing list
[email protected]
https://mail.wso2.org/cgi-bin/mailman/listinfo/architecture
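The authorization-code flow laid out in steps 1-7 above, together with the two points raised in the replies (the proxy app never holds the client secret, and a per-device client obtained through dynamic client registration can be revoked on a lost device without touching other devices), as an added in-memory model. This is example code written for this thread, not code from WSO2 IS or from the proposed SDK; the `AuthServer` and `run_flow` names, the binding of a code to its `client_key`/`redirect_url`, and the single-use code are assumptions of the example, and the proxy app step is modelled as a direct call.

```python
import secrets

class AuthServer:
    """Stand-in for WSO2 IS (constructed model): registers clients, issues
    codes and tokens, validates tokens for the resource server, revokes."""
    def __init__(self):
        self.clients = {}   # client_key -> (client_secret, redirect_url)
        self.codes = {}     # code -> (client_key, redirect_url, user)
        self.tokens = {}    # access_token -> (client_key, user)

    def register_client(self, redirect_url):
        """Dynamic client registration: one key/secret pair per installed app (per device)."""
        key, secret = secrets.token_hex(8), secrets.token_hex(16)
        self.clients[key] = (secret, redirect_url)
        return key, secret

    def authorize(self, client_key, redirect_url, scope, user):
        """Step 2: called by the IDP proxy app after it has authenticated the user.
        The code is bound to the client_key and redirect_url it was issued for."""
        if self.clients.get(client_key, (None, None))[1] != redirect_url:
            raise PermissionError("unknown client or redirect_url mismatch")
        code = secrets.token_urlsafe(16)
        self.codes[code] = (client_key, redirect_url, user)
        return code

    def token(self, code, client_key, client_secret, redirect_url):
        """Steps 4-5: only the SDK, which holds client_secret, can redeem the code."""
        entry = self.codes.pop(code, None)            # single use: a replayed code fails
        if entry is None or entry[:2] != (client_key, redirect_url):
            raise PermissionError("invalid, mismatched or already used code")
        expected = self.clients.get(client_key, ("", ""))[0]
        if not secrets.compare_digest(client_secret, expected):
            raise PermissionError("client authentication failed")
        tok = secrets.token_urlsafe(24)
        self.tokens[tok] = (client_key, entry[2])
        return tok

    def validate(self, token):
        """Step 7: the resource server asks IS whether the token is live; None if not."""
        return self.tokens.get(token)

    def revoke_client(self, client_key):
        """Lost device: drop that device's client and its tokens; other devices are untouched."""
        self.tokens = {t: v for t, v in self.tokens.items() if v[0] != client_key}
        self.clients.pop(client_key, None)

def run_flow(idp, client_key, client_secret, redirect_url, user):
    """Steps 1-6 for one device: the proxy app sees only client_key, redirect_url and
    scope, never client_secret; it hands the code to the SDK, which exchanges it directly."""
    code = idp.authorize(client_key, redirect_url, scope="openid", user=user)  # proxy app
    return idp.token(code, client_key, client_secret, redirect_url)            # SDK
```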
