IMO we don't revoke the mobile app's Consumer key and Consumer secret but revoke the Access token of a user. The next step for this integration is to map access tokens that have been issued for devices. With this integration EMM can revoke access of a mobile device from enterprise resources (APIs) completely by coordinating with IS.

Cheers~

On Mon, Mar 10, 2014 at 6:10 PM, Suresh Attanayaka <[email protected]> wrote:

> Hi Manjula,
>
> Let me answer inline,
>
> On Mon, Mar 10, 2014 at 4:54 PM, Manjula Rathnayake <[email protected]> wrote:
>
>> Hi all,
>>
>> How do we store the client secret and access tokens in the mobile application? Have we encrypted the client secret?
>>
> We can let the mobile app developer implement his own mechanism for this, or if we are supporting this at the SDK, we can use a password to encrypt the client secret.
>
>> In case a mobile device is lost, how do we remove the mobile application subscription from the OAuth server without affecting other mobile devices which use the same application? Do we generate the applicationId together with a unique mobile Id?
>>
> The user can always revoke the tokens issued for the application. We can let each application have its own client-key and client-secret as well, using dynamic client registration.
>
>> Is the mobile IDP app code signed by a trusted cert? How does the trust relationship work between the mobile IDP and WSO2IS?
>>
> WSO2IS does not have to trust the proxy IDP in the mobile. IS will always validate client-key and client-secret and will check user authentication at logins.
>
>> thank you.
>>
>> On Mon, Mar 10, 2014 at 4:37 PM, Gayan Gunawardana <[email protected]> wrote:
>>
>>> Hi Nira,
>>>
>>> The reason to do it that way is that normally the client secret is not shared with any other party.
>>>
>>> On Mon, Mar 10, 2014 at 4:24 PM, Niranjan Karunanandham <[email protected]> wrote:
>>>
>>>> Hi Gayan,
>>>>
>>>> Here the IDP proxy app is only used to get the authorization code from the WSO2 IS and pass it to the SDK, after which the SDK communicates directly with the WSO2 IS to get the access token and manage the access token and refresh token.
>>>>
>>>> Just a small clarification: why can't we use the IDP proxy app to do this, i.e., let the IDP proxy app manage the access token and refresh token for each app, therefore cutting off the connection between the SDK and the WSO2 IS? Here, if the access token expires, the SDK will call the IDP proxy app to get the token refreshed.
>>>>
>>>> On Mon, Mar 10, 2014 at 3:58 PM, Gayan Gunawardana <[email protected]> wrote:
>>>>
>>>>> Image attached
>>>>>
>>>>> On Mon, Mar 10, 2014 at 3:51 PM, Gayan Gunawardana <[email protected]> wrote:
>>>>>
>>>>>> Hi All,
>>>>>>
>>>>>> Problem: Implement SSO for enterprise mobile apps
>>>>>>
>>>>>> The idea is to provide an SDK for mobile app developers within the organization; they can then integrate the SDK inside the application and implement SSO across the required applications.
>>>>>>
>>>>>> Provide (SDK + Mobile IDP proxy app)
>>>>>>
>>>>>> To achieve the above purpose we plan to utilize OAuth 2.0 with the *Authorization code* grant type.
>>>>>>
>>>>>> Briefly explaining the message flow:
>>>>>>
>>>>>> Initially a new application has to be registered in WSO2 IS under OAuth management, obtaining client_key, client_secret, Access Token Url and Authorize Url.
>>>>>>
>>>>>> 1. SDK initiates the process by sending client_key, redirect_url and scope to the mobile IDP proxy app
>>>>>>
>>>>>> 2. IDP proxy app obtains the Authorization code
>>>>>>
>>>>>> 3. SDK (inside the mobile app) receives the Authorization code
>>>>>>
>>>>>> 4. SDK sends a second request directly to WSO2 IS with the Authorization code, client secret and redirect_url
>>>>>>
>>>>>> 5. SDK obtains the access token
>>>>>>
>>>>>> 6. Mobile app passes the access token to the resource server
>>>>>>
>>>>>> 7. Resource server contacts the IDP and validates the access token
>>>>>>
>>>>>> This is much similar to the Facebook approach, where the Facebook application acts as the mobile IDP proxy app and they provide an SDK to develop apps.
>>>>>>
>>>>>> All your suggestions are welcome.
>>>>>>
>>>>>> --
>>>>>> Gayan Gunawardana
>>>>>> Software Engineer; WSO2 Inc.; http://wso2.com/
>>>>>> Email: [email protected]
>>>>>> Mobile: +94 (71) 8020933
>>>>>> Blog: http://gayanj2ee.blogspot.com/
>>>>>
>>>>> _______________________________________________
>>>>> Architecture mailing list
>>>>> [email protected]
>>>>> https://mail.wso2.org/cgi-bin/mailman/listinfo/architecture
>>>>
>>>> --
>>>> Niranjan Karunanandham
>>>> Senior Software Engineer - WSO2 Inc.
>>>> WSO2 Inc.: http://www.wso2.com
>>>> M: +94 777 749 661
>>
>> --
>> Manjula Rathnayaka
>> Software Engineer
>> WSO2, Inc.
>> Mobile: +94 77 743 1987
>
> --
> Suresh Attanayake
> Senior Software Engineer; WSO2 Inc.
> http://wso2.com/
> Blog : http://sureshatt.blogspot.com/
> Web : http://www.ssoarcade.com/
> Facebook : https://www.facebook.com/IdentityWorld
> Twitter : https://twitter.com/sureshatt
> LinkedIn : http://lk.linkedin.com/in/sureshatt
> Mobile : +94755012060
> Mobile : +016166171172

--
Chan (Dulitha Wijewantha)
Software Engineer - Mobile Development
WSO2Mobile
Lean.Enterprise.Mobileware
~Email [email protected]
~Mobile +94712112165
~Website dulitha.me <http://dulitha.me>
~Twitter @dulitharw <https://twitter.com/dulitharw>
~SO @chan <http://stackoverflow.com/users/813471/chan>
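The authorization-code flow Gayan lays out (register app, proxy app obtains code, SDK exchanges code plus client secret directly with IS, resource server validates with IS) together with the per-device token mapping Dulitha proposes for lost-device revocation, as an added example that is not code from this thread or from WSO2 IS: a toy in-memory stand-in for the IS side. All names, identifiers and error strings are constructed.

```python
import secrets
from dataclasses import dataclass, field

@dataclass
class IdentityServer:
    """Stand-in for WSO2 IS in the thread's flow (constructed toy, not IS code)."""
    clients: dict = field(default_factory=dict)    # client_key -> (client_secret, redirect_url)
    codes: dict = field(default_factory=dict)      # auth code -> (client_key, user, device_id, redirect_url)
    tokens: dict = field(default_factory=dict)     # access token -> (client_key, user, device_id)
    by_device: dict = field(default_factory=dict)  # device_id -> set of access tokens

    def register_client(self, redirect_url):
        # One-time OAuth app registration: yields client_key and client_secret.
        key, secret = secrets.token_urlsafe(12), secrets.token_urlsafe(24)
        self.clients[key] = (secret, redirect_url)
        return key, secret

    def authorize(self, client_key, redirect_url, user, device_id):
        # Steps 1-2: the IDP proxy app obtains a code for the logged-in user;
        # device_id is recorded so an EMM can later revoke per device.
        if client_key not in self.clients or self.clients[client_key][1] != redirect_url:
            raise ValueError("unknown client or redirect_url mismatch")
        code = secrets.token_urlsafe(16)
        self.codes[code] = (client_key, user, device_id, redirect_url)
        return code

    def exchange(self, code, client_key, client_secret, redirect_url):
        # Step 4: the SDK calls IS directly. The code is single use, bound to the
        # client and redirect_url it was issued for; the secret is compared in constant time.
        entry = self.codes.pop(code, None)
        if entry is None or entry[0] != client_key or entry[3] != redirect_url:
            raise ValueError("invalid or reused authorization code")
        if not secrets.compare_digest(self.clients[client_key][0], client_secret):
            raise ValueError("client secret mismatch")
        token = secrets.token_urlsafe(24)
        self.tokens[token] = (client_key, entry[1], entry[2])
        self.by_device.setdefault(entry[2], set()).add(token)
        return token

    def validate(self, token):
        # Step 7: the resource server asks IS; None means unknown or revoked.
        return self.tokens.get(token)

    def revoke_device(self, device_id):
        # Lost device: drop every token it holds; other devices and the app's client key/secret stay valid.
        revoked = self.by_device.pop(device_id, set())
        for token in revoked:
            self.tokens.pop(token, None)
        return len(revoked)
```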
