Hi All,

Still code with ongoing development, but anybody who is interested can try it:

Android SDK [1] https://github.com/GayanM/android-idp-sdk
IDP Proxy mobile app [2] https://github.com/GayanM/IDP-Proxy-App
Sample Client Application [3] https://github.com/GayanM/IDP-Consumer-Samples

I will provide a readme once the final review is done.

On Tue, Mar 11, 2014 at 12:16 PM, Shanmugarajah Sinnathamby <[email protected]> wrote:
> Hi Prabath,
>
> 1. Can't we use the implicit grant type instead of Authorization code?
>
> - Authorization Code for apps running on a web server
>   http://aaronparecki.com/articles/2012/07/29/1/oauth2-simplified#web-server-apps
> - Implicit for browser-based or mobile apps
>   http://aaronparecki.com/articles/2012/07/29/1/oauth2-simplified#browser-based-apps
>   http://aaronparecki.com/articles/2012/07/29/1/oauth2-simplified#mobile-apps
>
> Any reason why it can't be used? Is that because we use a proxy app and a client app?
>
> 2. Also, can't we eliminate the use of the web view, and rather use direct calls?
>
> 3. Also, can we have a custom grant type for mobile applications, so that the same level of security is achieved?
>
> On Mon, Mar 10, 2014 at 10:39 PM, Chan <[email protected]> wrote:
>> IMO we don't revoke the mobile app's Consumer key and Consumer secret but revoke the Access token of a user. The next step for this integration is to map access tokens that have been issued for devices. With this integration, EMM can revoke access of a mobile device from enterprise resources (APIs) completely by coordinating with IS.
>>
>> Cheers~
>>
>> On Mon, Mar 10, 2014 at 6:10 PM, Suresh Attanayaka <[email protected]> wrote:
>>> Hi Manjula,
>>>
>>> Let me answer inline.
>>>
>>> On Mon, Mar 10, 2014 at 4:54 PM, Manjula Rathnayake <[email protected]> wrote:
>>>> Hi all,
>>>>
>>>> How do we store the client secret and access tokens in the mobile application? Have we encrypted the client secret?
>>>
>>> We can let the mobile app developer implement his own mechanism for this, or if we are supporting this at the SDK, we can use a password to encrypt the client secret.
>>>
>>>> In case a mobile device is lost, how do we remove the mobile application subscription from the OAuth server without affecting other mobile devices which use the same application? Do we generate the applicationId together with a unique mobile Id?
>>>
>>> The user can always revoke the tokens issued for the application. We can let each application have its own client-key and client-secret as well, using dynamic client registration.
>>>
>>>> Is the mobile IDP app code signed by a trusted cert? How does the trust relationship work between the mobile IDP and WSO2IS?
>>>
>>> WSO2IS does not have to trust the proxy IDP in the mobile. IS will always validate client-key and client-secret and will check user authentication at logins.
>>>
>>>> Thank you.
>>>>
>>>> On Mon, Mar 10, 2014 at 4:37 PM, Gayan Gunawardana <[email protected]> wrote:
>>>>> Hi Nira,
>>>>>
>>>>> The reason to do it that way is that normally the client secret is not shared with any other party.
>>>>>
>>>>> On Mon, Mar 10, 2014 at 4:24 PM, Niranjan Karunanandham <[email protected]> wrote:
>>>>>> Hi Gayan,
>>>>>>
>>>>>> Here the IDP proxy app is only used to get the authorization code from the WSO2 IS and pass it to the SDK. After which the SDK communicates directly with the WSO2 IS to get the access token and manage the access token and refresh token.
>>>>>> Just a small clarification: why can't we use the IDP proxy app to do this, i.e., let the IDP proxy app manage the access token and refresh token for each app, therefore cutting off the connection between the SDK and the WSO2 IS? Here, if the access token expires, then the SDK will call the IDP proxy app to get the token refreshed.
>>>>>>
>>>>>> On Mon, Mar 10, 2014 at 3:58 PM, Gayan Gunawardana <[email protected]> wrote:
>>>>>>> Image attached
>>>>>>>
>>>>>>> On Mon, Mar 10, 2014 at 3:51 PM, Gayan Gunawardana <[email protected]> wrote:
>>>>>>>> Hi All,
>>>>>>>>
>>>>>>>> Problem: Implement SSO for enterprise mobile apps
>>>>>>>>
>>>>>>>> The idea is to provide an SDK for mobile app developers within the organization; then they can integrate the SDK inside the application and implement SSO across the required applications.
>>>>>>>>
>>>>>>>> Provide (SDK + Mobile IDP proxy app)
>>>>>>>>
>>>>>>>> To achieve the above purpose we plan to utilize OAuth 2.0 with the Authorization code grant type.
>>>>>>>>
>>>>>>>> Briefly explaining the message flow:
>>>>>>>>
>>>>>>>> Initially, a new application has to be registered in WSO2 IS under OAuth management to obtain client_key, client_secret, Access Token Url and Authorize Url.
>>>>>>>>
>>>>>>>> 1. SDK initiates the process by sending client_key, redirect_url and scope to the mobile IDP proxy app
>>>>>>>>
>>>>>>>> 2. IDP proxy app obtains the Authorization code
>>>>>>>>
>>>>>>>> 3. SDK (inside the mobile app) receives the Authorization code
>>>>>>>>
>>>>>>>> 4. SDK sends a second request directly to WSO2 IS with the Authorization code, client secret and redirect_url
>>>>>>>>
>>>>>>>> 5. SDK obtains the access token
>>>>>>>>
>>>>>>>> 6. Mobile app passes the access token to the resource server
>>>>>>>>
>>>>>>>> 7. Resource server contacts the IDP and validates the access token
>>>>>>>>
>>>>>>>> This is very similar to the Facebook approach, where the Facebook application acts as the mobile IDP proxy app and they provide an SDK to develop apps. All your suggestions are welcome.
>>>>>>>>
>>>>>>>> --
>>>>>>>> Gayan Gunawardana
>>>>>>>> Software Engineer; WSO2 Inc.; http://wso2.com/
>>>>>>>> Email: [email protected]
>>>>>>>> Mobile: +94 (71) 8020933
>>>>>>>> Blog: http://gayanj2ee.blogspot.com/
>>>>>>>
>>>>>>> _______________________________________________
>>>>>>> Architecture mailing list
>>>>>>> [email protected]
>>>>>>> https://mail.wso2.org/cgi-bin/mailman/listinfo/architecture
>>>>>>
>>>>>> --
>>>>>> Niranjan Karunanandham
>>>>>> Senior Software Engineer - WSO2 Inc.
>>>>>> WSO2 Inc.: http://www.wso2.com
>>>>>> M: +94 777 749 661
>>>>
>>>> --
>>>> Manjula Rathnayaka
>>>> Software Engineer
>>>> WSO2, Inc.
>>>> Mobile: +94 77 743 1987
>>>
>>> --
>>> Suresh Attanayake
>>> Senior Software Engineer; WSO2 Inc.
>>> http://wso2.com/
>>> Blog : http://sureshatt.blogspot.com/
>>> Web : http://www.ssoarcade.com/
>>> Facebook : https://www.facebook.com/IdentityWorld
>>> Twitter : https://twitter.com/sureshatt
>>> LinkedIn : http://lk.linkedin.com/in/sureshatt
>>> Mobile : +94755012060
>>> Mobile : +016166171172
>>
>> --
>> Chan (Dulitha Wijewantha)
>> Software Engineer - Mobile Development
>> WSO2Mobile
>> Lean.Enterprise.Mobileware
>> ~Email [email protected]
>> ~Mobile +94712112165
>> ~Website dulitha.me
>> ~Twitter @dulitharw https://twitter.com/dulitharw
>> ~SO @chan http://stackoverflow.com/users/813471/chan
>
> --
> Shanmugarajah (Shan)
> Director Architecture, Enterprise Mobility
> WSO2, Inc.; http://wso2.com
> Email: [email protected]
> Mobile : +94777748260
> Blog: http://shanfour.blogspot.com
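As an added example (not code from this thread or from the WSO2 projects), here is a small Python model of the seven-step flow proposed in Gayan's first message, including the token revocation that Chan and Suresh describe. `AuthServer`, its methods and the checks it performs (code bound to the client_key and redirect_url it was issued for, single use, short expiry, constant-time secret comparison) are assumptions for illustration; WSO2 IS's real endpoints and wire format are not modelled.

```python
import secrets
import time

class AuthServer:
    CODE_TTL = 60  # seconds an authorization code stays valid (assumed value)

    def __init__(self):
        self.clients = {}  # client_key -> (client_secret, redirect_url)
        self.codes = {}    # code -> (client_key, redirect_url, scope, issued_at)
        self.tokens = {}   # access_token -> (client_key, scope)

    def register(self, client_key, client_secret, redirect_url):
        self.clients[client_key] = (client_secret, redirect_url)

    def authorize(self, client_key, redirect_url, scope):
        """Steps 1-3: the IDP proxy app obtains a code bound to client_key and redirect_url."""
        if self.clients.get(client_key, (None, None))[1] != redirect_url:
            raise ValueError("unknown client or redirect_url mismatch")
        code = secrets.token_urlsafe(24)
        self.codes[code] = (client_key, redirect_url, scope, time.time())
        return code

    def token(self, code, client_key, client_secret, redirect_url):
        """Step 4: the SDK exchanges the code together with the client secret."""
        entry = self.codes.pop(code, None)  # single use: gone after the first attempt
        if entry is None:
            raise ValueError("invalid or already used code")
        bound_key, bound_redirect, scope, issued = entry
        if time.time() - issued > self.CODE_TTL:
            raise ValueError("code expired")
        if bound_key != client_key or bound_redirect != redirect_url:
            raise ValueError("code was issued to a different client or redirect_url")
        if not secrets.compare_digest(self.clients[client_key][0], client_secret):
            raise ValueError("bad client secret")
        token = secrets.token_urlsafe(32)
        self.tokens[token] = (client_key, scope)
        return token

    def validate(self, token):
        """Step 7: the resource server asks IS whether the token is live."""
        return self.tokens.get(token)

    def revoke(self, token):
        """Revoke one device's token; the app's client_key/secret stay valid."""
        self.tokens.pop(token, None)

def run_flow(ids, client_key, client_secret, redirect_url, scope):
    """Proxy app obtains the code (steps 1-3), then the SDK exchanges it (steps 4-5)."""
    code = ids.authorize(client_key, redirect_url, scope)
    return ids.token(code, client_key, client_secret, redirect_url)
```

Because the code is useless without the client secret and is bound to the redirect_url, a code that leaks from the proxy-app hand-off cannot be exchanged by another client, which is the property the thread's "client secret is not shared with any other party" remark relies on.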
