Hi All, These are frequently asked questions. I will try to provide answers in consecutive mails. If you have further questions or if you have good answers for existing questions please reply here
1. Reason to use Authorization code grant type 2. Advantages of having webview in IDP proxy application over native application directly calling mobile web browser i. Phishing attack ii. Problem of maintaining same session across multiple browsers iii. If user kills the browser, SSO does not work 3. How to securely store access token and client secret 4. What happen If refresh token is expired 5. Reason to use webview in IDP proxy application, why not native capabilities 6. Does it supports Logout 7. Reason to not to have code signing in IDP Proxy application and SDK 8. What happen if one client secret and client id are used by multiple applications On Sun, Mar 30, 2014 at 9:54 PM, Gayan Gunawardana <[email protected]> wrote: > Seems like it does not work with IS 4.10 properly :(. I will try to figure > out where the things going wrong. > > > On Fri, Mar 28, 2014 at 11:32 AM, Gayan Gunawardana <[email protected]>wrote: > >> Sure I will check with IS 4.1.0 >> >> >> On Fri, Mar 28, 2014 at 10:59 AM, Prabath Siriwardena >> <[email protected]>wrote: >> >>> Great..!!! Can we also start with iOS app...? >>> >>> Also - can you please test this with IS 4.1.0..? >>> >>> Thanks & regards, >>> -Prabath >>> >>> >>> On Thu, Mar 27, 2014 at 4:31 PM, Gayan Gunawardana <[email protected]>wrote: >>> >>>> Hi All, >>>> >>>> Still code with on going development, but any body who interesting can >>>> try it >>>> >>>> Android SDK >>>> [1] https://github.com/GayanM/android-idp-sdk >>>> >>>> IDP Proxy mobile app >>>> [2]https://github.com/GayanM/IDP-Proxy-App >>>> >>>> Sample Client Application >>>> [3] https://github.com/GayanM/IDP-Consumer-Samples >>>> >>>> I will provide a readme once final review is done. >>>> >>>> >>>> >>>> >>>> On Tue, Mar 11, 2014 at 12:16 PM, Shanmugarajah Sinnathamby < >>>> [email protected]> wrote: >>>> >>>>> Hi Prabath, >>>>> >>>>> 1. Can't we use the implicit grant type instead of *Authorization >>>>> code . * >>>>> >>>>> >>>>> - *Authorization Code* for apps running on a web >>>>> server<http://aaronparecki.com/articles/2012/07/29/1/oauth2-simplified#web-server-apps> >>>>> - *Implicit* for >>>>> browser-based<http://aaronparecki.com/articles/2012/07/29/1/oauth2-simplified#browser-based-apps> >>>>> or mobile >>>>> apps<http://aaronparecki.com/articles/2012/07/29/1/oauth2-simplified#mobile-apps> >>>>> >>>>> Any reason why it can't be used. >>>>> Is that because we use a proxy app and client app ? >>>>> >>>>> 2. Also can't we eliminate the use of web view. Rather use direct >>>>> calls ? >>>>> >>>>> 3. Also can we have a custom grant type for mobile application , so >>>>> that same level of security is achieved ? >>>>> >>>>> >>>>> >>>>> >>>>> On Mon, Mar 10, 2014 at 10:39 PM, Chan <[email protected]> wrote: >>>>> >>>>>> IMO we don't revoke mobile app's Consumer key and Consumer secret but >>>>>> revokes the Access token of a user. Next step for this integration is to >>>>>> map access tokens that have been issued for devices. With this >>>>>> integration >>>>>> EMM can revoke access of a mobile device from enterprise resources (APIs) >>>>>> completely by coordinating with IS. >>>>>> >>>>>> Cheers~ >>>>>> >>>>>> >>>>>> On Mon, Mar 10, 2014 at 6:10 PM, Suresh Attanayaka >>>>>> <[email protected]>wrote: >>>>>> >>>>>>> Hi Manjula, >>>>>>> >>>>>>> Let me answer inline, >>>>>>> >>>>>>> >>>>>>> On Mon, Mar 10, 2014 at 4:54 PM, Manjula Rathnayake < >>>>>>> [email protected]> wrote: >>>>>>> >>>>>>>> Hi all, >>>>>>>> >>>>>>>> How do we store client secret and access tokens in mobile >>>>>>>> application? Have we encrypted the client secret? >>>>>>>> >>>>>>> We can let the mobile app developer to implement his own mechanism >>>>>>> for this, or if we are supporting this at the SDK, we can use a >>>>>>> password to >>>>>>> encrypt the client secrete. >>>>>>> >>>>>>> In case of mobile device is lost, how do we remove the mobile >>>>>>>> application subscription from OAuth server without affecting to other >>>>>>>> mobile devices which uses same application? Do we generate the >>>>>>>> applicationId together with a unique mobile Id? >>>>>>>> >>>>>>> >>>>>>> User can always revoke the tokens issued for the application. We can >>>>>>> let each application to have its own client-key, client-secrete as well >>>>>>> using dynamic client registration. >>>>>>> >>>>>>> >>>>>>>> Is the mobile IDP app code signed by a trusted cert? How does the >>>>>>>> trust relationship works with mobile IDP and WSO2IS? >>>>>>>> >>>>>>> >>>>>>> WSO2IS does not have to trust the proxy IDP in the mobile. IS will >>>>>>> always validate client-key, client-secrete and will check user >>>>>>> authentication at logins. >>>>>>> >>>>>>> >>>>>>>> >>>>>>>> thank you. >>>>>>>> >>>>>>>> >>>>>>>> On Mon, Mar 10, 2014 at 4:37 PM, Gayan Gunawardana >>>>>>>> <[email protected]>wrote: >>>>>>>> >>>>>>>>> Hi Nira, >>>>>>>>> >>>>>>>>> Reason to do that way is normally client secret does not share >>>>>>>>> with any other party >>>>>>>>> >>>>>>>>> >>>>>>>>> On Mon, Mar 10, 2014 at 4:24 PM, Niranjan Karunanandham < >>>>>>>>> [email protected]> wrote: >>>>>>>>> >>>>>>>>>> Hi Gayan, >>>>>>>>>> >>>>>>>>>> Here the IDP proxy app is only used to get the authorization code >>>>>>>>>> from the WSO2 IS and pass it to the SDK. After which the SDK is >>>>>>>>>> communicates directly with the WSO2 IS to get the access token and >>>>>>>>>> manage >>>>>>>>>> the access token and refresh token. >>>>>>>>>> Just a small clarification why we can't use the IDP proxy app to >>>>>>>>>> do this, .i.e, let the IDP proxy app manage the access token and >>>>>>>>>> refresh >>>>>>>>>> token for each app. Therefore cutting off the connection between the >>>>>>>>>> SDK >>>>>>>>>> and the WSO2 IS. Here if the access token expires then the SDK will >>>>>>>>>> call >>>>>>>>>> the IDP proxy app to get the token refreshed. >>>>>>>>>> >>>>>>>>>> >>>>>>>>>> >>>>>>>>>> >>>>>>>>>> On Mon, Mar 10, 2014 at 3:58 PM, Gayan Gunawardana < >>>>>>>>>> [email protected]> wrote: >>>>>>>>>> >>>>>>>>>>> Image attached >>>>>>>>>>> >>>>>>>>>>> >>>>>>>>>>> On Mon, Mar 10, 2014 at 3:51 PM, Gayan Gunawardana < >>>>>>>>>>> [email protected]> wrote: >>>>>>>>>>> >>>>>>>>>>>> Hi All, >>>>>>>>>>>> >>>>>>>>>>>> Problem: Implement SSO for enterprise mobile apps >>>>>>>>>>>> >>>>>>>>>>>> The idea is to provide SDK for mobile apps developers within >>>>>>>>>>>> the organization, then they can integrate SDK inside the >>>>>>>>>>>> application and >>>>>>>>>>>> implement SSO across required applications. >>>>>>>>>>>> >>>>>>>>>>>> Provide (SDK + Mobile IDP proxy app) >>>>>>>>>>>> >>>>>>>>>>>> >>>>>>>>>>>> To achieve above purpose we plan to utilize oauth 2.0 with >>>>>>>>>>>> *Authorization >>>>>>>>>>>> code* grant type. >>>>>>>>>>>> >>>>>>>>>>>> >>>>>>>>>>>> >>>>>>>>>>>> Briefly Explaining message flow : >>>>>>>>>>>> >>>>>>>>>>>> Initially new application has to be registered in WSO2 IS under >>>>>>>>>>>> Oauth management and obtain client_key, client_secret, Access >>>>>>>>>>>> Token Url and >>>>>>>>>>>> Authorize Url >>>>>>>>>>>> >>>>>>>>>>>> 1. SDK initiate the process by sending client_key, redirect_url >>>>>>>>>>>> and scope to mobile IDP proxy app >>>>>>>>>>>> >>>>>>>>>>>> 2. IDP proxy app obtain Authorization code >>>>>>>>>>>> >>>>>>>>>>>> 3. SDK (in side mobile app) receive Authorization code >>>>>>>>>>>> >>>>>>>>>>>> 4. SDK send second request directly to WSO2 IS with >>>>>>>>>>>> Authorization code, client secret and redirect_url >>>>>>>>>>>> >>>>>>>>>>>> 5. SDK obtain access token >>>>>>>>>>>> >>>>>>>>>>>> 6. Mobile app pass access token to resource server >>>>>>>>>>>> >>>>>>>>>>>> 7. Resource server contact IPD and validate access token >>>>>>>>>>>> >>>>>>>>>>>> This is much similar to Facebook approach where facebook >>>>>>>>>>>> application act as mobile IDP proxy app and they provide SDK to >>>>>>>>>>>> develop >>>>>>>>>>>> apps. All your suggestions are welcome. >>>>>>>>>>>> -- >>>>>>>>>>>> Gayan Gunawardana >>>>>>>>>>>> Software Engineer; WSO2 Inc.; http://wso2.com/ >>>>>>>>>>>> Email: [email protected] >>>>>>>>>>>> Mobile: +94 (71) 8020933 >>>>>>>>>>>> Blog: http://gayanj2ee.blogspot.com/ >>>>>>>>>>>> >>>>>>>>>>> >>>>>>>>>>> >>>>>>>>>>> >>>>>>>>>>> -- >>>>>>>>>>> Gayan Gunawardana >>>>>>>>>>> Software Engineer; WSO2 Inc.; http://wso2.com/ >>>>>>>>>>> Email: [email protected] >>>>>>>>>>> Mobile: +94 (71) 8020933 >>>>>>>>>>> Blog: http://gayanj2ee.blogspot.com/ >>>>>>>>>>> >>>>>>>>>>> _______________________________________________ >>>>>>>>>>> Architecture mailing list >>>>>>>>>>> [email protected] >>>>>>>>>>> https://mail.wso2.org/cgi-bin/mailman/listinfo/architecture >>>>>>>>>>> >>>>>>>>>>> >>>>>>>>>> >>>>>>>>>> >>>>>>>>>> -- >>>>>>>>>> >>>>>>>>>> *Niranjan Karunanandham* >>>>>>>>>> Senior Software Engineer - WSO2 Inc. >>>>>>>>>> WSO2 Inc.: http://www.wso2.com >>>>>>>>>> M: +94 777 749 661 <http:///> >>>>>>>>>> >>>>>>>>>> _______________________________________________ >>>>>>>>>> Architecture mailing list >>>>>>>>>> [email protected] >>>>>>>>>> https://mail.wso2.org/cgi-bin/mailman/listinfo/architecture >>>>>>>>>> >>>>>>>>>> >>>>>>>>> >>>>>>>>> >>>>>>>>> -- >>>>>>>>> Gayan Gunawardana >>>>>>>>> Software Engineer; WSO2 Inc.; http://wso2.com/ >>>>>>>>> Email: [email protected] >>>>>>>>> Mobile: +94 (71) 8020933 >>>>>>>>> Blog: http://gayanj2ee.blogspot.com/ >>>>>>>>> >>>>>>>>> _______________________________________________ >>>>>>>>> Architecture mailing list >>>>>>>>> [email protected] >>>>>>>>> https://mail.wso2.org/cgi-bin/mailman/listinfo/architecture >>>>>>>>> >>>>>>>>> >>>>>>>> >>>>>>>> >>>>>>>> -- >>>>>>>> Manjula Rathnayaka >>>>>>>> Software Engineer >>>>>>>> WSO2, Inc. >>>>>>>> Mobile:+94 77 743 1987 >>>>>>>> >>>>>>>> _______________________________________________ >>>>>>>> Architecture mailing list >>>>>>>> [email protected] >>>>>>>> https://mail.wso2.org/cgi-bin/mailman/listinfo/architecture >>>>>>>> >>>>>>>> >>>>>>> >>>>>>> >>>>>>> -- >>>>>>> Suresh Attanayake >>>>>>> Senior Software Engineer; WSO2 Inc. http://wso2.com/ >>>>>>> Blog : http://sureshatt.blogspot.com/ >>>>>>> Web : http://www.ssoarcade.com/ >>>>>>> Facebook : https://www.facebook.com/IdentityWorld >>>>>>> Twitter : https://twitter.com/sureshatt >>>>>>> LinkedIn : http://lk.linkedin.com/in/sureshatt >>>>>>> Mobile : +94755012060 >>>>>>> Mobile : +016166171172 >>>>>>> >>>>>>> _______________________________________________ >>>>>>> Architecture mailing list >>>>>>> [email protected] >>>>>>> https://mail.wso2.org/cgi-bin/mailman/listinfo/architecture >>>>>>> >>>>>>> >>>>>> >>>>>> >>>>>> -- >>>>>> Chan (Dulitha Wijewantha) >>>>>> Software Engineer - Mobile Development >>>>>> WSO2Mobile >>>>>> Lean.Enterprise.Mobileware >>>>>> * ~Email [email protected] <[email protected]>* >>>>>> * ~Mobile +94712112165 <%2B94712112165>* >>>>>> * ~Website dulitha.me <http://dulitha.me>* >>>>>> * ~Twitter @dulitharw <https://twitter.com/dulitharw>* >>>>>> *~SO @chan <http://stackoverflow.com/users/813471/chan>* >>>>>> >>>>>> _______________________________________________ >>>>>> Architecture mailing list >>>>>> [email protected] >>>>>> https://mail.wso2.org/cgi-bin/mailman/listinfo/architecture >>>>>> >>>>>> >>>>> >>>>> >>>>> -- >>>>> *Shanmugarajah (Shan)* >>>>> Director Architecture, Enterprise Mobility >>>>> WSO2, Inc.; http://wso2.com >>>>> Email: [email protected] >>>>> Mobile : +94777748260 >>>>> Blog: http://shanfour.blogspot.com >>>>> >>>>> _______________________________________________ >>>>> Architecture mailing list >>>>> [email protected] >>>>> https://mail.wso2.org/cgi-bin/mailman/listinfo/architecture >>>>> >>>>> >>>> >>>> >>>> -- >>>> Gayan Gunawardana >>>> Software Engineer; WSO2 Inc.; http://wso2.com/ >>>> Email: [email protected] >>>> Mobile: +94 (71) 8020933 >>>> Blog: http://gayanj2ee.blogspot.com/ >>>> >>> >>> >>> >>> -- >>> Thanks & Regards, >>> Prabath >>> >>> Twitter : @prabath >>> LinkedIn : http://www.linkedin.com/in/prabathsiriwardena >>> >>> Mobile : +94 71 809 6732 >>> >>> http://blog.facilelogin.com >>> http://blog.api-security.org >>> >> >> >> >> -- >> Gayan Gunawardana >> Software Engineer; WSO2 Inc.; http://wso2.com/ >> Email: [email protected] >> Mobile: +94 (71) 8020933 >> Blog: http://gayanj2ee.blogspot.com/ >> > > > > -- > Gayan Gunawardana > Software Engineer; WSO2 Inc.; http://wso2.com/ > Email: [email protected] > Mobile: +94 (71) 8020933 > Blog: http://gayanj2ee.blogspot.com/ > -- Gayan Gunawardana Software Engineer; WSO2 Inc.; http://wso2.com/ Email: [email protected] Mobile: +94 (71) 8020933 Blog: http://gayanj2ee.blogspot.com/
_______________________________________________ Architecture mailing list [email protected] https://mail.wso2.org/cgi-bin/mailman/listinfo/architecture
