Hi Gayan,

+1 for option 3. Securing data on the mobile device is a vendor-specific thing. You can find some information in [1] about Android data security.

[1] https://developer.android.com/training/articles/security-tips.html

Thanks
Godwin

On Mon, Dec 18, 2017 at 2:50 PM, Gayan Gunawardana <[email protected]> wrote:
> Hi All,
>
> In Identity Server, DCR endpoints are secured with a pluggable security layer
> where we can use Basic Authentication, OAuth, certificate-based
> authentication and any custom authentication. We have the below evaluation of
> each method:
>
> 1. Basic Authentication: From a security perspective it is clearly not
> applicable to embed super-tenant or tenant credentials into a native
> application. What is feasible here is to take end-user credentials at run
> time and invoke the DCR endpoint with the end-user credentials (need to set
> the correct user permission to invoke the DCR endpoint).
>
> 2. Certificate-based Authentication: This is a good option but has a few
> problems: how to distribute the certificate, and also other applications can
> access the keychain, which would be a security vulnerability (need to check with
> a mobile expert).
>
> 3. OAuth-based Authentication: Securing the DCR endpoint with an initial access
> token is a practice coming from the DCR specification, but the problem is how to
> store this initial access token securely in the mobile application.
>
> WDYT?
>
> Thanks,
> Gayan
>
> --
> Gayan Gunawardana
> Senior Software Engineer; WSO2 Inc.; http://wso2.com/
> Email: [email protected]
> Mobile: +94 (71) 8020933
>
> _______________________________________________
> Architecture mailing list
> [email protected]
> https://mail.wso2.org/cgi-bin/mailman/listinfo/architecture
>

--
Godwin Amila Shrimal
Associate Technical Lead
WSO2 Inc.; http://wso2.com
lean.enterprise.middleware
mobile: +94772264165
linkedin: https://www.linkedin.com/in/godwin-amila-2ba26844/
twitter: https://twitter.com/godwinamila
_______________________________________________ Architecture mailing list [email protected] https://mail.wso2.org/cgi-bin/mailman/listinfo/architecture
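Added example, not part of the thread and not WSO2 Identity Server code: a Python sketch of an RFC 7591-style DCR endpoint with a pluggable authenticator, putting option 1 (end-user Basic credentials gated by a DCR permission) next to option 3 (an initial access token sent as a bearer token). The sample users, the permission name `dcr:register`, the token format, the binding of a token to a redirect-URI prefix and the single-use/expiry policy are all assumptions made for the example; they are one way to bound the damage when a token stored in a mobile app leaks, which is the concern raised against option 3. The sketch also shows that a native app registering with `token_endpoint_auth_method` set to `none` gets no client secret back, so there is no registration secret to protect on the device.

```python
# Illustrative RFC 7591-style DCR endpoint with a pluggable authenticator.
# Users, permission names and tokens below are constructed assumptions, not
# WSO2 Identity Server internals.
import base64, hashlib, hmac, json, secrets, time
from dataclasses import dataclass


class DcrError(Exception):
    """Maps onto an RFC 7591 error response (HTTP status, error code)."""
    def __init__(self, status, error):
        super().__init__(f"{status} {error}")
        self.status, self.error = status, error


USERS = {"alice": "alice-pw", "bob": "bob-pw"}               # constructed sample users
USER_PERMISSIONS = {"alice": {"dcr:register"}, "bob": set()}  # assumed permission name


class BasicUserAuthenticator:
    """Option 1: end-user credentials collected at run time, never a tenant
    credential baked into the app. Returns the allowed redirect-URI prefix."""
    def authenticate(self, headers, now=None):
        auth = headers.get("Authorization", "")
        if not auth.startswith("Basic "):
            raise DcrError(401, "invalid_client")
        try:
            user, pw = base64.b64decode(auth[6:]).decode().split(":", 1)
        except (ValueError, UnicodeDecodeError):
            raise DcrError(401, "invalid_client")
        stored = USERS.get(user)
        if stored is None or not hmac.compare_digest(stored.encode(), pw.encode()):
            raise DcrError(401, "invalid_client")
        if "dcr:register" not in USER_PERMISSIONS[user]:
            raise DcrError(403, "insufficient_scope")  # authenticated but not permitted
        return None                                     # no redirect restriction


@dataclass
class InitialAccessToken:
    """Pre-provisioned token (RFC 7591 section 1.2): expiring, single-use and
    bound to a redirect-URI prefix, so a copy lifted from a device is worth little."""
    value: str
    expires_at: float
    redirect_prefix: str
    uses_left: int = 1


class InitialAccessTokenAuthenticator:
    """Option 3: bearer initial access token on the registration request."""
    def __init__(self, tokens):
        # Keep only hashes server-side so a leaked table cannot be replayed.
        self.tokens = {hashlib.sha256(t.value.encode()).hexdigest(): t for t in tokens}

    def authenticate(self, headers, now=None):
        now = time.time() if now is None else now
        auth = headers.get("Authorization", "")
        if not auth.startswith("Bearer "):
            raise DcrError(401, "invalid_token")
        tok = self.tokens.get(hashlib.sha256(auth[7:].encode()).hexdigest())
        if tok is None or tok.expires_at <= now or tok.uses_left <= 0:
            raise DcrError(401, "invalid_token")
        tok.uses_left -= 1          # consumed even if the request is then rejected
        return tok.redirect_prefix


class DcrEndpoint:
    def __init__(self, authenticator):
        self.auth, self.clients = authenticator, {}

    def register(self, headers, body, now=None):
        """POST /register -> (http_status, response_json)."""
        now = time.time() if now is None else now
        try:
            prefix = self.auth.authenticate(headers, now)
            meta = json.loads(body)
            if not isinstance(meta, dict):
                raise DcrError(400, "invalid_client_metadata")
            uris = meta.get("redirect_uris")
            if not isinstance(uris, list) or not uris:
                raise DcrError(400, "invalid_redirect_uri")
            if prefix is not None and not all(u.startswith(prefix) for u in uris):
                raise DcrError(400, "invalid_redirect_uri")
        except json.JSONDecodeError:
            return 400, {"error": "invalid_client_metadata"}
        except DcrError as e:
            return e.status, {"error": e.error}
        # Server-issued fields come last so the client cannot choose its own client_id.
        resp = {**meta, "client_id": secrets.token_urlsafe(16), "client_id_issued_at": int(now)}
        # A native app is a public client: with token_endpoint_auth_method "none"
        # no secret is issued, so there is none to protect on the device (use PKCE).
        if meta.get("token_endpoint_auth_method", "client_secret_basic") != "none":
            resp["client_secret"], resp["client_secret_expires_at"] = secrets.token_urlsafe(32), 0
        self.clients[resp["client_id"]] = resp
        return 201, resp


def demo(now=1_700_000_000.0):
    """Drive both authenticators with constructed requests; returns observed statuses."""
    def basic(creds):
        return {"Authorization": "Basic " + base64.b64encode(creds.encode()).decode()}
    native = json.dumps({"client_name": "Field App", "token_endpoint_auth_method": "none",
                         "grant_types": ["authorization_code"],
                         "redirect_uris": ["com.example.fieldapp:/oauth2"]})
    ep1 = DcrEndpoint(BasicUserAuthenticator())
    s_ok, c_ok = ep1.register(basic("alice:alice-pw"), native, now)
    s_noperm, _ = ep1.register(basic("bob:bob-pw"), native, now)

    def ep3(token):  # fresh endpoint holding one pre-provisioned initial access token
        return DcrEndpoint(InitialAccessTokenAuthenticator([token]))
    iat = InitialAccessToken(secrets.token_urlsafe(24), now + 300, "com.example.fieldapp:/")
    ep, hdr = ep3(iat), {"Authorization": "Bearer " + iat.value}
    s_first, _ = ep.register(hdr, native, now)
    s_replay, _ = ep.register(hdr, native, now)                        # single-use token
    foreign = json.dumps({"redirect_uris": ["https://attacker.example/cb"]})
    s_uri, _ = ep3(InitialAccessToken("t2", now + 300, "com.example.fieldapp:/")).register(
        {"Authorization": "Bearer t2"}, foreign, now)
    s_exp, _ = ep3(InitialAccessToken("t3", now - 1, "")).register(
        {"Authorization": "Bearer t3"}, native, now)
    return {"basic_ok": s_ok, "basic_no_permission": s_noperm, "secret_issued": "client_secret" in c_ok,
            "iat_first": s_first, "iat_replay": s_replay, "iat_wrong_uri": s_uri, "iat_expired": s_exp}


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

The caveat the sketch makes concrete: whoever extracts the initial access token from the app can still register one client before the token expires, and the prefix binding only stops them from pointing that client at a redirect URI outside the app's own scheme. How the token reaches the device in the first place (per-install provisioning after a user login, an MDM channel, or similar) is the part the thread leaves open, and the example does not attempt it.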
