What is the most suitable way to invoke DCR endpoints from native mobile application


What is the most suitable way to invoke DCR endpoints from native mobile application

Gayan Gunawardana
Hi All,

In Identity Server, DCR endpoints are secured with a pluggable security layer where we can use Basic Authentication, OAuth, certificate-based authentication, or any custom authentication. We have the below evaluation of each method:

1. Basic Authentication: From a security perspective it is clearly not applicable to embed super tenant or tenant credentials in a native application. What is feasible here is to take end-user credentials at run time and invoke the DCR endpoint with the end-user credentials (the correct user permission to invoke the DCR endpoint needs to be set).

2. Certificate-based Authentication: This is a good option but has a few problems: how to distribute the certificate, and also other applications can access the key chain, which would be a security vulnerability (need to check with a mobile expert).

3. OAuth-based Authentication: Securing the DCR endpoint with an initial access token is a practice coming from the DCR specification, but the problem is how to store this initial access token securely in the mobile application.

WDYT?

Thanks,
Gayan  

--
Gayan Gunawardana
Senior Software Engineer; WSO2 Inc.; http://wso2.com/

_______________________________________________
Architecture mailing list
[hidden email]
https://mail.wso2.org/cgi-bin/mailman/listinfo/architecture
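As an added illustration, not WSO2's own code, of how a pluggable layer like the one described above can authenticate a DCR request for options 1 and 3: Basic credentials are checked together with the DCR permission the first option calls for, and a Bearer value is treated as a scoped, single-use initial access token so that a copy leaking from the app is worth little. The user store, token registry and token values are constructed for the example.

```python
import base64
import hmac
import json
import secrets
# Constructed sample stores (not WSO2's): a user holding the permission needed to
# call the DCR endpoint, one who does not, and initial access tokens (RFC 7591 s.3).
USERS = {"alice": {"password": "s3cret", "permissions": {"dcr:register"}},
         "bob": {"password": "hunter2", "permissions": set()}}
INITIAL_ACCESS_TOKENS = {"iat-9f1c": {"scope": "dcr:register", "uses_left": 1}}

def _check_basic(credentials):
    """Option 1: end-user credentials; the user must also hold the DCR permission."""
    try:
        user, password = base64.b64decode(credentials).decode().split(":", 1)
    except ValueError:  # bad base64, bad UTF-8, or no ':' separator
        return None
    record = USERS.get(user)
    if record is None or not hmac.compare_digest(record["password"].encode(), password.encode()):
        return None
    if "dcr:register" not in record["permissions"]:
        return None  # authenticated, but not authorised to register clients
    return {"method": "basic", "principal": user}

def _check_bearer(token):
    """Option 3: initial access token, scoped to registration and consumed on use."""
    record = INITIAL_ACCESS_TOKENS.get(token)
    if record is None or record["scope"] != "dcr:register" or record["uses_left"] < 1:
        return None
    record["uses_left"] -= 1  # single use limits the damage if the token leaks from the app
    return {"method": "initial_access_token", "principal": token}

def authenticate_dcr_request(headers):
    """Dispatch on the Authorization scheme. Certificate auth (option 2) is decided
    by the TLS layer before the request reaches this point, so it is not shown."""
    scheme, _, value = headers.get("Authorization", "").partition(" ")
    if scheme.lower() == "basic":
        return _check_basic(value)
    if scheme.lower() == "bearer":
        return _check_bearer(value)
    return None

def register_client(headers, body):
    """Handle POST /register: authenticate, then validate the client metadata."""
    if authenticate_dcr_request(headers) is None:
        return 401, {"error": "invalid_client"}
    meta = json.loads(body)
    if not meta.get("redirect_uris"):  # RFC 7591 error code for missing/invalid URIs
        return 400, {"error": "invalid_redirect_uri"}
    return 201, {"client_id": secrets.token_urlsafe(16), "client_name": meta.get("client_name")}
```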

Re: What is the most suitable way to invoke DCR endpoints from native mobile application

Godwin Shrimal
Hi Gayan,

+1 for option 3. Securing data on the mobile device is a vendor-specific thing. You can find some information in [1] about Android data security.


Thanks
Godwin

On Mon, Dec 18, 2017 at 2:50 PM, Gayan Gunawardana <[hidden email]> wrote:
--
Godwin Amila Shrimal
Associate Technical Lead
WSO2 Inc.; http://wso2.com
lean.enterprise.middleware

mobile: +94772264165


Re: What is the most suitable way to invoke DCR endpoints from native mobile application

Firzhan Naqash
Hi Gayan,

I would also prefer the 3rd option. Different vendors provide different methodologies to secure information on mobile devices; in Android, the AccountManager [1] class provides secured access to the centralized registry, and applications use this class to store their secured credentials.



Regards,
Firzhan


mobile: (+94) 77 9785674 | blog: http://firzhanblogger.blogspot.com/

On Mon, Dec 18, 2017 at 3:07 PM, Godwin Shrimal <[hidden email]> wrote:

Re: What is the most suitable way to invoke DCR endpoints from native mobile application

Firzhan Naqash

Regards,
Firzhan


mobile: (+94) 77 9785674 | blog: http://firzhanblogger.blogspot.com/

On Tue, Dec 19, 2017 at 7:38 AM, Firzhan Naqash <[hidden email]> wrote:

Re: What is the most suitable way to invoke DCR endpoints from native mobile application

Youcef HILEM
Hi,
Could you please tell me what to add and where to add it to implement the
3rd option (Securing DCR endpoint with initial access token)?
Thanks
Youcef HILEM



--
Sent from: http://wso2-oxygen-tank.10903.n7.nabble.com/WSO2-Architecture-f62919.html