
Mobile app authentication by using Hybrid Access Gateway

Traditionally, authentication in mobile apps has not been much different from authentication in web applications. There are, however, some key differences in mobile apps:

  • The UI is not built on the server side, so any change to the UI (e.g. a new authentication method) requires a new version of the application to be built, released and installed by the user. This takes time and focus away from the actual app development.
  • For web applications we have used federation (SAML) for years to hand off authentication to another server so that the web application can focus on its main responsibilities. Mobile apps have a hard time integrating with these flows, since the HTTP Redirect and POST bindings are designed around a browser rather than a native client.
  • When using a mobile app the user does not expect to log in every time the app is opened: it is his own device, so he expects to stay logged in, though not necessarily with full access. He might expect read access to be available at once but accept being prompted for authentication before sensitive operations such as transferring money.

Figure 1: Classic mobile application scenario

Key points when developing a mobile application are that:

  • You want to use the same user base and the same password as for your web users; there should be no need to learn new passwords or new authentication methods, i.e. authentication in mobile apps must be in line with your current authentication.
  • You want long-lived sessions but with limited access; in OAuth2 this is solved with scopes.
  • You want to move the authentication flows out of the app, so that new authentication methods do not require changes to the application and so that you can use federated authentication such as SAML.
  • You do not want your application to store the user's password locally, nor to send it in an HTTP Basic Authorization header on every request.
  • You want to be able to turn off access for one particular app without affecting other connected apps and without forcing the user to change credentials.
  • You want to enable multi-factor authentication without handling all the authentication flows in your app.
  • You want to give the mobile app delegated, limited access rather than full access to the user's account.
  • You do not want to distribute your credentials and store them in mobile apps.

Hybrid Access Gateway can solve these issues in several different ways.

Putting the API that powers the application behind the Hybrid Access Gateway (the proxy solution) can solve all of these problems.

Figure 2: 1. The user is directed to the Access Gateway, which manages authentication and access control. 2. The user authenticates and approves the app's access to the API with the requested scope. 3. The user is directed back to the app with a token. 4. The app uses the token to access the API.

Figure 3: Much of the responsibility is handed over to the Access Gateway.

If one prefers not to proxy the application but still wants to hand the authentication and authorization challenges over to the Access Gateway, we support token introspection (RFC 7662): the API receives the token from the app and asks the Access Gateway whether the token is still valid and which user, app and scope it was issued for.

Figure 4: Using introspection to separate the API from the Access Gateway
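The introspection model of Figure 4 from the API's side, as an added example that is not part of the original post and not neXus code. The gateway's introspection endpoint is simulated by a local function returning the RFC 7662 response shape, so the API logic runs offline; the endpoint, the API's credentials, the client ids, token values and scope names are constructed sample data. It also shows the earlier point about turning off one app: disabling `mobile-ios` at the gateway makes that app's tokens inactive while the same user's `mobile-android` tokens keep working.

```python
"""API-side token introspection (RFC 7662) against the Access Gateway.

Added example, not part of the original post and not neXus code. The gateway's
introspection endpoint is simulated by a local function so the API logic runs
offline; endpoint, credentials, client ids, token values and scope names are
constructed sample data.
"""
import json
import time

API_ID = "accounts-api"        # assumed: this API's own registration at the gateway
API_SECRET = "assumed-secret"  # assumed: would come from a vault, never hard-coded
REQUIRED_SCOPE = {"GET /balance": "accounts:read", "POST /transfer": "payments:write"}

# --- gateway side (simulated) -------------------------------------------------
NOW = time.time()
TOKENS = {  # constructed: opaque tokens issued to two apps of the same user
    "tok-ios": {"client_id": "mobile-ios", "sub": "alice", "aud": "accounts-api",
                "scope": "accounts:read", "exp": NOW + 600},
    "tok-android": {"client_id": "mobile-android", "sub": "alice", "aud": "accounts-api",
                    "scope": "accounts:read payments:write", "exp": NOW + 600},
    "tok-stale": {"client_id": "mobile-ios", "sub": "alice", "aud": "accounts-api",
                  "scope": "accounts:read", "exp": NOW - 1},
    "tok-reports": {"client_id": "mobile-ios", "sub": "alice", "aud": "reports-api",
                    "scope": "accounts:read", "exp": NOW + 600},
}
ENABLED_APPS = {"mobile-ios", "mobile-android"}
RESOURCE_SERVERS = {"accounts-api": "assumed-secret"}


def introspection_endpoint(form: dict, basic_auth: tuple) -> str:
    """Simulated POST /oauth2/introspect; returns the JSON body the gateway would send."""
    rs_id, rs_secret = basic_auth
    if RESOURCE_SERVERS.get(rs_id) != rs_secret:
        raise PermissionError("401 invalid_client")  # only registered APIs may ask
    t = TOKENS.get(form.get("token", ""))
    # RFC 7662 section 2.2: unknown, expired and revoked tokens all just get
    # {"active": false}; nothing else about them is disclosed.
    if t is None or t["exp"] < time.time() or t["client_id"] not in ENABLED_APPS:
        return json.dumps({"active": False})
    return json.dumps({"active": True, "client_id": t["client_id"], "sub": t["sub"],
                       "scope": t["scope"], "aud": t["aud"], "exp": int(t["exp"])})


def disable_app(client_id: str) -> None:
    """Turn off one app at the gateway: its tokens stop working, other apps' do not."""
    ENABLED_APPS.discard(client_id)


# --- API side -----------------------------------------------------------------
def authorize_request(method_path: str, authorization_header) -> dict:
    """Per request: pull the bearer token, introspect it, enforce audience and scope."""
    if not authorization_header or not authorization_header.startswith("Bearer "):
        return {"status": 401, "reason": "missing bearer token"}
    token = authorization_header[len("Bearer "):].strip()
    info = json.loads(introspection_endpoint(
        {"token": token, "token_type_hint": "access_token"}, (API_ID, API_SECRET)))
    if not info.get("active"):
        return {"status": 401, "reason": "token inactive"}
    if info.get("aud") != API_ID:
        return {"status": 401, "reason": "token not issued for this API"}
    needed = REQUIRED_SCOPE.get(method_path)
    if needed is None:
        return {"status": 404, "reason": "unknown operation"}
    if needed not in info.get("scope", "").split():
        return {"status": 403, "reason": "insufficient_scope", "required": needed}
    return {"status": 200, "sub": info["sub"], "app": info["client_id"]}
```

Two caveats for a real deployment. The API authenticates itself to the introspection endpoint, so the endpoint cannot be used by anyone as an oracle for guessing tokens, and it checks `aud` so a token issued for a different API behind the same gateway is not accepted. If the API caches introspection results to save a round trip per request, the cache lifetime is the longest an app stays usable after it has been turned off at the gateway, so keep it short.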

Finally, the Access Gateway can do this for a whole set of applications and APIs, providing a single point of audit.

Figure 5: Managing authentication and authorization for multiple apps with the Access Gateway
