Further to Dave's advice - there are really two common approaches to mobile application authentication. I'll also mention a third, hybrid approach.
- One is to launch a web view to manage authentication via a web experience, making this also a request to the authorization code grant-type flow for OAuth, with the redirect_uri being a custom URI scheme pointing back to your application. Many enterprise applications that want to support federation to a company's intranet login (via SAML) do this. Box, Concur, etc. all do this.
- Another is to completely manage authentication UX inside the app itself. This is more common in B2C application scenarios. That's where techniques like the OAuth ROPC flow come into play.
IBM Verify itself is a bit of a hybrid. The mobile app completely manages the mobile application's authentication experience, however one major part of that experience is scanning a registration QR code which comes from a laptop/desktop browser on another device. This means that users do essentially use a web view for login, however not from within the mobile app. It's done completely externally and the mobile app just scans the code to complete registration. What IBM Verify actually does in scanning the QR code is complete an OAuth authorization code flow, so it's a bit like approach 1, but the web view is on another computer.
------------------------------
Shane Weeden
IBM
------------------------------
Original Message:
Sent: 02-24-2019 09:53 PM
From: David MOORE
Subject: ISAM Support for Native Apps
Hi Magnus
Are you aware of the IBM Verify Mobile SDK for Android and iOS? These are available from IBM Security App Exchange. This App Exchange search query should find them: https://exchange.xforce.ibmcloud.com/hub/?q=ibm%20verify%20sdk
Without knowing anything specific about the use case or intended solution, I would probably look at employing OAuth Resource Owner Password Credential (ROPC) as a potential technique to authenticate the mobile user and enable secure access to your web resources and APIs.
regards
David
------------------------------
David MOORE
Original Message:
Sent: 02-22-2019 05:47 AM
From: Magnus Bengtsson
Subject: ISAM Support for Native Apps
Hello,
Was wondering if there are any recommendations for a scenario that involves a native mobile application?
Scenario:
The native app development team are not so keen on using the login page that ISAM is presenting as they would like to keep everything in the app for the end-user.
Question:
What would be a recommended way of doing this?
Is there a native REST API or something similar that we can leverage for a user/password authentication in ISAM? So they are doing the authentication for us? Basically, I guess this would be a custom EAI solution but instead of building the API, I was wondering if there is anything out of the box that we can use?
Thanks in advance.
------------------------------
Magnus
------------------------------
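The two approaches from the first reply, shown as the OAuth messages a client would build and validate per RFC 6749. This is an added example, not code from the thread, IBM Verify or ISAM; the endpoint URL, client ID and custom URI scheme are constructed placeholders, and the client is assumed to be a public client that sends its client_id in the token request.

```python
import secrets
from urllib.parse import urlencode, urlsplit, parse_qs

# All values below are constructed placeholders, not taken from the thread.
AUTHORIZE_URL = "https://idp.example.com/oauth20/authorize"  # hypothetical endpoint
CLIENT_ID = "example-mobile-client"                          # hypothetical client
REDIRECT_URI = "com.example.app://oauth/callback"            # custom URI scheme

def build_authorization_request():
    """Approach 1: URL the web view opens; the app never handles the password."""
    state = secrets.token_urlsafe(16)  # binds the later callback to this request
    query = urlencode({"response_type": "code", "client_id": CLIENT_ID,
                       "redirect_uri": REDIRECT_URI, "state": state})
    return f"{AUTHORIZE_URL}?{query}", state

def handle_callback(callback_uri, expected_state):
    """Validate the custom-scheme redirect and return the authorization code."""
    want, got = urlsplit(REDIRECT_URI), urlsplit(callback_uri)
    if (got.scheme, got.netloc, got.path) != (want.scheme, want.netloc, want.path):
        raise ValueError("callback does not match registered redirect_uri")
    params = parse_qs(got.query)
    state = params.get("state", [""])[0]
    # Constant-time comparison; reject callbacks this app did not initiate.
    if not secrets.compare_digest(state.encode(), expected_state.encode()):
        raise ValueError("state mismatch")
    if "error" in params:
        raise ValueError("authorization failed: " + params["error"][0])
    if "code" not in params:
        raise ValueError("no authorization code in callback")
    return params["code"][0]

def code_exchange_form(code):
    """Token request body that completes approach 1 (RFC 6749 section 4.1.3)."""
    return {"grant_type": "authorization_code", "code": code,
            "redirect_uri": REDIRECT_URI, "client_id": CLIENT_ID}

def ropc_form(username, password):
    """Approach 2 (ROPC): the app itself collects and sends the password
    (RFC 6749 section 4.3.2)."""
    return {"grant_type": "password", "username": username,
            "password": password, "client_id": CLIENT_ID}
```

Both form dictionaries are meant to be sent as an `application/x-www-form-urlencoded` POST body to the token endpoint over TLS.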