Data Synchronization Patterns in Mobile Application Design
Eric Maxwell, Credible Software
What to Expect
Synchronizing Data
Data Format & Protocol
Efficiency
Security • Privacy • Integrity & Trust • Authentication • Authorization
Example App
• Paid subscription application
• Ohio’s Premier Events
• Users can see events but not update
• Admin can update events
Android Client
Login Register Find Events
iOS Client
Login Register Find Events
Data Format & Protocol Choice
Synchronizing Data
Data Format & Protocol
Open Ecosystem
• Exposing resources to public 3rd party clients (ex. Facebook)
Closed Ecosystem
• Exposing resources to clients that you also control
Which approach is best?
Key Questions
• What do existing systems & data look like in my organization?
• Is it vitally important that I have transaction management across various service calls?
• Do I have any other security, service discovery, delivery reliability requirements?
• How important is bandwidth?
• Are most of my clients & servers speaking the same language?
RPC vs SOAP vs REST
https://dzone.com/articles/api-best-practices-plan-your
Examples
https://myrestservice.com/api/events/37/registrations/128
URI: the nouns (events, registrations) name the resources; the HTTP method (verb) tells what we are doing with them.
Depends on the verb:

HTTP METHOD (verb)   ACTION
GET                  Get registration 128 that belongs to event 37
POST                 Create a new registration for event 37 (in this case the 128 would be omitted)
PUT                  Update registration 128 with new data
DELETE               Delete registration 128
Searching (HTTP GET)
/api/events                   Find all events
/api/events?type=conference   Find all events of type 'conference'
What we’ve Covered
Synchronizing Data
Data Format & Protocol
Efficiency
Synchronizing Data
Data Format & Protocol
Efficiency
Always use compression
As simple as adding the following to your application.yml:

```yaml
server:
  tomcat:
    compression: on
    compressableMimeTypes: application/json,application/xml,text/html,text/xml,text/plain
```

And it saves you a large share of the bytes transferred with JSON.
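What that Tomcat setting does on each response, written out as an added Python example so the saving can be measured (this is not code from the talk or from the grailsEventService project). The compressible type list is the one from the application.yml above; the size threshold, the event payload and the header parsing are constructed for the demo.

```python
import gzip
import json

# The compressable MIME type list from the application.yml above.
COMPRESSIBLE_MIME_TYPES = {"application/json", "application/xml", "text/html", "text/xml", "text/plain"}
MIN_BYTES = 256   # constructed threshold: very small bodies gain nothing from gzip

def build_sample_events(n=200):
    """Constructed sample payload shaped like a /events response."""
    return [{"id": i, "summary": f"Event {i}", "type": "conference" if i % 2 else "meetup",
             "date_created": f"2016-01-{(i % 28) + 1:02d}T08:00:00Z"} for i in range(1, n + 1)]

def encode_json(obj):
    return json.dumps(obj).encode("utf-8")

def client_accepts_gzip(request_headers):
    """Parse Accept-Encoding: 'gzip, deflate' and 'gzip;q=1.0, identity' both count."""
    accept = request_headers.get("Accept-Encoding", "")
    return "gzip" in [enc.split(";")[0].strip().lower() for enc in accept.split(",")]

def compress_response(request_headers, content_type, body):
    """Server side: gzip only when the client asked for it and the type is on the list.
    Returns (response_headers, body_bytes); Vary tells caches the answer depends on the request."""
    headers = {"Content-Type": content_type, "Vary": "Accept-Encoding"}
    base_type = content_type.split(";")[0].strip().lower()
    if client_accepts_gzip(request_headers) and base_type in COMPRESSIBLE_MIME_TYPES and len(body) >= MIN_BYTES:
        headers["Content-Encoding"] = "gzip"
        return headers, gzip.compress(body)
    return headers, body

def decode_response(headers, body):
    """Client side: undo the Content-Encoding, then parse the JSON."""
    if headers.get("Content-Encoding") == "gzip":
        body = gzip.decompress(body)
    return json.loads(body.decode("utf-8"))

def compression_ratio(events):
    """Bytes on the wire with and without compression for the sample payload."""
    plain = encode_json(events)
    _, packed = compress_response({"Accept-Encoding": "gzip, deflate"}, "application/json", plain)
    return len(plain), len(packed)
```

Repetitive JSON such as an event list typically shrinks to well under a third of its size. One caveat before compressing every JSON response: if a compressed body mixes a secret such as the access token with text the requester can influence, the compressed length leaks the secret (the BREACH attack), so keep tokens in responses that carry nothing caller-controlled.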
What if we only want new events since the last fetch?
Synchronization Tokens
/api/events?after=b72cef   Find all events after this 'token'
Sync tokens act as a bookmark for new fetches
Synchronization Tokens in Action
1. HTTP GET /api/events?after=
2. Server responds with all events & token
3. HTTP GET /api/events?after=MToxN
4. Server responds with events after token
Client Perspective
• Unaware of token meaning
• Knows how to use the token
Server Perspective
• Stateless & client agnostic
• If client sends token
  • I know how to interpret it
  • I know how to create tokens
Token Creation (our example)
1:1449354972621 base64 encoded to MToxNDQ5MzU0OTcyNjIx
Token = Version : Creation date of the last event in the result

id    summary    other columns    date_created
123   Codemash   …                2016-01-05T08:00:00Z
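The token format above, worked through as an added Python example rather than the Groovy of the talk's server (this is not the grailsEventService code). The format is the slide's: token version, a colon, the date_created of the newest event in the result as epoch milliseconds, Base64 encoded. The event records and the TOKEN_VERSION constant are constructed for the demo. The part worth seeing is the server side: the client treats the token as opaque, but the server must parse it defensively, because it arrives in a query string under the caller's control.

```python
import base64
import binascii
from datetime import datetime, timedelta, timezone

# Constructed sample rows shaped like the slide's event table (id, summary, date_created).
SAMPLE_EVENTS = [
    {"id": 121, "summary": "Stir Trek", "date_created": "2015-12-05T22:36:12.621Z"},
    {"id": 122, "summary": "DevFest",   "date_created": "2015-12-20T09:15:00Z"},
    {"id": 123, "summary": "Codemash",  "date_created": "2016-01-05T08:00:00Z"},
]

TOKEN_VERSION = 1   # constructed; bump it when the token layout changes
EPOCH = datetime(1970, 1, 1, tzinfo=timezone.utc)

def _to_millis(iso_ts):
    """ISO-8601 UTC timestamp (trailing Z) to epoch milliseconds, using exact integer arithmetic."""
    dt = datetime.fromisoformat(iso_ts.replace("Z", "+00:00"))
    return (dt - EPOCH) // timedelta(milliseconds=1)

def make_sync_token(events):
    """Server side: the bookmark is 'version:millis' of the newest event returned, Base64 encoded."""
    if not events:
        return ""
    newest = max(_to_millis(e["date_created"]) for e in events)
    raw = f"{TOKEN_VERSION}:{newest}".encode("ascii")
    return base64.b64encode(raw).decode("ascii")

def parse_sync_token(token):
    """Server side: decode and validate a client-supplied token. Returns the bookmark in epoch
    milliseconds, or None when the token is absent, malformed, or of a version we do not issue."""
    if not token:
        return None
    try:
        raw = base64.b64decode(token, validate=True).decode("ascii")
        version, millis = raw.split(":", 1)
        if int(version) != TOKEN_VERSION or not millis.isdigit():
            return None
        return int(millis)
    except (binascii.Error, UnicodeDecodeError, ValueError):
        return None

def events_after(events, token):
    """Handle GET /api/events?after=<token>. A missing or invalid token means a full fetch
    (the safe default: the client resyncs instead of silently missing rows); otherwise only
    events created strictly after the bookmark. Returns (events, token_for_next_fetch)."""
    since = parse_sync_token(token)
    if since is None:
        selected = list(events)
    else:
        selected = [e for e in events if _to_millis(e["date_created"]) > since]
    # With nothing new, hand the client's own bookmark back so it keeps its place.
    return selected, (make_sync_token(selected) if selected else (token or ""))
```

Two practical notes: standard Base64 can emit '+', '/' and '=' which must be percent-encoded in a query string (the slide's token happens to contain none; urlsafe_b64encode avoids the issue), and a strict "after" comparison skips events created in the same millisecond as the bookmark, so a server that can create several rows per millisecond needs a tie-breaker such as the id.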
What we’ve covered
Synchronizing Data
Data Format & Protocol
Efficiency
Security
Synchronizing Data
Data Format & Protocol
Efficiency
Security • Privacy • Integrity & Trust
HTTPS - Server SSL
Scenario Goals
• Clients want to know they’re talking to the real server
• Data transferred must be kept secret
HTTPS Overview
1. Client requests protected resource
2. Server presents certificate
3. Is this certificate valid, do I trust it?
4. Client & server complete SSL handshaking process
5. Subsequent messages are encrypted/decrypted at each end using an agreed symmetric algorithm and key.
HTTPS - Mutual SSL
Scenario Goals
• Clients want to know they’re talking to the real server
• Data transferred must be kept secret
• Server wants to know they’re talking to a valid client and user.
HTTPS - Mutual SSL Overview
1. Client requests protected resource
2. Server presents certificate
3. Is this certificate valid, do I trust it?
4. Client presents certificate
5. Is this certificate valid, do I trust it?
6. Client & server complete SSL handshaking process
7. Subsequent messages are encrypted/decrypted at each end using an agreed symmetric algorithm and key.
What we Covered
Synchronizing Data
Data Format & Protocol
Efficiency
Security • Privacy • Integrity & Trust • Authentication • Authorization
Authentication
Basic Auth
• Username and password concatenated with a ":", Base64 encoded and put into the header like this:
Authorization: Basic dGVzdFVzZXI6bXlQYXNz
Authentication
Client Certificate
• Client is issued an SSL certificate, which can contain user-identifiable information.
• Clients send this certificate to the server, which then validates it against a list of trusted client certs.
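The trust decisions in steps 3 and 5 of the HTTPS overviews, and the client-certificate validation just described, come down to a handful of ssl.SSLContext settings. The following is an added Python example, not code from the talk or from the Android/iOS sample apps: certificate, key and CA file paths are parameters the caller supplies, and the TLS 1.2 floor is an assumption, since the slides say only "SSL".

```python
import ssl

def client_context(ca_file=None):
    """Client side, step 3: accept the server's certificate only if it chains to a trusted CA
    and its name matches the host we asked for. create_default_context() turns both on;
    ca_file lets an app trust its own CA instead of the device store (path supplied by the caller)."""
    ctx = ssl.create_default_context(ssl.Purpose.SERVER_AUTH, cafile=ca_file)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2   # assumption: the slides only say "SSL"
    return ctx

def insecure_dev_context():
    """The 'just make my self-signed test server work' shortcut: no chain check and no name
    check, so anyone on the network path can impersonate the API. Included only so the
    review check below has something to reject."""
    ctx = ssl.create_default_context(ssl.Purpose.SERVER_AUTH)
    ctx.check_hostname = False          # must be cleared before verify_mode can be CERT_NONE
    ctx.verify_mode = ssl.CERT_NONE
    return ctx

def server_context(cert_file, key_file, client_ca_file=None):
    """Server side. Without client_ca_file this is plain server-authenticated HTTPS. With it,
    mutual TLS (steps 4 and 5): the server requires a client certificate and validates it
    against the trusted client CAs in that file, the 'list of trusted client certs' above."""
    ctx = ssl.create_default_context(ssl.Purpose.CLIENT_AUTH)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    ctx.load_cert_chain(cert_file, key_file)
    if client_ca_file:
        ctx.load_verify_locations(cafile=client_ca_file)
        ctx.verify_mode = ssl.CERT_REQUIRED
    return ctx

def is_safe_client_config(ctx):
    """What a code review of a mobile client's TLS setup checks: chain validation on,
    hostname validation on, and no protocol older than TLS 1.2."""
    return (ctx.verify_mode == ssl.CERT_REQUIRED and ctx.check_hostname
            and ctx.minimum_version >= ssl.TLSVersion.TLSv1_2)
```

The check matters because the usual way a client ends up "trusting" a self-signed development server is the insecure_dev_context shape, and that code has a habit of shipping.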
Authorization
• User - What does the user have access to do.
• Application - What information does the user want to share with us or allow us to do on their behalf
User Authorization w/ Roles
Users mapped to roles; resources secured by role:

```groovy
@RolesAllowed(["ROLE_CLIENT"])
class EventController {
    // ...
    @RolesAllowed(["ROLE_ADMIN"])
    void save() {}
    // ...
}
```
Application Authorization w/ OAuth 2.0
OAuth 2.0 between the user and a 3rd party application (e.g. Shutterfly)
1. User signs up with Shutterfly
2. Shutterfly gives user option to load their FB photos.
3. May also offer option to use FB to login to Shutterfly, thereby not needing a separate Shutterfly login.
4. User decides to do this, so they click a button during Shutterfly registration.
5. User is sent to FB to authenticate and authorize Shutterfly to access their photos.
6. User is sent back to Shutterfly and Shutterfly can now access those photos.
Actor Roles
• Resource Owner - Owner of the data (e.g. user)
• Resource Server - Server which has the resource owner's data.
• Client - The application or service which wants to access the resource owner's data.
• Authorization Server - The server which authorizes access to the protected resources after the owner has authenticated and given consent.
• Identity Provider (IDP) - When OAuth 2 is used for authentication, the identity provider validates user credentials
Shutterfly Example Actors
Client: ex. Shutterfly
Resource Server / Authorization Server / Identity Provider: ex. Facebook
Resource Owner: ex. User
Shutterfly Example - Registration
1. Client (Shutterfly) registers with the authorization server (Facebook)
2. Client Id & Secret sent to client
Key Terms
• Client Id & Client Secret - Given to the client upon registering with the authorization server
• Access Token - Created by the authorization server after the resource owner has authenticated and given permission for the client to access their data
• Scope - Defined by the resource server, it indicates what the client is authorized to do on the user's behalf. It's associated with an access token (ex: public_profile, publish_actions)
• Grant Type - Different ways to get an access token. This will often guide the flow or interaction between the actors
Grant Types
• Authorization Code - Optimized for web clients which can maintain the confidentiality of their client secret
• Implicit - Optimized for public clients that cannot secure their client secret. Common to JavaScript apps running in a browser.
• Client Credentials - Provides application level (non user specific) access to the resource server.
• Resource Owner Password Credentials - Optimized for cases where there is a trust relationship between the authorization server and the client. A thick client on a smart phone or desktop, for example.
Resource Owner Password Credentials Grant
Authorization Server / Identity Provider / Resource Server: ex. Facebook
Client: ex. Shutterfly
1. Request access token for user with: (1) client_id / secret, (2) username, password
2. Access token
4. Access token
5. Resources
Example Application
Android Client
Login Register Find Events
Resource Owner Password Credentials Grant
Authorization Server / Identity Provider / Resource Server: Event Service
Client: Event Client App
Authenticate
Access resources w/ token
Event API
URI                         Method   Body (JSON)        Response
/register                   POST     Registration Cmd   Registration Cmd
/login                      POST     Login Cmd          OAuth Token
/events/{id}                GET      n/a                Event
/events                     POST     Event              n/a
/events[?syncToken=token]   GET      n/a                List<Event>
Login
• User logs in to get a token

```http
POST https://localhost:8443/login
Content-Type: application/json

{ "username": "joec123", "password": "secretPassword" }
```

1. Send an /oauth/token request with the appropriate information for a grant_type of password
Token Via Resource Owner Password Credentials
• User-specific access token

```http
POST https://localhost:8443/oauth/token
Authorization: Basic MDgyNDBiNGQtMDlmOS00NGZiLTg4ZjUtM2Q2ODIxZmUyOTIzOjZmMjMxMTA1LWZhZDQtNGFhNC05NTgxLTE4ZDVmNDhlYzgxMA==
Accept: application/json
Cache-Control: no-cache
Content-Type: application/x-www-form-urlencoded

username=joec123&password=secretPassword&grant_type=password&scope=read+write
```

Where the Basic Auth token is comprised of the client_id (as the username) and the client_secret (as the password).

Success:

```json
{ "access_token": "54642d51-1fea-4309-a245-dcc43ffd57ac", "token_type": "bearer", "expires_in": 25222, "scope": "read write" }
```

Failure:

```json
{ "timestamp": 1449367453794, "status": 401, "error": "Unauthorized", "message": "Bad credentials", "path": "/oauth/token" }
```
Login
• User logs in to get a token
1. Send an /oauth/token request with the appropriate information for a grant_type of password
2. Return response to user
• Successful response

```http
HTTP 200 - Ok

{ "access_token": "54642d51-1fea-4309-a245-dcc43ffd57ac", "token_type": "bearer", "expires_in": 25222, "scope": "read write" }
```
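The Basic Auth header from the Authentication slide and the /oauth/token exchange above, put together as one added Python example of what the authorization server and the resource server do with them (this is not the Grails event service's code, which delegates this to Spring Security OAuth). The client registration "event-client", its secret, the salt and the in-memory token table are constructed; the user joec123 and the success and failure response shapes follow the slides; the access token is random rather than the slide's UUID.

```python
import base64
import binascii
import hashlib
import hmac
import secrets
import time
from urllib.parse import parse_qs

# Constructed registrations. On the real server these come from the oauth_client_details and
# user/role tables; the salt, client secret and password here are sample values for the demo.
_USER_SALT = b"constructed-salt"

def _hash_password(password, salt):
    """Store only a slow, salted hash, never the password itself."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 50_000)

USERS = {"joec123": {"salt": _USER_SALT, "hash": _hash_password("secretPassword", _USER_SALT)}}
CLIENTS = {"event-client": {"secret": "constructed-client-secret", "scopes": {"read", "write"}}}
TOKENS = {}          # access_token -> {"user", "scope", "expires_at"}; a real server persists these
TOKEN_TTL = 25222    # seconds, the expires_in value shown on the slide

def build_basic_header(username, password):
    """Client side (Basic Auth slide): 'username:password', Base64 encoded."""
    return "Basic " + base64.b64encode(f"{username}:{password}".encode()).decode()

def parse_basic_header(header):
    """Server side: reverse the encoding. Base64 is not encryption, which is why Basic
    credentials only ever travel inside HTTPS."""
    if not header or not header.startswith("Basic "):
        return None
    try:
        raw = base64.b64decode(header[6:], validate=True).decode("utf-8")
    except (binascii.Error, UnicodeDecodeError):
        return None
    user, sep, password = raw.partition(":")
    return (user, password) if sep else None

def _authenticate_client(header):
    """client_id is the Basic username and client_secret the Basic password."""
    creds = parse_basic_header(header)
    client = CLIENTS.get(creds[0]) if creds else None
    # constant-time comparison so a wrong secret is not distinguishable by timing
    if client and hmac.compare_digest(client["secret"].encode(), creds[1].encode()):
        return creds[0]
    return None

def _authenticate_user(username, password):
    user = USERS.get(username)
    if user is None:
        _hash_password(password, _USER_SALT)   # unknown user costs as much as a wrong password
        return False
    return hmac.compare_digest(user["hash"], _hash_password(password, user["salt"]))

def token_endpoint(headers, body, now=None):
    """POST /oauth/token for grant_type=password. Returns (status, body-dict) shaped like the
    success and failure responses on the slide."""
    now = time.time() if now is None else now
    form = {k: v[0] for k, v in parse_qs(body).items()}
    client_id = _authenticate_client(headers.get("Authorization"))
    if client_id is None:
        return 401, {"status": 401, "error": "Unauthorized", "message": "Bad client credentials",
                     "path": "/oauth/token"}
    if form.get("grant_type") != "password":
        return 400, {"error": "unsupported_grant_type"}
    if not _authenticate_user(form.get("username", ""), form.get("password", "")):
        return 401, {"status": 401, "error": "Unauthorized", "message": "Bad credentials",
                     "path": "/oauth/token"}
    requested = set(form.get("scope", "").split()) or set(CLIENTS[client_id]["scopes"])
    if not requested <= CLIENTS[client_id]["scopes"]:
        return 400, {"error": "invalid_scope"}
    token = secrets.token_urlsafe(32)   # opaque and unguessable; the server keeps the mapping
    TOKENS[token] = {"user": form["username"], "scope": requested, "expires_at": now + TOKEN_TTL}
    return 200, {"access_token": token, "token_type": "bearer", "expires_in": TOKEN_TTL,
                 "scope": " ".join(sorted(requested))}

def resource_access(headers, needed_scope, now=None):
    """Resource server: honour 'Authorization: Bearer <token>' only while the token is
    unexpired and its scope covers the operation. Returns an HTTP status code."""
    now = time.time() if now is None else now
    auth = headers.get("Authorization", "")
    info = TOKENS.get(auth[7:]) if auth.startswith("Bearer ") else None
    if info is None or info["expires_at"] <= now:
        return 401
    return 200 if needed_scope in info["scope"] else 403
```

Note that the resource owner password flow means the app handles the user's password directly, which is why the slides reserve it for a client the authorization server already trusts; the event client app and event service are both yours, so that condition holds here.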
Securing Resources
• Resources secured by URL pattern match

```groovy
import org.springframework.context.annotation.Configuration
import org.springframework.security.config.annotation.web.builders.HttpSecurity
import org.springframework.security.oauth2.config.annotation.web.configuration.EnableResourceServer
import org.springframework.security.oauth2.config.annotation.web.configuration.ResourceServerConfigurerAdapter
import org.springframework.security.oauth2.config.annotation.web.configurers.ResourceServerSecurityConfigurer

@Configuration
@EnableResourceServer
class OAuth2ServerConfiguration extends ResourceServerConfigurerAdapter {

    void configure(ResourceServerSecurityConfigurer resources) {
        resources.resourceId('event-api')
    }

    void configure(HttpSecurity http) throws Exception {
        http
            .authorizeRequests()
            .antMatchers("/register", "/login").permitAll()   // open endpoints
            .anyRequest().authenticated()                     // everything else needs a valid token
    }
}
```

• Authorization based on role

```groovy
@RolesAllowed(["ROLE_CLIENT"])
class EventController { /* ... */ }
```
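The two layers above (the URL-pattern rules with their authenticated-by-default fallback, and the @RolesAllowed annotations from the "User Authorization w/ Roles" slide), as an added Python example of the decision the security layer makes before any controller code runs. This is not the Spring Security filter chain or the project's code: PRINCIPALS are constructed bearer tokens standing in for the token lookup, and the route table is the Event API from the slides.

```python
import re

# Constructed principals: the resource server would look these up from the bearer token it issued.
PRINCIPALS = {
    "token-joe":   {"user": "joec123", "roles": {"ROLE_CLIENT"}},
    "token-admin": {"user": "admin",   "roles": {"ROLE_ADMIN", "ROLE_CLIENT"}},
}

# Mirrors http.authorizeRequests(): these are permitAll(); anyRequest() must be authenticated.
PERMIT_ALL = [re.compile(r"/register"), re.compile(r"/login")]

# Mirrors @RolesAllowed on EventController: ROLE_CLIENT at class level for reading events,
# ROLE_ADMIN on save() (POST /events), because only the admin may update events.
ROLES_REQUIRED = [
    ("GET",  re.compile(r"/events"),     {"ROLE_CLIENT"}),
    ("GET",  re.compile(r"/events/\d+"), {"ROLE_CLIENT"}),
    ("POST", re.compile(r"/events"),     {"ROLE_ADMIN"}),
]

def principal_for(headers):
    """Resolve 'Authorization: Bearer <token>' to a user and its roles, or None."""
    auth = headers.get("Authorization", "")
    return PRINCIPALS.get(auth[len("Bearer "):]) if auth.startswith("Bearer ") else None

def authorize(method, path, headers):
    """Status the security layer answers with: 200 allowed, 401 not authenticated,
    403 authenticated but missing the role, 404 no rule for this route (nothing is
    reachable without an explicit rule, so a forgotten endpoint fails closed)."""
    path = path.split("?", 1)[0]          # /events?syncToken=... is still the /events rule
    if any(p.fullmatch(path) for p in PERMIT_ALL):
        return 200
    principal = principal_for(headers)
    if principal is None:
        return 401
    for rule_method, pattern, roles in ROLES_REQUIRED:
        if rule_method == method and pattern.fullmatch(path):
            return 200 if principal["roles"] & roles else 403
    return 404
```

The order matters: the open endpoints are matched first so that /register and /login work without a token, and the role check runs only after authentication, which is why a missing token is a 401 and a client-role user posting to /events is a 403.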
Database Schema
On First Install
1. Add the event api to the oauth_client_details table.
2. Add ROLE_ADMIN, ROLE_CLIENT to the security_role table.
3. Add an admin user and associate with all roles.
What we Covered
Synchronizing Data
Data Format & Protocol
Efficiency
Security • Privacy • Integrity & Trust • Authentication • Authorization
Resources
• Sample Code
• Server - https://github.com/ericmaxwell2003/grailsEventService
• Android - https://github.com/ericmaxwell2003/androidEventClientApp
• iOS - https://github.com/ericmaxwell2003/iosEventClientApp
• OAuth Grant Types & Flows - http://oauthlib.readthedocs.org/en/latest/oauth2/grants/grants.html
• Credible Software - http://credible.software
Questions