Mobile SSO: are we there yet?
TRANSCRIPT
MOBILE SSO: ARE WE THERE YET?
BRIAN CAMPBELL @__b_c
Copyright © 2015 Brian Campbell. All rights reserved. 2
Formalities, Introductions, etc.
• I work @ Ping
• You might know me as ‘that guy’ with the camera
• Slides will be available
– at http://www.slideshare.net/briandavidcampbell
– & at https://twitter.com/__b_c
• 2 underscores + b + 1 underscore + c
Yeah, that guy
My ‘Safe Harbor’ Slide
• Disclaimers
– Views or opinions presented herein are solely my own and do not necessarily represent those of my employer
– Wholly unqualified to talk about mobile
– Primarily do server side development
– And not even very much of that anymore
• So, um… WTF?
– I know a few people involved with CIS
– And I do use a mobile phone…
Though not very well
But Sometimes…
An outsider’s perspective can help see where things just aren’t quite right
as demonstrated by a semi-contrived little story about me and my phone
Premise: Single Sign-On just isn’t quite right on mobile
I’m very busy and important
As you can see by my opulent travel budget.
So, while I am one of those luddites who still prefers a real computer for work, sometimes I have to use my phone…
Just trying to join a meeting while out on the road.
Please excuse any intermittent time travel. I had some technical difficulties with something called “focus” and had to reshoot a few images.
There’s my meeting!
(This happened on first use a long time ago)
Awkward Transition
• Behind the Scenes
– Web Single Sign-On
– OAuth 2.0 (ish)
Web Single Sign-On in one Slide
• Typically
– SAML 2.0
– OpenID Connect
• But also
– SAML 1.1/1.0
– OpenID 2.0
– WS-Federation
• And maybe
– Facebook Connect/Login
– Whatever Twitter does
– Various non-standard approaches
[Diagram: Identity Provider (IDP) and Service Provider (SP); Web Single Sign-On (SSO): You Only Login Once]
OAuth 2.0 in one slide
• client: An application obtaining authorization and making protected resource requests.
– Native app on mobile device
• resource server (RS): A server capable of accepting and responding to protected resource requests (typically APIs).
• authorization server (AS): A server capable of issuing tokens after successfully authenticating the resource owner and obtaining authorization.
A few other OAuth terms
• Access token (AT) – Presented by the client when accessing protected resources at the RS
• Refresh token (RT) – Allows clients to obtain a fresh access token without re-obtaining authorization
• Scope – A permission (or set of permissions) defined by the AS/RS
• Authorization endpoint – used by the client to obtain authorization from the resource owner via user-agent redirection
• Token endpoint – used for direct client to AS communication
• Authorization Code – One time code issued by an AS to be exchanged for an AT.
[Diagram: the Client gets a token from the Authorization Server, then uses the token at the Resource Server]
Web SSO + OAuth = Mobile SSO
[Diagram: Device (Native App, System Browser) ↔ https:// Home Service (Authorization Endpoint, Token Endpoint) ↔ Enterprise or Social Identity Provider; steps 1–5 as walked through on the following slides]
(1) Request Authorization
• When the user first needs to access some protected resource (not logged in), the app launches the system browser with an authorization request
• ‘IDP Discovery’ can be done in the native application
[Diagram: step 1, the Native App launches the System Browser at the Home Service’s Authorization Endpoint]
https://as.example.com/as/authz.oauth2?client_id=org.example.myapp&response_type=code&scope=update_status&idp=pingidentity.com&code_challenge=7gEsCAcCLtCTbDl2fml2z
A quick note about Apple…
(1a) PKCE
https://as.example.com/as/authz.oauth2?client_id=org.example.myapp&response_type=code&scope=update_status&idp=pingidentity.com&code_challenge=7gEsCAcCLtCTbDl2fml2z
• Proof Key for Code Exchange by OAuth Public Clients (PKCE)
– Binds the code exchange to the authorization request
– (RFC in waiting) https://tools.ietf.org/html/draft-ietf-oauth-spop (since published as RFC 7636)
– The request above sends no code_challenge_method, so it uses the default “plain” method, in which the code_verifier presented later is the challenge itself; the spec recommends S256, where the challenge is the base64url-encoded SHA-256 of the verifier, so an attacker who observes the challenge in the browser request cannot derive the verifier
(2) Authenticate and Approve
• Redirect to IDP for SSO (the Home Service is the SP)
• User approves the requested access
– (don’t skip this)
[Diagram: step 2, the System Browser is redirected from the Authorization Endpoint to the Enterprise or Social Identity Provider and back]
(3) Handle Callback
• Authorization server returns control to the app using HTTP redirection and includes an authorization code
– URI with a custom scheme registered to the app
• Reversed domain name as redirect_uri scheme
– Resistant to accidental collisions
– Proof of domain ownership provides better recourse against malicious collisions
[Diagram: step 3, the Authorization Endpoint’s 302 is followed by the System Browser back into the Native App]
HTTP/1.1 302 Found
Location: org.example.myapp://oauth.cb?code=n0esc3NRze7LTCu7iYzS6a5acc3f0ogp4
(4) Trade Code for Token(s)
[Diagram: step 4, the Native App POSTs directly to the Token Endpoint]
token endpoint request
POST /as/token.oauth2 HTTP/1.1
Host: as.example.com
Content-Type: application/x-www-form-urlencoded;charset=UTF-8

client_id=org.example.myapp&grant_type=authorization_code&code=n0esc3NRze7LTCu7iYzS6a5acc3f0ogp4&code_verifier=7gEsCAcCLtCTbDl2fml2z
(4a) PKCE Again
token endpoint request
POST /as/token.oauth2 HTTP/1.1
Host: as.example.com
Content-Type: application/x-www-form-urlencoded;charset=UTF-8

client_id=org.example.myapp&grant_type=authorization_code&code=n0esc3NRze7LTCu7iYzS6a5acc3f0ogp4&code_verifier=7gEsCAcCLtCTbDl2fml2z
(4b) Trade Code for Token(s)
[Diagram: step 4, the Native App POSTs directly to the Token Endpoint]
token endpoint request
POST /as/token.oauth2 HTTP/1.1
Host: as.example.com
Content-Type: application/x-www-form-urlencoded;charset=UTF-8

client_id=org.example.myapp&grant_type=authorization_code&code=n0esc3NRze7LTCu7iYzS6a5acc3f0ogp4&code_verifier=7gEsCAcCLtCTbDl2fml2z
token endpoint response
HTTP/1.1 200 OK
Content-Type: application/json;charset=UTF-8
Cache-Control: no-store

{ "token_type":"Bearer", "expires_in":3600, "access_token":"PeRTSD9RltacecQriuFfsxV41", "refresh_token":"uyAVrtaccLZ2qPzI8rQ5ltckCdGJsz8XE58esc" }
(5) Use Access Token
Authenticate/authorize calls to the protected APIs by including the AT in the HTTP Authorization header
[Diagram: step 5, the Native App calls the protected API at the Resource Server with the access token]
POST /api/update-status HTTP/1.1
Host: rs.example.org
Authorization: Bearer PeRTSD9RltacecQriuFfsxV41
Content-Type: application/json

{"status" : "almost done with this presentation"}
Rinse and Repeat
• If all goes well, HTTP/1.1 200 OK
• And if not, HTTP 401
• Use the refresh token to get a new access token
• And if that doesn’t work or you don’t have a refresh token, initiate the authorization request flow again
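Steps (1) through (5) above, end to end, as an added example that is not code from the slides or from Ping. It runs offline against an in-memory stand-in for the authorization server, and it goes one step beyond the slides' request: the verifier/challenge pair uses the S256 method rather than the “plain” method implied by the identical code_challenge and code_verifier values shown, and the client also sends a state parameter so a forged or replayed callback is rejected. The as.example.com endpoint, the org.example.myapp://oauth.cb redirect_uri and the AS behaviour (single-use codes, PKCE checked as RFC 7636 describes) are assumptions for the demo.

```python
"""Added example (not from the slides): steps (1)-(5) of the native-app flow
with PKCE, run offline against an in-memory stand-in for the authorization
server. Assumed: the as.example.com endpoint and org.example.myapp://oauth.cb
redirect_uri are hypothetical, the AS enforces PKCE per RFC 7636, and S256 is
used instead of the 'plain' method implied by the slides' request."""
import base64
import hashlib
import hmac
import secrets
from urllib.parse import parse_qs, urlencode, urlsplit

AUTHZ_ENDPOINT = "https://as.example.com/as/authz.oauth2"   # hypothetical
CLIENT_ID = "org.example.myapp"
REDIRECT_URI = "org.example.myapp://oauth.cb"   # reversed-domain custom scheme

def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")

def make_pkce_pair():
    """RFC 7636: 43-128 char verifier; S256 challenge = base64url(SHA-256(verifier))."""
    verifier = b64url(secrets.token_bytes(32))   # 43 unreserved characters
    challenge = b64url(hashlib.sha256(verifier.encode("ascii")).digest())
    return verifier, challenge

class NativeAppClient:
    def __init__(self):
        self.pending = {}   # state -> code_verifier for each in-flight request

    def authorization_url(self, scope="update_status", idp="pingidentity.com"):
        """(1) The URL the app hands to the system browser."""
        verifier, challenge = make_pkce_pair()
        state = b64url(secrets.token_bytes(16))   # ties the callback to this request
        self.pending[state] = verifier
        return AUTHZ_ENDPOINT + "?" + urlencode({
            "client_id": CLIENT_ID, "response_type": "code", "scope": scope,
            "redirect_uri": REDIRECT_URI, "idp": idp, "state": state,
            "code_challenge": challenge, "code_challenge_method": "S256"})

    def handle_callback(self, url):
        """(3) The OS routes the custom-scheme URL to the app; returns (code, verifier)."""
        u = urlsplit(url)
        if f"{u.scheme}://{u.netloc}" != REDIRECT_URI:
            raise ValueError("callback on an unexpected URI")
        q = parse_qs(u.query)
        verifier = self.pending.pop(q.get("state", [""])[0], None)
        if verifier is None:
            raise ValueError("unknown or reused state")   # forged or replayed callback
        return q["code"][0], verifier

    def token_request(self, code, verifier):
        """(4) Form body for the token endpoint; a public client has no secret to send."""
        return {"client_id": CLIENT_ID, "grant_type": "authorization_code",
                "code": code, "redirect_uri": REDIRECT_URI, "code_verifier": verifier}

    @staticmethod
    def api_headers(access_token):
        """(5) Bearer token on the protected API call."""
        return {"Authorization": f"Bearer {access_token}"}

class FakeAuthorizationServer:
    """Minimal AS: remembers the challenge per code, then checks the verifier."""
    def __init__(self):
        self.codes = {}

    def authorize(self, authz_url):
        """(2) After web SSO and user consent: the 302 Location back to the app."""
        q = {k: v[0] for k, v in parse_qs(urlsplit(authz_url).query).items()}
        code = b64url(secrets.token_bytes(24))
        self.codes[code] = (q["client_id"], q["redirect_uri"], q["code_challenge"],
                            q.get("code_challenge_method", "plain"))
        return q["redirect_uri"] + "?" + urlencode({"code": code, "state": q["state"]})

    def token(self, body):
        rec = self.codes.pop(body.get("code"), None)   # codes are single-use
        if rec is None:
            return {"error": "invalid_grant"}
        client_id, redirect_uri, challenge, method = rec
        v = body.get("code_verifier", "")
        derived = b64url(hashlib.sha256(v.encode()).digest()) if method == "S256" else v
        if (body.get("client_id"), body.get("redirect_uri")) != (client_id, redirect_uri) \
                or not hmac.compare_digest(derived.encode(), challenge.encode()):
            return {"error": "invalid_grant"}   # right code, wrong (or no) verifier
        return {"token_type": "Bearer", "expires_in": 3600,
                "access_token": b64url(secrets.token_bytes(18)),
                "refresh_token": b64url(secrets.token_bytes(27))}

def run_flow():
    """Legitimate flow, then a code intercepted by another app on the device."""
    app, srv = NativeAppClient(), FakeAuthorizationServer()
    callback = srv.authorize(app.authorization_url())          # (1)-(3)
    code, verifier = app.handle_callback(callback)
    tokens = srv.token(app.token_request(code, verifier))      # (4)
    # A rogue app registered for the same scheme can catch the callback, but it
    # never saw the verifier, so its exchange fails (and burns the code).
    stolen = parse_qs(urlsplit(srv.authorize(app.authorization_url())).query)["code"][0]
    rejected = srv.token({"client_id": CLIENT_ID, "grant_type": "authorization_code",
                          "code": stolen, "redirect_uri": REDIRECT_URI,
                          "code_verifier": "not-the-verifier"})
    return tokens, rejected
```

run_flow() returns the token response for the legitimate exchange and the invalid_grant error the stand-in AS gives for the intercepted code. The interception case is the one PKCE was written for: on a device, any app can register the same custom scheme and receive the callback, so the code alone must not be enough to get tokens. Note also that the legitimate app would see its own exchange fail if the thief used the code first, which is a signal worth logging.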
Some Folks Like to …
[Diagram: the same Device / Home Service / Identity Provider flow, steps 1–5, through the System Browser]
… Use a Web-View
[Diagram: the same flow, steps 1–5, but the Native App embeds a Web-View in place of the System Browser]
but…
The Web-View Anti-Pattern
• Usability Issues
– No shared context (cookie)
– Requires sign-in once per app even when web SSO is possible
• Security Issues
– Web-view typically isn’t sandboxed from the invoking app, so credentials and authentication cookies can be stolen
– Requires/encourages users to enter credentials without the address bar and associated visual cues of site authenticity (HTTPS)
• Missing Features
– Some web-views unable to access client certificates
– Generally unable to use password managers, etc.
What about OpenID Connect?
• A simple[sic] single sign-on and identity layer on top of OAuth 2.0
• Adds an ID Token (JWT) for user authentication to the client
• And a bunch of other stuff
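What the “ID Token for user authentication to the client” actually obliges the native app to check, as an added example rather than code from the slides or from any OpenID Connect library: the signature, then the issuer, audience (with azp when there is more than one audience), expiry and the nonce the client put into its authorization request. The token here is HS256-signed with a made-up shared key so the example runs offline; a real IdP signs with an asymmetric key published at its JWKS URL, and only the signature step would change. The issuer, client_id, subject and nonce values are constructed.

```python
"""Added example (not from the slides): the checks a native app makes on an
OpenID Connect ID Token before trusting it as proof of who logged in.
Assumptions: HS256 with a demo shared key stands in for the IdP's real
(asymmetric) signing key; issuer, client_id, subject and nonce are made up."""
import base64
import hashlib
import hmac
import json
import time

DEMO_KEY = b"demo-shared-key-not-for-production"   # assumption, demo only
ISSUER = "https://idp.example.com"                  # constructed
CLIENT_ID = "org.example.myapp"

def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")

def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def mint_id_token(claims: dict, key: bytes = DEMO_KEY, alg: str = "HS256") -> str:
    """IdP side (constructed): header.payload.signature; alg='none' yields no signature."""
    header = b64url(json.dumps({"alg": alg, "typ": "JWT"}).encode())
    payload = b64url(json.dumps(claims).encode())
    signing_input = f"{header}.{payload}".encode("ascii")
    sig = hmac.new(key, signing_input, hashlib.sha256).digest() if alg == "HS256" else b""
    return f"{header}.{payload}.{b64url(sig)}"

def validate_id_token(token, key=DEMO_KEY, issuer=ISSUER, client_id=CLIENT_ID,
                      nonce=None, now=None, leeway=60) -> dict:
    """Client side, after OpenID Connect Core 3.1.3.7. Raises ValueError on any
    failure; the signature is verified before any claim is read, and the alg is
    pinned so 'none' or a swapped algorithm is never accepted."""
    now = int(time.time()) if now is None else now
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed token")
    h, p, s = parts
    header = json.loads(b64url_decode(h))
    if header.get("alg") != "HS256":
        raise ValueError(f"unexpected alg {header.get('alg')!r}")
    expected = hmac.new(key, f"{h}.{p}".encode("ascii"), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, b64url_decode(s)):
        raise ValueError("signature check failed")
    claims = json.loads(b64url_decode(p))
    if claims.get("iss") != issuer:
        raise ValueError("wrong issuer")
    aud = claims.get("aud")
    aud = [aud] if isinstance(aud, str) else list(aud or [])
    if client_id not in aud:
        raise ValueError("token not issued for this client")
    if len(aud) > 1 and claims.get("azp") != client_id:
        raise ValueError("multiple audiences without matching azp")
    if not isinstance(claims.get("exp"), int) or now > claims["exp"] + leeway:
        raise ValueError("token expired")
    if nonce is not None and claims.get("nonce") != nonce:
        raise ValueError("nonce mismatch (replayed or injected token)")
    if "sub" not in claims:
        raise ValueError("no subject")
    return claims

def demo():
    """Returns (accepted claims, rejection reasons for five tampered tokens)."""
    now = 1_700_000_000   # fixed clock so the result is reproducible
    good = {"iss": ISSUER, "sub": "brian", "aud": CLIENT_ID, "nonce": "n-0S6_WzA2Mj",
            "iat": now, "exp": now + 300}
    ok = validate_id_token(mint_id_token(good), nonce="n-0S6_WzA2Mj", now=now)
    reasons = []
    for bad in (
        mint_id_token({**good, "aud": "org.example.otherapp"}),       # for another client
        mint_id_token({**good, "exp": now - 3600}),                   # expired
        mint_id_token(good, alg="none"),                              # unsigned
        mint_id_token(good) + "x",                                    # tampered signature
        mint_id_token({**good, "iss": "https://evil.example.com"}),   # wrong issuer
    ):
        try:
            validate_id_token(bad, nonce="n-0S6_WzA2Mj", now=now)
            reasons.append("accepted")
        except ValueError as e:
            reasons.append(str(e))
    return ok, reasons
```

demo() validates one good token and shows why each of the five tampered variants is refused. The order of checks matters: a token that fails the signature check is never parsed for claims, and a token from the right issuer but minted for a different client is refused even though its signature is valid, which is the mistake that lets one relying party's token be replayed at another.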
What about OpenID Connect?
• Great for the web SSO part
• Can be layered on the OAuth part
[Diagram: the same Device / Home Service / Identity Provider flow, steps 1–5]
What about NAPPS?
• Intended to be a profile of OpenID Connect to enable an SSO model for native applications installed on mobile devices
• A Token Agent as the shared context
NAPPS is Great!
• It’s just not real (yet, anyway)
(annotations on the slide: “this one”, “um, no”, “eventually”)
Don’t Sleep on NAPPS?
• But not totally incompatible with the approach discussed herein
– (latest thinking, anyway)
And really, who couldn’t use more NAPPS?
Near Term Recommendations
• Use OAuth 2.0 + PKCE
– & maybe OpenID Connect
• Use Web SSO
• Prompt for user consent (every time)
• Use the System Browser
• Use a reversed Internet domain name in the custom scheme for the callback URI
MOBILE SSO: ARE WE THERE YET?
BRIAN CAMPBELL @__b_c
THANKS! (time permitting)
QUESTIONS?