| copyright | lastupdated | keywords | subcollection | ||
|---|---|---|---|---|---|
|
2022-09-15 |
secure mobile app, android, ios, authenticate users, authorization grant, client sdk, trusted client, native app, personalized, custom app, devices, identity flow, app security |
appid |
{:codeblock: .codeblock} {:screen: .screen} {:download: .download} {:external: target="_blank" .external} {:faq: data-hd-content-type='faq'} {:gif: data-image-type='gif'} {:important: .important} {:note: .note} {:pre: .pre} {:tip: .tip} {:preview: .preview} {:deprecated: .deprecated} {:beta: .beta} {:term: .term} {:shortdesc: .shortdesc} {:script: data-hd-video='script'} {:support: data-reuse='support'} {:table: .aria-labeledby="caption"} {:troubleshoot: data-hd-content-type='troubleshoot'} {:help: data-hd-content-type='help'} {:tsCauses: .tsCauses} {:tsResolve: .tsResolve} {:tsSymptoms: .tsSymptoms} {:java: .ph data-hd-programlang='java'} {:javascript: .ph data-hd-programlang='javascript'} {:swift: .ph data-hd-programlang='swift'} {:curl: .ph data-hd-programlang='curl'} {:video: .video} {:step: data-tutorial-type='step'} {:tutorial: data-hd-content-type='tutorial'} {:ui: .ph data-hd-interface='ui'} {:cli: .ph data-hd-interface='cli'} {:api: .ph data-hd-interface='api'} {:release-note: data-hd-content-type='release-note'}
{: #mobile-apps}
With {{site.data.keyword.appid_full}}, you can quickly construct an authentication layer for your native or hybrid mobile app. {: shortdesc}
{: #understanding-mobile}
A mobile flow is useful when you are developing an app that is to be installed on a user's device (a native application). By using this flow, you can securely authenticate users on your app to provide personalized user experiences across devices.
{: #mobile-technical-flow}
Since native applications are installed directly on a user's device, private user information and application credentials can be extracted by third-parties with relative ease. By default, these types of applications are known as untrusted clients as they cannot store global credentials or user refresh tokens. As a result, untrusted clients require users to input their credentials every time their access tokens expire.
To convert your application into a trusted client, {{site.data.keyword.appid_short_notm}} uses Dynamic Client Registration{: external}. Before an application instance begins authenticating users, it first registers as an OAuth2 client with {{site.data.keyword.appid_short_notm}}. Because of client registration, your application receives an installation-specific client ID that can be digitally signed and used to authorize requests with {{site.data.keyword.appid_short_notm}}. Since {{site.data.keyword.appid_short_notm}} stores your application's corresponding public key, it can validate your request signature that allows your application to be viewed as a confidential client. This process minimizes your application's risk of exposing credentials indefinitely and greatly improves the user experience by allowing automatic token refresh.
Following registration, your users authenticate by using either the OAuth2 authorization code or resource owner password authorization grant{: external} flows to authenticate users.
{: #mobile-dynamic}
- A user triggers a request by the client application to the {{site.data.keyword.appid_short_notm}} SDK.
- If your app is not registered as a mobile client yet, the SDK initiates a dynamic registration flow.
- On a successful registration, {{site.data.keyword.appid_short_notm}} returns your installation-specific client ID.
{: #mobile-auth-flow}
{: caption="Figure 1. {{site.data.keyword.appid_short_notm}} mobile request flow" caption-side="bottom"}
- The {{site.data.keyword.appid_short_notm}} SDK starts the authorization process by using the {{site.data.keyword.appid_short_notm}}
/authorizationendpoint. - The login widget is displayed to the user.
- The user authenticates by using one of the configured identity providers.
- {{site.data.keyword.appid_short_notm}} returns an authorization grant.
- The authorization grant is exchanged for access, identity, and refresh tokens from the {{site.data.keyword.appid_short_notm}}
/tokenendpoint.
{: #configuring-mobile}
Get started with the {{site.data.keyword.appid_short_notm}} SDKs. {: shortdesc}
{: #mobile-before-begin}
You need the following information:
-
An {{site.data.keyword.appid_short_notm}} instance
-
Your instance's tenant ID. This can be found in the Service Credentials tab of your service dashboard.
-
Your instance's deployment {{site.data.keyword.cloud_notm}} region. You can find your region by looking at the console.
{{site.data.keyword.cloud_notm}} Region SDK value US South AppID.REGION_US_SOUTHSydney AppID.REGION_SYDNEYUnited Kingdom AppID.REGION_UKGermany AppID.REGION_GERMANY{: caption="Table 1. {{site.data.keyword.cloud_notm}} regions and corresponding SDK values" caption-side="top"}
{: #mobile-android}
Protect your mobile applications by using the {{site.data.keyword.appid_short_notm}} client SDK. {: shortdesc}
{: #mobile-android-before}
You must have the following prerequisites before you can get started:
- API 27 or higher
- Java 8.x
- Android SDK Tools 26.1.1+
- Android SDK Platform Tools 27.0.1+
- Android Build Tools version 27.0.0+
{: #mobile-android-install}
-
Create an Android Studio project or open an existing project.
-
Add the JitPack repository to your root
build.gradlefile.allprojects { repositories { ... maven { url 'https://jitpack.io' } } }
{: codeblock}
-
Find your application's
build.gradlefile. Note: Be sure to open the file for your app, not the projectbuild.gradlefile.-
Add the {{site.data.keyword.appid_short_notm}} client SDK to the dependencies section.
dependencies { compile group: 'com.github.ibm-cloud-security:appid-clientsdk-android:4.+' }
{: codeblock}
-
In the
defaultConfigsection, configure the redirect scheme.defaultConfig { ... manifestPlaceholders = ['appIdRedirectScheme': android.defaultConfig.applicationId] }
{: codeblock}
-
-
Synchronize your project with Gradle. Click Tools > Android > Sync Project with Gradle Files.
{: #mobile-android-initialize}
-
Pass the context, tenant ID, and region parameters to the initialize method to configure the SDK.
A common, though not mandatory, place to put the initialization code is in the
onCreatemethod of the main activity in your Android application. {: tip}AppID.getInstance().initialize(getApplicationContext(), <tenantID>, <region>);
{: codeblock}
{: #mobile-ios}
Protect your mobile applications by using the {{site.data.keyword.appid_short_notm}} client SDK. {: shortdesc}
{: #mobile-ios-before}
You must have the following prerequisites before you get started:
- Xcode 9.0 or higher
- CocoaPods 1.1.0 or higher
- iOS 10.0 or higher
{: #mobile-ios-install}
The {{site.data.keyword.appid_short_notm}} client SDK is distributed with CocoaPods, a dependency manager for Swift and Objective-C Cocoa projects. CocoaPods downloads artifacts, and makes them available to your project.
-
Create an Xcode project or open an existing one.
-
Create a new or open your existing
Podfilein the project's directory. -
Add the
IBMCloudAppIDpod anduse_frameworks!command to your target's dependenciestarget '<yourTarget>' do use_frameworks! pod 'IBMCloudAppID' end
{: codeblock}
-
Install your dependencies from the command line within your project directory.
pod install --repo-update
{: codeblock}
-
After installation, open the
{your app}.xcworkspacefile that contains your Xcode project and your linked dependencies -
Enable keychain sharing in your Xcode project. Navigate to Project Settings > Capabilities > Keychain Sharing and select Enable keychain sharing.
-
Open Project Settings > Info > URL Types, and add a URL Type. Place the following value in both the Identifier and the URL Scheme text boxes.
(PRODUCT_BUNDLE_IDENTIFIER)
{: codeblock}
{: #mobile-ios-initialize}
-
Initialize the client SDK by passing the tenant ID and region parameters to the initialize method.
AppID.sharedInstance.initialize(tenantId: <tenantID>, region: <region>)
{: codeblock}
A common, though not mandatory, place to put the initialization code is in the
application:didFinishLaunchingWithOptionsmethod of the AppDelegate file of your Swift application. {: tip} -
Import the {{site.data.keyword.appid_short_notm}} SDK to your
AppDelegatefile.import IBMCloudAppID{: codeblock}
-
Configure your application to process redirects through {{site.data.keyword.appid_short_notm}}.
func application(_ application: UIApplication, open url: URL, options :[UIApplication.OpenURLOptionsKey : Any]) -> Bool { return AppID.sharedInstance.application(application, open: url, options: options) }
{: codeblock}
{: #mobile-accessing-apis}
After a successful login flow, you can use your access and identity tokens to invoke protected backend resources that use the SDK or a networking library of your choice.
{: #mobile-access-api-swift}
-
Add the following imports to the file in which you want to invoke a protected resource request:
import BMSCore import IBMCloudAppID
{: codeblock}
-
Invoke your protected resource
BMSClient.sharedInstance.initialize(region: <region>) BMSClient.sharedInstance.authorizationManager = AppIDAuthorizationManager(appid: AppID.sharedInstance) let request = Request(url: "{your protected resource url}") request.send { (response: Response?, error: Error?) in guard let response = response, error == null else { print("An error occurred invoking a protected resources", error?.localizedDescription ?? "No response was received") return; } // use your response object })
{: codeblock}
{: #mobile-access-api-android}
-
Add the following imports to the file in which you want to invoke a protected resource request:
import com.ibm.mobilefirstplatform.clientsdk.android.core.api.BMSClient; import com.ibm.cloud.appid.android.api.AppIDAuthorizationManager;
-
Invoke your protected resource
BMSClient bmsClient = BMSClient.getInstance(); bmsClient.initialize(getApplicationContext(), <region>); AppIDAuthorizationManager appIdAuthMgr = new AppIDAuthorizationManager(AppID.getInstance()) bmsClient.setAuthorizationManager(appIdAuthMgr); Request request = new Request("{your protected resource url}", Request.GET); request.send(this, new ResponseListener() { @Override public void onSuccess (Response response) { Log.d("My app", "onSuccess :: " + response.getResponseText()); } @Override public void onFailure (Response response, Throwable t, JSONObject extendedInfo) { if (null != t) { Log.d("My app", "onFailure :: " + t.getMessage()); } else if (null != extendedInfo) { Log.d("My app", "onFailure :: " + extendedInfo.toString()); } else { Log.d("My app", "onFailure :: " + response.getResponseText()); } } });
{: codeblock}
{: #mobile-access-api-nosdk}
With the library of your choice, set your Authorization request header to use the Bearer authentication scheme to transmit the access token.
Example request format:
GET /resource HTTP/1.1
Host: server.example.com
Authorization: Bearer <accessToken> <optionalIdentityToken>{: screen}
{: #mobile-next}
With {{site.data.keyword.appid_short_notm}} installed in your application, you're almost ready to start authenticating users! Try doing one of the following activities next:
- Configure your identity providers
- Customize and configure the Login Widget
- Learn more about the Android SDK{: external}
- Learn more about the iOS Swift SDK{: external}