MobileAuthenticationforiOSApplications

Welcome!

• Agenda• Stormpath 101 (5 mins)

• Get Started with iOS (25 mins)

• Q&A (30 mins)

• Kaitlyn BarnardMarketing

• Edward JiangiOS Developer Evangelist

Speed to Market & Cost Reduction

• Complete Identity solution out-of-the-box

• Security best practices and updates by default

• Clean & elegant API/SDKs

• Little to code, no maintenance

Stormpath User Management

UserData

UserWorkflows Google ID

YourApplicationsApplication SDK

Application SDK

Application SDK

IDIntegrations

Facebook

ActiveDirectory

SAML

Let’stalkaboutAuthentication

AuthenticationProving You Are Who You Say You Are

CommonMethodsofAuthentication

Basic Authentication

Basic Authentication

GET /resource HTTP/1.1

Authorization: Basic 3CjvTdI30yoMS1xr3byzuz

3CjvTdI30yoMS1xr3byzuz =

Base64(“username:password”)

Session Authentication

Username Password SessionID

edjiang TxGA2UwvQ9qFTyzK 4zyCMdpxbtPXWgC8

demouser 5uGGNsn253UZRpbU kRqVCcqmwgEhkaH9

Server-Based Authentication

• Easy to use and implement

• Auth details are sent on every request

• Auth details do not expire

• Hard to scale, as verifying a request needs access to

central database

OAuth 2TokenAuthentication

OAuth 2 Token Authentication

POST /oauth/token HTTP/1.1Content-Type: application/x-www-form-urlencoded

grant_type=password&username=username&password=password

{"access_token": “eyJqdGkiOiI2UUxkc0xKeFlIZnU4M2…”,"refresh_token": “eyJqdGkiOiI2UUxkc0h6c2RoTXZWRV…”,"token_type": "Bearer","expires_in": 3600

}

OAuth 2 Token Authentication

GET /me HTTP/1.1

Authorization: Bearer eyJqdGkiOiI2UUxkc0xKeI…

{

"email": "edward@stormpath.com",

"givenName": "Edward",

"surname": "Jiang",

"fullName": "Edward Jiang”,

}

What is this token?eyJqdGkiOiI2UUxkc0xKeFa…

HeadereyJhbGciOiJIUzI1NiIsInR5cCI6IkpXV

CJ9.

{"typ": "JWT","alg": "HS256"

}

It’s a JSON Web Token!

BodyeyJpc3MiOiJodHRwczovL2V4YW1wbGUuY29tIiwic3ViIjoidXNlcm5hbWUiLCJuYmYiOjE0NjIzMDcyNTgsImV4cCI6MTQ2MjMxMDg1OCwiaWF0IjoxNDYyMzA3MjU4fQ.

SignatureXcRsBv9qQUgmZwXmEyb1sa1M2GvIepy5rDKR5WmEpn0

HS256(header + “.” + body, signingKey)

{"iss":

"https://example.com","sub": "username","nbf": 1462307258,"exp": 1462310858,"iat": 1462307258

}

Token Authentication

• More Secure

o Auth details are sent on every request, BUT!

o Auth token expires

• Easy to scale, as servers can verify a token with the signing

key

• Extensible

o Scale across multiple backend services

o Can embed information in the JSON

LET’S LOOK AT SOME CODE!

iOS Resources

• Stormpath Launches Mobile Support https://stormpath.com/blog/stormpath-mobile-support-ios-android/

• Tutorial: Build an iOS Application with Stormpathhttps://stormpath.com/blog/build-note-taking-app-swift-ios

• Stormpath iOS SDKhttps://github.com/stormpath/stormpath-sdk-ios

• iOS Example Application https://github.com/stormpath/stormpath-ios-notes-example

QUESTIONS?

THANK YOU