Mobile Authentication for iOS Applications - Stormpath 101
Welcome!
Agenda
• Stormpath 101 (5 mins)
• Get Started with iOS (25 mins)
• Q&A (30 mins)
• Kaitlyn Barnard, Marketing
• Edward Jiang, iOS Developer Evangelist
Speed to Market & Cost Reduction
• Complete Identity solution out-of-the-box
• Security best practices and updates by default
• Clean & elegant API/SDKs
• Little to code, no maintenance
Stormpath User Management
[Diagram labels: User Data, User Workflows, Your Applications, Application SDK, ID Integrations, Google ID, Active Directory, SAML]
Let’s talk about Authentication
Authentication: Proving You Are Who You Say You Are
Common Methods of Authentication
Basic Authentication
GET /resource HTTP/1.1
Authorization: Basic 3CjvTdI30yoMS1xr3byzuz
3CjvTdI30yoMS1xr3byzuz = Base64("username:password")
Session Authentication
Username    Password            SessionID
edjiang     TxGA2UwvQ9qFTyzK    4zyCMdpxbtPXWgC8
demouser    5uGGNsn253UZRpbU    kRqVCcqmwgEhkaH9
Server-Based Authentication
• Easy to use and implement
• Auth details are sent on every request
• Auth details do not expire
• Hard to scale, as verifying a request needs access to a central database
OAuth 2 Token Authentication
POST /oauth/token HTTP/1.1
Content-Type: application/x-www-form-urlencoded

grant_type=password&username=username&password=password

{
  "access_token": "eyJqdGkiOiI2UUxkc0xKeFlIZnU4M2…",
  "refresh_token": "eyJqdGkiOiI2UUxkc0h6c2RoTXZWRV…",
  "token_type": "Bearer",
  "expires_in": 3600
}
OAuth 2 Token Authentication
GET /me HTTP/1.1
Authorization: Bearer eyJqdGkiOiI2UUxkc0xKeI…
{
  "email": "[email protected]",
  "givenName": "Edward",
  "surname": "Jiang",
  "fullName": "Edward Jiang"
}
What is this token?
eyJqdGkiOiI2UUxkc0xKeFa…
It’s a JSON Web Token!
Header
eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.
{
  "typ": "JWT",
  "alg": "HS256"
}
Body
eyJpc3MiOiJodHRwczovL2V4YW1wbGUuY29tIiwic3ViIjoidXNlcm5hbWUiLCJuYmYiOjE0NjIzMDcyNTgsImV4cCI6MTQ2MjMxMDg1OCwiaWF0IjoxNDYyMzA3MjU4fQ.
{
  "iss": "https://example.com",
  "sub": "username",
  "nbf": 1462307258,
  "exp": 1462310858,
  "iat": 1462307258
}
Signature
XcRsBv9qQUgmZwXmEyb1sa1M2GvIepy5rDKR5WmEpn0
HS256(header + "." + body, signingKey)
Token Authentication
• More Secure
o Auth details are sent on every request, BUT!
o Auth token expires
• Easy to scale, as servers can verify a token with the signing key
• Extensible
o Scale across multiple backend services
o Can embed information in the JSON
LET’S LOOK AT SOME CODE!
iOS Resources
• Stormpath Launches Mobile Support: https://stormpath.com/blog/stormpath-mobile-support-ios-android/
• Tutorial: Build an iOS Application with Stormpath: https://stormpath.com/blog/build-note-taking-app-swift-ios
• Stormpath iOS SDK: https://github.com/stormpath/stormpath-sdk-ios
• iOS Example Application: https://github.com/stormpath/stormpath-ios-notes-example
QUESTIONS?
THANK YOU