Mobile Authentication for iOS Applications - Stormpath 101

Transcript

1. Mobile Authentication for iOS Applications

2. Welcome! • Agenda • Stormpath 101 (5 mins) • Get

   Started with iOS (25 mins) • Q&A (30 mins) • Kaitlyn Barnard Marketing • Edward Jiang iOS Developer Evangelist

3. Speed to Market & Cost Reduction • Complete Identity solution

   out-of-the-box • Security best practices and updates by default • Clean & elegant API/SDKs • Little to code, no maintenance

4. Stormpath User Management User Data User Workflows Google ID Your

   Applications Application SDK Application SDK Application SDK ID Integrations Facebook Active Directory SAML

5. Let’s talk about Authentication

6. None

7. Authentication Proving You Are Who You Say You Are

8. Common Methods of Authentication

9. Basic Authentication

10. Basic Authentication GET /resource HTTP/1.1 Authorization: Basic 3CjvTdI30yoMS1xr3byzuz 3CjvTdI30yoMS1xr3byzuz =

    Base64(“username:password”)

11. Session Authentication Username Password SessionID edjiang TxGA2UwvQ9qFTyzK 4zyCMdpxbtPXWgC8 demouser 5uGGNsn253UZRpbU

    kRqVCcqmwgEhkaH9

12. Server-Based Authentication • Easy to use and implement • Auth

    details are sent on every request • Auth details do not expire • Hard to scale, as verifying a request needs access to central database

13. OAuth 2 Token Authentication

14. OAuth 2 Token Authentication POST /oauth/token HTTP/1.1 Content-Type: application/x-www-form-urlencoded grant_type=password&

    username=username& password=password { "access_token": “eyJqdGkiOiI2UUxkc0xKeFlIZnU4M2…”, "refresh_token": “eyJqdGkiOiI2UUxkc0h6c2RoTXZWRV…”, "token_type": "Bearer", "expires_in": 3600 }

15. OAuth 2 Token Authentication GET /me HTTP/1.1 Authorization: Bearer eyJqdGkiOiI2UUxkc0xKeI…

    { "email": "[email protected]", "givenName": "Edward", "surname": "Jiang", "fullName": "Edward Jiang”, }

16. What is this token? eyJqdGkiOiI2UUxkc0xKeFa…

17. Header eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXV CJ9. { "typ": "JWT", "alg": "HS256" } It’s

    a JSON Web Token! Body eyJpc3MiOiJodHRwczovL2V4YW1wbGU uY29tIiwic3ViIjoidXNlcm5hbWUiLCJuYm YiOjE0NjIzMDcyNTgsImV4cCI6MTQ2Mj MxMDg1OCwiaWF0IjoxNDYyMzA3MjU4 fQ. Signature XcRsBv9qQUgmZwXmEyb1sa1M2GvIepy5r DKR5WmEpn0 HS256(header + “.” + body, signingKey) { "iss": "https://example.com", "sub": "username", "nbf": 1462307258, "exp": 1462310858, "iat": 1462307258 }

18. Token Authentication • More Secure o Auth details are sent

    on every request, BUT! o Auth token expires • Easy to scale, as servers can verify a token with the signing key • Extensible o Scale across multiple backend services o Can embed information in the JSON

19. LET’S LOOK AT SOME CODE!

20. iOS Resources • Stormpath Launches Mobile Support https://stormpath.com/blog/stormpath-mobile-support-ios-android/ • Tutorial:

    Build an iOS Application with Stormpath https://stormpath.com/blog/build-note-taking-app-swift-ios • Stormpath iOS SDK https://github.com/stormpath/stormpath-sdk-ios • iOS Example Application https://github.com/stormpath/stormpath-ios-notes-example

21. QUESTIONS?

22. THANK YOU