Mobile User Authentication with On-Premise LDAP Server / Social Login using IBM Mobile Foundation
This code pattern shows how developers can leverage IBM Mobile Foundation service to implement following user authentication mechanisms:
- Enterprise login by connecting to on-premise LDAP server using Secure Gateway.
- Social login such as Google login and Facebook login.
Cloud, Mobile
User authentication is a fundamental requirement in almost all enterprise mobile apps. For internal mobile apps, such as those related to payroll, leave and business travel booking, organizations want to leverage single sign-on by authenticating users against their on-premise LDAP server. For apps targeted at end users where no enterprise data is exposed, such as an app that lets product users raise service requests, allowing users to authenticate with a social login such as Facebook login or Google login is much easier. In this developer code pattern, we show you how to authenticate users through both social login and enterprise login.
Devipriya Selvarajan , Shikha Maheshwari
https://github.com/IBM/MFP-Auth-LDAP
When developing your enterprise mobile application, authentication and security are the most important features to be addressed. The authentication mechanism for the mobile app could be the enterprise LDAP server and/or social login, which has become a common authentication method in many mobile apps.
This code pattern gives you step by step instructions for developing an Ionic/Cordova based hybrid mobile app that leverages Mobile Foundation service to implement both the login mechanisms in one app.
When you have completed this pattern, you will understand:
- How to achieve user authentication in mobile apps where the user repository is an enterprise LDAP server.
- How to achieve user authentication in mobile apps using Social login mechanisms like Google or Facebook.
- How to write MFP adapters that fetch data from Cloud Object Storage service and Cloudant service.
- How to capture the user's geo-location and an image from the camera, and show them in Google Maps.
The diagram above illustrates the login flow (here described with Google but also relevant to Facebook or other social providers). The diagram shows that the trigger to call social providers is initiated by the client.
- User launches the mobile app, and clicks on 'Google Sign In' button in the login screen.
- The Google Android SDK calls the Google Sign-In REST service.
- The access token from Google is received and the App calls the login API, with scope social-login and credentials (vendor + token).
- The MFP SDK sends the credentials and scope to the Authorization Server API. The Authorization API calls the mapped security check social-login to validate the credentials.
- The social-login security check validates the Google token with its web client identifier from the security check configuration. The social-login returns the authenticated user to the Authorization Server API.
- The Authorization Server API returns the authenticated user data to the MFP SDK. The MFP SDK calls the handleSuccess method in the challenge handler with the authenticated user data. The MFP SDK calls the login success callback on the app.
- If user authentication succeeds, mobile app proceeds to show the home page. As part of this, it makes a call to MFP adapter to fetch the data from Cloudant NoSQL database. MFP adapter fetches the data from Cloudant and returns it to the mobile app.
- The data fetched from Cloudant will have references to the images stored in Cloud Object Storage. Mobile app makes a call to MFP adapter to get the Authorization token for interacting with Cloud Object Storage service. MFP adapter makes a call to Cloud Object Storage service's token manager endpoint to get the Authorization token and returns it to the mobile app.
- Mobile app initializes image-caching plugin and fetches the images from Object Storage. Mobile app displays the data obtained from MFP adapter as a list of items.
- User clicks on one of the list items to see more details. A detail page is shown consisting of the image and the geo-location marked inside Google Maps.
- In the enterprise LDAP login flow, the user launches the mobile app and clicks on the login button in the login screen.
- Mobile app sends the user credentials to the MFP server for validation. The MFP server invokes the security adapter logic to validate the user credentials.
- In this case, the security check adapter is an LDAP adapter which connects to the on-premise enterprise LDAP server through a Secure Gateway client to validate the user credentials.
- The enterprise LDAP server validates the credentials and sends the response back to the MFP server through the secure gateway client.
- The MFP server returns the authenticated user data to the MFP SDK. The MFP SDK calls the handleSuccess method in the challenge handler with the authenticated user data. The MFP SDK calls login success callback on the app.
- If user authentication succeeds, mobile app proceeds to show the home page. As part of this, it makes a call to MFP adapter to fetch the data from Cloudant NoSQL database. MFP adapter fetches the data from Cloudant and returns it to the mobile app.
- The data fetched from Cloudant will have references to the images stored in Cloud Object Storage. Mobile app makes a call to MFP adapter to get the Authorization token for interacting with Cloud Object Storage service. MFP adapter makes a call to Cloud Object Storage service's token manager endpoint to get the Authorization token and returns it to the mobile app.
- Mobile app initializes image-caching plugin and fetches the images from Object Storage. Mobile app displays the data obtained from MFP adapter as a list of items.
- User clicks on one of the list items to see more details. A detail page is shown consisting of the image and the geo-location marked inside Google Maps.
- Cloudant NoSQL DB: A fully managed data layer designed for modern web and mobile applications that leverages a flexible JSON schema.
- Cloud Object Storage: A highly scalable cloud storage service, designed for high durability, resiliency and security.
- Mobile Foundation: A scalable mobile access gateway powered by the market-leading IBM Mobile Foundation technology. The service offers a comprehensive set of mobile backend capabilities such as app life cycle, push, analytics, feature toggle, security and authentication, and offline sync.
- Secure Gateway: A quick, easy, and secure solution that provides a persistent connection between on-premises or third party cloud environments and the IBM Cloud.
- Mobile: Systems of engagement are increasingly using mobile technology as the platform for delivery.
This blog is a continuation of part 1 of the series, documented here: https://developer.ibm.com/code/2018/02/08/speeding-development-enterprise-mobile-apps-using-open-source-technologies-cloud-services/. The first code pattern, 'Develop hybrid mobile app with cloud-native back end', helps you develop a hybrid app that securely connects to Cloudant NoSQL DB and IBM Cloud Object Storage services via the IBM Mobile Foundation service. In Part 2, we extend the functionality of the base pattern to show how the application can be secured through an enterprise LDAP server or social login using the MobileFirst Foundation security framework.
MobileFirst Foundation security framework is based on the OAuth 2.0 protocol, as defined in the OAuth Specification. According to this protocol, a resource can be protected by a scope that defines the required permissions for accessing the resource. To access a protected resource, the client must provide a matching access token, which encapsulates the scope of the authorization that is granted to the client.
The MobileFirst security framework maps scope elements into security checks, which implement the actual authorization logic. A security check is a server-side entity that implements the security logic for protecting server-side application resources. A simple example of a security check is a user-login security check that receives the credentials of a user and verifies the credentials against a user registry.
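To make the scope/security-check relationship concrete, here is an added JavaScript model (not code from the IBM code pattern or from the MobileFirst SDK, whose security checks are Java classes and whose access tokens are real OAuth tokens). It mirrors the two flows above: a `social-login` check that validates a Google ID token's claims against the web client identifier from its configuration, and a `user-login` check standing in for the LDAP adapter. The authorization step grants a token only when every security check mapped from the requested scope succeeds, and a protected resource accepts the token only if it is unexpired and covers the resource's scope. The configuration values, the in-memory user registry, the token shape and the claim checks are all constructed assumptions; in particular, the model assumes the ID token's signature has already been verified by the vendor SDK or a JOSE library, and only checks issuer, audience and expiry.

```javascript
// Added illustration of scope -> security-check mapping; not the MFP server's own code.

// Constructed configuration a security check would be deployed with.
const SOCIAL_LOGIN_CONFIG = {
  google: { webClientId: "example-client-id.apps.googleusercontent.com" },
};

// social-login check: validates decoded Google ID-token claims.
// Assumption: the signature was verified upstream; we check the claims a
// misconfigured deployment most often gets wrong (issuer, audience, expiry).
function socialLoginCheck(credentials, now = Date.now()) {
  const { vendor, token } = credentials;
  const cfg = SOCIAL_LOGIN_CONFIG[vendor];
  if (!cfg || !token) return null;                                   // unknown vendor / no token
  if (vendor !== "google") return null;                              // only Google modelled here
  const trustedIssuers = ["https://accounts.google.com", "accounts.google.com"];
  if (!trustedIssuers.includes(token.iss)) return null;              // not issued by Google
  if (token.aud !== cfg.webClientId) return null;                    // minted for a different app
  if (typeof token.exp !== "number" || token.exp * 1000 <= now) return null; // expired
  return { id: `google:${token.sub}`, displayName: token.name || token.sub };
}

// user-login check: stand-in for the LDAP adapter; a real check performs an LDAP
// bind through Secure Gateway instead of consulting this constructed map.
const USER_REGISTRY = new Map([["alice", "correct horse"], ["bob", "hunter2"]]);
function userLoginCheck(credentials) {
  const { username, password } = credentials;
  if (!USER_REGISTRY.has(username)) return null;
  return USER_REGISTRY.get(username) === password
    ? { id: `ldap:${username}`, displayName: username }
    : null;
}

// Scope element -> security check (the server-side mapping the text describes).
const SECURITY_CHECKS = { "social-login": socialLoginCheck, "user-login": userLoginCheck };

// Authorization server: issue an access token only if every check in the scope passes.
function login(requestedScope, credentialsByCheck, now = Date.now(), ttlMs = 3600 * 1000) {
  let user = null;
  for (const element of requestedScope) {
    const check = SECURITY_CHECKS[element];
    if (!check) return null;                                         // unknown scope: refuse
    const result = check(credentialsByCheck[element] || {}, now);
    if (!result) return null;                                        // any failed check denies
    user = user || result;
  }
  return { scope: [...requestedScope], user, expiresAt: now + ttlMs };
}

// Protected resource: the token must be unexpired and cover every required scope element.
function isAuthorized(accessToken, resourceScope, now = Date.now()) {
  if (!accessToken || accessToken.expiresAt <= now) return false;
  return resourceScope.every((element) => accessToken.scope.includes(element));
}

// Stand-alone demonstration with constructed claims.
if (typeof require !== "undefined" && require.main === module) {
  const now = 1700000000000;
  const claims = { iss: "https://accounts.google.com", aud: SOCIAL_LOGIN_CONFIG.google.webClientId,
                   sub: "1234", name: "Alice", exp: 1700000000 + 3600 };
  const token = login(["social-login"], { "social-login": { vendor: "google", token: claims } }, now);
  console.log("granted:", token && token.scope, "cloudant allowed:", isAuthorized(token, ["social-login"], now));
}

module.exports = { socialLoginCheck, userLoginCheck, login, isAuthorized, SOCIAL_LOGIN_CONFIG };
```

The audience check is the step the text refers to when it says the security check validates the Google token "with its web client identifier": a token issued to a different client application must be rejected even though it is a perfectly valid Google token. Scope elements combine with AND semantics, so a resource protected by `["social-login", "user-login"]` requires a token granted after both checks passed.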
This code pattern shows how developers can leverage the IBM Mobile Foundation service to implement user credential verification using:
- An enterprise LDAP registry.
- Social login such as Google login and Facebook login.
For more information on how Mobile Foundation works with enterprise LDAP please refer to https://mobilefirstplatform.ibmcloud.com/blog/2016/07/17/connecting-to-LDAP-with-ibm-mobilefirst-foundation/
For more information on Social Login authentication with IBM Mobilefirst Foundation please refer to https://mobilefirstplatform.ibmcloud.com/blog/2016/04/06/social-login-with-ibm-mobilefirst-platform-foundation/