The idea behind Vereign mobile app is to provide access to our Dashboard app via WebView and to give ability to 3rd party mobile applications to gain access to our restful-api via Oauth2 protocol. We are using app links to communicate between 3rd Party App, Vereign Auth App and Browser via GET protocol.
# Theory
- https://tools.ietf.org/html/rfc8252 (This is best current practice proposed by Google for mobile base authentication)
# Security Concerns
App links usually creates internal "Internet" network in the User Device, but still apps can not use https for communication, which could lead to lack of authenticity and privacy in that communication. IETF suggests to have random generated token sent to Oauth2 server and secret keys to be stored in 3rd Party App server.
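Review bot: The "Security Concerns" paragraph in this hunk misstates what RFC 8252 recommends and should be corrected before the design is built on it. RFC 8252 (IETF BCP 212, not a Google proposal, though Google engineers co-authored it) treats native apps as public clients that cannot keep a client secret; its mitigation for the unauthenticated redirect back to the app is PKCE (RFC 7636), a per-request random code_verifier whose hash is sent with the authorization request, plus the `state` parameter. That is what "random generated token sent to Oauth2 server" should name explicitly, and "secret keys to be stored in 3rd Party App server" should be reworded to say that a backend may act as the confidential client, not that the mobile app holds a secret. Two further points on the same lines: "via GET protocol" should read "via HTTP GET", and the README should say whether the app links are verified (Android App Links / iOS Universal Links) rather than plain custom URI schemes, since an unverified scheme can be claimed by another app on the device, which is the actual authenticity problem the paragraph is trying to describe.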
...
...
@@ -10,9 +13,6 @@ App links usually creates internal "Internet" network in the User Device, but st
Better approach is to use Public(Certificates)/Private keys encryption scheme where private keys are stored in both Vereign and 3rd Party App servers. Vereign Auth App generates Symmetric Key for every auth request coming from 3rd Party App and encrypts the Symmetric Key with Vereign Server Certificate. Later Vereign server will decrypt 3rd Party App Return Link and will encrypt it with the Symmetric Key generated by Vereign App. Access and Refresh Tokens will be encrypted with 3rd Party App Server certificate.
# Theory
- https://tools.ietf.org/html/rfc8252 (This is best current practice proposed by Google for mobile base authentication)
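Review bot: The "Better approach" paragraph in this hunk has a key-management error: "private keys are stored in both Vereign and 3rd Party App servers" should read that each server holds only its own private key (Vereign's private key only on the Vereign server, the 3rd Party App's only on its server), otherwise the Vereign server certificate used to wrap the per-request symmetric key gives no confidentiality against the other party. The scheme as written also provides encryption only: nothing binds the 3rd Party App Return Link, the symmetric key and the issued Access and Refresh Tokens to the original auth request, so a substituted return link or a replayed wrapped key would not be detected. Suggest adding a signature or MAC over the request (and a nonce/state value) alongside the encryption, and stating which party verifies it. Removing the duplicate "# Theory" heading and RFC 8252 link from the bottom of the file is fine since the same section now appears at the top.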