Ecosyste.ms: Awesome


https://github.com/approov/appauth-oauth2-approov

Strengthens OAuth2 authorization by using mobile app attestation

api-security approov approov-mobile-quickstart mobile mobile-security




README


## Strengthening OAuth2 for Mobile Clients

[OAuth2](https://oauth.net/2/), often combined with
[OpenID-Connect](http://openid.net/connect/), is a popular authorization
framework that enables applications to protect resources from unauthorized access.
It delegates user authentication to an authorization service, which then authorizes
third-party applications to access the protected resources on the user’s behalf. OAuth2
provides authorization flows for both web and mobile applications.

OAuth2's most popular flow is the authorization code grant, which is used to grant
confidential clients access to protected resources. Clients use a `client_id` to identify
themselves and a `client_secret` to authenticate themselves to the authorization service.

Unfortunately, native mobile clients are not good at keeping static secrets: anything
embedded in a distributed app binary can be extracted. Since a public client's secret is
no secret at all, many identity and authorization service providers simply drop the client
secret for mobile clients. Either way, without proper client authentication, the OAuth2 flow
is exposed to authorization code exchange attacks and/or client app impersonation.

A dynamic app authentication service such as [Approov](https://www.approov.io/demo-reg.html),
which is used at no cost in this demo, can reintroduce confidential client
authentication into the mobile client OAuth2 flow: the code exchange is only completed for
an app instance that has passed attestation.

### AppAuth

[AppAuth](https://appauth.io/) is an open source SDK for native Android and iOS
apps which implements best-practice [OAuth2](https://tools.ietf.org/html/rfc6749)
and [OpenID-Connect](http://openid.net/specs/openid-connect-core-1_0.html) (OIDC)
specifications in a platform friendly manner.

The SDK follows [OAuth 2.0 for Native Apps](https://tools.ietf.org/html/draft-ietf-oauth-native-apps) best practices,
including the [PKCE](https://tools.ietf.org/html/rfc7636) extension and custom
tab browsers. The library provides hooks to further extend the protocol beyond
the basic flow.

As an open source project, [AppAuth](https://appauth.io/) has GitHub
repositories for [Android](https://github.com/openid/AppAuth-Android) and
[iOS](https://github.com/openid/AppAuth-iOS) which include good documentation, a
demo app, and integration with multiple authorization services.

### Getting Started

A sample app, implemented in Android, provides a concrete example using AppAuth
and Approov to authorize access to private resources. The Books App uses the Google Books
API and *Google* Sign-In services to search for books (protected by API key) and
show a signed-in user’s favorite book selections (protected by OAuth2).
The app was developed on Android to
further explore AppAuth SDK usage with a common application architecture and
support libraries.

An OAuth2 adapter, implemented in Node.js, adds Approov app authentication to the existing
Google OAuth2 authorization code grant flow.

To follow along, start by cloning the AppAuth-OAuth2-Approov project on GitHub available at
[github.com/approov](https://github.com/approov). It requires some
configuration, so it will not run out of the box. At a minimum, you will need to
provide a keystore, Google API key, and Google OAuth2 credentials.

See the article **Strengthening OAuth2 for Mobile** at the [Approov blog](https://approov.io/blog) or on [Medium](https://medium.com/@skiph)
for instructions on how to get the app and adapter service running.