Improving the Mobile Federation Sign-In Experience
Session Topic: Improving the Mobile Federation Sign-In Experience
Tuesday 1G
Convener: George Fletcher
Notes-taker: George Fletcher
Discussion notes, key understandings, outstanding questions, observations, and, if appropriate to this discussion: action items, next steps:
How to improve the mobile sign-in experience where the mobile app wants to allow users to log in with Facebook or Google, but doesn't want to use the webkit mechanism because it forces the user to re-enter their login-id and password even if they already have the corresponding apps on their mobile device. Basically, we talked about how to use the locally authenticated apps as a mechanism to get a token (already part of the Facebook mobile SDK) and then exchange that token with the mobile app's OAuth2 Authorization Server to get the app an OAuth2 token to use with the app's resource servers.
Maybe a more concrete example will help. ACME has built a mobile finance app with portfolios and other financial management capabilities. ACME provides a set of APIs protected by OAuth2 that the app uses to provide its features. ACME wants to allow Facebook and Google users to sign in to the app with their existing identities.
In this example, if the ACME mobile app gets a token from the local mobile Facebook app, then the mobile app will need to exchange that FB token for an ACME token to use with the ACME OAuth2 protected APIs.
Conclusions:
1. Many people are dealing with this issue
2. All are dealing with it differently, with different levels of security
3. Basic flow is to pass the social token obtained on the device to the OAuth2 AS using a "token exchange" flow
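As an added illustration of the ACME example above and of conclusion 3 (not code from the session or from any real ACME system), the following sketches what the ACME Authorization Server does when the mobile app presents the social token: it asks the social IdP to vouch for the token, checks that the token was actually issued to ACME's own registered app and is not expired, and only then mints a short-lived ACME token for ACME's resource servers. The request parameters follow the RFC 8693 token exchange shape; the IdP verification step, the `urn:acme:...` token type, the signing key and all token values are constructed stand-ins.

```python
import base64, hashlib, hmac, json, time

# Constructed values: ACME's app id as registered with the social IdP, and the AS signing key.
ACME_APP_ID_AT_IDP = "acme-finance-app"
ACME_SIGNING_KEY = b"constructed-signing-key-not-for-production"
TOKEN_EXCHANGE_GRANT = "urn:ietf:params:oauth:grant-type:token-exchange"
SOCIAL_TOKEN_TYPE = "urn:acme:token-type:social"  # assumed value defined by ACME's AS

# Stand-in for asking the social IdP to validate a token (constructed; a real AS calls the
# provider's token verification endpoint). Returns the claims the IdP vouches for, or None.
CONSTRUCTED_IDP_TOKENS = {
    "social-token-ok":      {"app_id": "acme-finance-app", "user_id": "1001", "exp": time.time() + 3600},
    "social-token-other":   {"app_id": "some-other-app",   "user_id": "1001", "exp": time.time() + 3600},
    "social-token-expired": {"app_id": "acme-finance-app", "user_id": "1002", "exp": time.time() - 1},
}

def verify_with_idp(social_token):
    return CONSTRUCTED_IDP_TOKENS.get(social_token)

def mint_acme_token(subject, ttl=900):
    # Short-lived HMAC-signed bearer token for ACME's own resource servers.
    body = json.dumps({"iss": "acme-as", "sub": subject, "exp": int(time.time()) + ttl}).encode()
    sig = hmac.new(ACME_SIGNING_KEY, body, hashlib.sha256).digest()
    return base64.urlsafe_b64encode(body).decode() + "." + base64.urlsafe_b64encode(sig).decode()

def verify_acme_token(token):
    # What an ACME resource server does with the token: check the signature, then expiry.
    try:
        body_b64, sig_b64 = token.split(".")
        body = base64.urlsafe_b64decode(body_b64)
        expected = hmac.new(ACME_SIGNING_KEY, body, hashlib.sha256).digest()
        if not hmac.compare_digest(expected, base64.urlsafe_b64decode(sig_b64)):
            return None
        claims = json.loads(body)
        return claims if claims["exp"] > time.time() else None
    except (ValueError, KeyError):
        return None

def token_exchange(form):
    # AS-side handler for the mobile app's exchange request (RFC 8693-style parameters).
    if form.get("grant_type") != TOKEN_EXCHANGE_GRANT:
        return {"error": "unsupported_grant_type"}
    if form.get("subject_token_type") != SOCIAL_TOKEN_TYPE:
        return {"error": "invalid_request"}
    claims = verify_with_idp(form.get("subject_token", ""))
    # Reject tokens the IdP does not recognise, tokens issued to a different app (a token
    # some other app obtained must not sign the user in to ACME), and expired tokens.
    if claims is None or claims["app_id"] != ACME_APP_ID_AT_IDP or claims["exp"] <= time.time():
        return {"error": "invalid_grant"}
    subject = "social:" + claims["user_id"]  # assumed account-linking rule
    return {"access_token": mint_acme_token(subject), "token_type": "Bearer", "expires_in": 900, "issued_token_type": "urn:ietf:params:oauth:token-type:access_token"}
```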