1

I am in process of designing a SaaS application over PaaS (Google App Engine). My SaaS will have two user interfaces:

  • Web Based
  • Mobile App based

Web based would be feature-rich whereas Mobile app would have essential and/or frequently used features.

Mobile app would invoke RESTful services to perform business logic.

This SaaS would target mainly individuals using Mobile Apps; however, there could a use-case wherein these individuals could form a group and operate as a company. So with that in mind, I am considering two entities: Account (Tenant) and User. I am considering having many-to-many relationship between these two entities as one user could be part of multiple Accounts (unlikely but can’t be ruled out) and of course, one account can have multiple users.

I would like to know the best practices for authentication under such scenario:

  • Should I use Google's provided Authentication or should I implement my own authentication? (I am still exploring OAuth and Google's authentication offering.)
  • I think, for web-based interface, username/password over SSL would suffice. But, not sure, can this be applied to mobile app?
  • Can I avoid a situation wherein I have to store credentials in mobile app?

Thanks in advance for any help you can provide on this.

A

user2663512
  • 23
  • 3

1 Answers1

0

Having just completed my first project using Google App Engine, I can say that I ran into alot of the questions that you have. I'll try to explain my approach to each point and also approach it from your perspective as well.

  1. Authentication - Generally using Google's auth would be the easiest route, but you would still have to implement a custom adaptation in order to work with the "company"/"group" concept. Implement in the datastore/whatever database you prefer to use an entity called "Groups" which have a list of google users... this way users can belong to many groups.. then you just search by property (user) to get all groups they belong to. I implemented my own authentication system for unrelated reasons.

  2. Google App Engine comes with SSL/HTTPS support for its own domains. You can add in your own custom domain with SSL support as well. You can use SSL through native apps or mobile web apps additionally. I simply used the native support that came with it.

  3. Yes and no. You will always have to store the credentials somewhere. Maybe it wont be in your apps code/directly connected to your app (Google auth would be an example). But somewhere, on your phone, the credentials WILL reside. They may be encrypted/obfuscated, but they will be there. So either have your user enter them in everytime, or save them/use the ones provided by the phone. For myself, .NET provided a nice way of storing credentials in a secure fashion (non-plain-text) for each user's machine.

Zerkz
  • 686
  • 1
  • 6
  • 25
  • Thanks for the reply which clarifies the authentication in this scenario to a great deal. However, I have a question with respect to RESTful service invocation. How can mobile app securely call a RESTful service? I am considering two legged OAuth but then it would add one more credential to the list, ain't it? what would your suggestion be? Thanks- A. – user2663512 Aug 21 '13 at 19:05
  • I'm not an expert on OAuth (but I assume it has to do with two-factor auth?). Basically, you are going to be using HTTPS. However, its highly looked down upon to leave any sensitive material in the URL for GET requests specifically. One common RESTFUL authentication method seems to be token based, as pointed out here :http://stackoverflow.com/questions/9201755/restful-service-authentication – Zerkz Aug 21 '13 at 20:04