I am designing a mobile application (Android for now) which depends on a large ecosystem.
One of my main components is the Auth system, and I built it using IdentityServer3.
Now, for a user to log in via the mobile application I use the OAuth2 implicit flow, so I open a server-side web page which takes and validates the user credentials, then generates an id_token and access_token, so I have no idea about the user's password on the client side.
Now, I want to implement another feature which is real-time chatting between users.
I checked a lot of solutions, but every one has a security weakness which may lead the feature into unwanted scenarios.
For Example:
- QuickBlox:
The QuickBlox cloud service (I don't know about the enterprise on-premises one) requires creating a user, then logging in as that user to create a session using username and password.

    import android.os.Bundle;
    import com.quickblox.auth.QBAuth;
    import com.quickblox.auth.model.QBSession;
    import com.quickblox.core.QBEntityCallback;
    import com.quickblox.core.exception.QBResponseException;
    import com.quickblox.users.model.QBUser;

    // Creates a QuickBlox session from the user's own username and password
    QBAuth.createSession(new QBUser("user", "pass"), new QBEntityCallback<QBSession>() {
        @Override
        public void onSuccess(QBSession session, Bundle params) {
            // success: the session is established
        }

        @Override
        public void onError(QBResponseException error) {
            // errors
        }
    });
So it has its own UserStore which is separate from my central Auth service, so I thought about creating a dummy password with a layer of security, like a well-defined password consisting of

    UserName@ServerSideSecretKey

But this is not the way that I should go, as I should depend on my central Auth service and only generate a token, then pass it to QuickBlox to identify my user through my Auth UserInfo endpoint.
Is there something like this which allows me to integrate QuickBlox with my Auth service?
I found this line in the documentation:
It's also possible to initialize the SDK with an existent QuickBlox token. It can be interesting in cases when you build a big system and you have a custom server side which generates QuickBlox tokens:
    import java.util.Date;
    import com.quickblox.auth.QBAuth;
    import com.quickblox.core.exception.BaseServiceException;

    try {
        // the token and its expiration Date (here: "date") are produced by your own server side
        QBAuth.createFromExistentToken("31ed199120fb998dc472aea785a1825809ad5c04", date);
    } catch (BaseServiceException e) {
        e.printStackTrace();
    }

But I don't understand how this will work or how to allow QuickBlox to validate my generated OAuth2 token.
- Firebase:
In Firebase, I know that I can generate JWT tokens, then validate them against my Firebase service, so should I change my IdentityServer token generation behaviour to JWT and then validate it against the Firebase secret key that I applied?
So how can I do that in IdentityServer with the implicit flow? Or is there another solution?
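To illustrate the server-side exchange this question is circling (for both the QuickBlox and the Firebase case): the mobile app sends the access_token it already holds from the implicit flow to a custom backend, the backend resolves it through the IdentityServer UserInfo endpoint, and only then mints a short-lived chat token bound to the resolved user. The code below is an added example, not from the original post, QuickBlox or Firebase. It assumes: an in-memory dictionary stands in for the HTTPS call to the UserInfo endpoint (constructed data); the secret is constructed; and the claim layout (v, iat, exp, d.uid) follows the legacy Firebase custom-token format as this example assumes it, so check it against the Firebase documentation before relying on it. The QuickBlox side would need QuickBlox's own server API to obtain the token that createFromExistentToken consumes, which this example does not cover.

```python
import base64
import hashlib
import hmac
import json
import time
from typing import Callable, Dict, Optional

# Constructed for this example: what the IdentityServer UserInfo endpoint would
# return for a given access_token. In production, replace the lookup with an
# HTTPS GET to the UserInfo endpoint carrying "Authorization: Bearer <token>";
# the endpoint rejects tokens it did not issue, so no password ever reaches here.
FAKE_USERINFO: Dict[str, Dict[str, str]] = {
    "access-token-for-alice": {"sub": "alice-42", "name": "Alice"},
}

# Constructed secret; in production this is the secret shared only with the
# chat backend (for legacy Firebase custom tokens, the Firebase project secret).
CHAT_SECRET = b"constructed-secret-do-not-use-in-production"


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def mint_chat_token(uid: str, secret: bytes, now: int, ttl_seconds: int = 3600) -> str:
    """Build an HS256 JWT shaped like a legacy Firebase custom token (assumed layout)."""
    header = {"typ": "JWT", "alg": "HS256"}
    claims = {"v": 0, "iat": now, "exp": now + ttl_seconds, "d": {"uid": uid}}
    signing_input = ".".join(
        _b64url(json.dumps(part, separators=(",", ":"), sort_keys=True).encode())
        for part in (header, claims)
    )
    sig = hmac.new(secret, signing_input.encode(), hashlib.sha256).digest()
    return f"{signing_input}.{_b64url(sig)}"


def verify_chat_token(token: str, secret: bytes, now: int) -> Optional[dict]:
    """Return the claims if the signature and expiry check out, else None."""
    try:
        header_b64, claims_b64, sig_b64 = token.split(".")
        header = json.loads(_b64url_decode(header_b64))
        sig = _b64url_decode(sig_b64)
        claims = json.loads(_b64url_decode(claims_b64))
    except ValueError:  # malformed base64 / JSON / wrong number of segments
        return None
    if header.get("alg") != "HS256":  # refuse alg=none and algorithm confusion
        return None
    expected = hmac.new(secret, f"{header_b64}.{claims_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, sig):
        return None
    if not isinstance(claims.get("exp"), int) or claims["exp"] <= now:
        return None
    return claims


def exchange_token(
    access_token: str,
    userinfo_lookup: Callable[[str], Optional[dict]],
    secret: bytes,
    now: int,
) -> Optional[str]:
    """Server-side exchange: IdentityServer access_token -> chat token.

    The chat token is bound to the 'sub' claim reported by UserInfo, so the
    chat identity can never diverge from the central Auth identity.
    """
    userinfo = userinfo_lookup(access_token)
    if not userinfo or "sub" not in userinfo:
        return None  # unknown or revoked access_token: no chat token
    return mint_chat_token(userinfo["sub"], secret, now)


if __name__ == "__main__":
    now = int(time.time())
    tok = exchange_token("access-token-for-alice", FAKE_USERINFO.get, CHAT_SECRET, now)
    print(tok)
    print(verify_chat_token(tok, CHAT_SECRET, now + 10))
```

The exchange endpoint is the only place that holds CHAT_SECRET; the Android client holds neither a password for the chat system nor the secret, just the access_token from IdentityServer and the resulting chat token.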