3-Legged OAuth for Non-Web Clients

OAuth 2.0 is an awesome standard. It has made it much easier to discuss standard security flows, uses gloriously simple REST APIs and provides a very robust mechanism by which to provide third-party authorisation. Unfortunately, while the third party authorisation mechanisms are great for web clients, the fact that they rely upon browser redirects or collecting credentials in order to use the Resource Owner Password flow make them less awesome for third parties who are delivering API-driven experiences via mobile apps or smart devices.

In this scenario, we are looking for a mechanism by which we can provide informed consent to resource owners; doesn’t risk exposing user credentials to third parties; and can be API-driven for the third-party, not relying upon browser behaviour. In this post we will explore an approach that checks all of these boxes, something that I have called an ‘Out-of-band Consent’, in which credentials and consent are handled through a process which is entirely removed from the third-party requesting application.

Continue reading “3-Legged OAuth for Non-Web Clients”

Using Mobile Cloud Service to Design and Mock APIs

In this post we will explore utilising Mobile Cloud Service (MCS), which provides RAML based tooling, in order to define an API, and create mock services for that API which we can run anywhere. While Mobile Cloud Service provides a wide array of incredibly useful tools for rolling out APIs, and simplifying a number of common mobile development tasks; in this post I am going to focus exclusively on the API design tooling which far outstrips pretty much every other API design tool I have played with.

Continue reading “Using Mobile Cloud Service to Design and Mock APIs”