Back-End for Native Mobile Application

Summarize Flow

  1. The native mobile app requests an authentication URL from the backend server (the RP's /auth/login endpoint).

  2. The native mobile app opens the authentication URL in a secure browser authentication session (not an embedded webview), which redirects the user to the sgID server for authorization.

  3. The user authenticates with their Singpass mobile app and consents to share their data with the application.

  4. The sgID server redirects the browser, carrying the authorization code, to a web URL that the mobile app claims through universal links or web links; the app then forwards the code to the backend server's callback URL (/auth/callback).

  5. The backend server exchanges the authorization code for an access token and an ID token, authenticating to sgID with its client ID and client secret.

  6. The backend server uses the access token to obtain the user's encrypted information from the sgID server.

  7. The backend server then establishes an authenticated session for the native mobile app (see Client Authentication Recommendation below).

Complete Flow Diagram

The /auth/login and /auth/callback endpoints are to be developed by the RP, as they serve as the primary communication channel between the RP mobile app and the RP server. The state the server hands out in /auth/login must be checked again in /auth/callback, otherwise an attacker can feed the app a callback URL carrying a code they obtained themselves.
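The following is an added example of the RP server side of steps 1 and 4 to 6 above, implementing the logic behind /auth/login and /auth/callback; it is not code from this page or from the sgID SDKs. The sgID authorize URL, client credentials and redirect URI are assumed placeholders, the HTTP calls to sgID are injected so the example runs offline against a constructed stand-in for the sgID server, and the encrypted user-info payload is returned in plaintext by that stand-in because decryption is outside what the page describes. The point it adds is the handling of the OAuth state parameter: it is unguessable, bound to the login request, single use and time limited, so a replayed or forged callback is rejected before any code is exchanged.

```python
"""RP backend side of the sgID native-app flow: /auth/login and /auth/callback."""
import secrets
import time
from urllib.parse import parse_qs, urlencode, urlparse

# Assumed placeholder values: the real authorize endpoint, client credentials and
# registered redirect URI come from the sgID developer portal, not from this page.
SGID_AUTH_URL = "https://sgid.example/oauth/authorize"
CLIENT_ID = "rp-client-id"
CLIENT_SECRET = "rp-client-secret"
REDIRECT_URI = "https://rp.example/auth/callback"   # the universal/web link the app claims
SCOPE = "openid myinfo.name"


class AuthBackend:
    """Handles steps 1 and 4-6 of the flow. Calls to sgID are injected so the example
    runs offline; in production they are the token and userinfo HTTP requests."""

    def __init__(self, token_exchange, fetch_userinfo, state_ttl=300):
        self._token_exchange = token_exchange    # (code, client_id, client_secret, redirect_uri) -> tokens
        self._fetch_userinfo = fetch_userinfo    # (access_token) -> user info
        self._state_ttl = state_ttl
        self._pending = {}   # state -> expiry; use a shared store across server instances

    def login(self):
        """Step 1: mint a single-use, unguessable state and build the authorization URL."""
        state = secrets.token_urlsafe(32)
        self._pending[state] = time.time() + self._state_ttl
        params = {"response_type": "code", "client_id": CLIENT_ID,
                  "redirect_uri": REDIRECT_URI, "scope": SCOPE, "state": state}
        return SGID_AUTH_URL + "?" + urlencode(params)

    def callback(self, callback_url):
        """Steps 4-6: check the state the app forwarded, exchange the code, fetch user info."""
        query = parse_qs(urlparse(callback_url).query)
        state = query.get("state", [None])[0]
        code = query.get("code", [None])[0]
        if not state or not code:
            raise ValueError("callback is missing code or state")
        expiry = self._pending.pop(state, None)       # pop: a state is accepted once
        if expiry is None or expiry < time.time():
            raise ValueError("unknown, replayed or expired state")
        tokens = self._token_exchange(code, CLIENT_ID, CLIENT_SECRET, REDIRECT_URI)
        # sgID returns the user info encrypted for the RP; decryption is out of scope here.
        return self._fetch_userinfo(tokens["access_token"])


class FakeSgid:
    """Offline stand-in for the sgID server, constructed for this example only."""

    def __init__(self):
        self._codes = {}   # code -> state it was issued for

    def authorize(self, auth_url):
        """Steps 2-4: after Singpass login and consent, redirect back with code and state."""
        q = parse_qs(urlparse(auth_url).query)
        assert q["client_id"] == [CLIENT_ID] and q["redirect_uri"] == [REDIRECT_URI]
        code = secrets.token_urlsafe(16)
        self._codes[code] = q["state"][0]
        return REDIRECT_URI + "?" + urlencode({"code": code, "state": q["state"][0]})

    def exchange(self, code, client_id, client_secret, redirect_uri):
        """Step 5: codes are single use and require the RP's client secret."""
        if self._codes.pop(code, None) is None or client_secret != CLIENT_SECRET:
            raise ValueError("invalid code or client credentials")
        return {"access_token": "at-" + secrets.token_hex(8), "id_token": "id-token-omitted"}

    def userinfo(self, access_token):
        """Step 6 (plaintext here; the real response is encrypted for the RP)."""
        return {"sub": "u=12345", "data": {"myinfo.name": "TAN AH KOW"}}


def run_flow():
    """Happy path plus two rejected callbacks: a replay and a forged state."""
    sgid = FakeSgid()
    backend = AuthBackend(sgid.exchange, sgid.userinfo)
    callback_url = sgid.authorize(backend.login())
    user = backend.callback(callback_url)
    results = {"user": user}
    forged = REDIRECT_URI + "?" + urlencode({"code": "x", "state": "attacker"})
    for name, url in [("replay", callback_url), ("forged", forged)]:
        try:
            backend.callback(url)
            results[name] = "accepted"
        except ValueError as err:
            results[name] = "rejected: " + str(err)
    return results


if __name__ == "__main__":
    print(run_flow())
```

Because the state is popped on first use, the second delivery of the same callback URL fails before the code is ever sent to sgID, and a callback with a state the server never issued fails the same way. The in-memory dict is fine for a single process; a load-balanced deployment needs the pending states in a store every instance can reach.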

Client Authentication Recommendation

Token-based authentication

Token-based authentication is a mechanism where the server creates a JSON Web Token (JWT) once the sgID callback has identified the user (step 7 of the flow). The JWT is returned to the client in the response to the authentication request; the client stores it and includes it in subsequent requests, typically in an Authorization header, and the server verifies the JWT's signature, issuer and expiry on every request to identify the user without further round trips to sgID. On a native mobile app the token should be kept in the platform's secure storage (iOS Keychain, Android Keystore-backed storage) rather than in plain local storage, and it should be issued with a short lifetime so that a leaked token has limited value.
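An added example of the server side of this mechanism, not code from this page or from sgID: issuing an HS256 session JWT after the callback and verifying it on each later request, using only the Python standard library. The issuer name, the demo key and the fixed timestamp are constructed for the example. It demonstrates the checks a practitioner wants on the verify path, which the paragraph does not spell out: an algorithm allowlist (so an `alg: none` or swapped-algorithm token is refused), a constant-time signature comparison, and an expiry check.

```python
"""Session JWTs for the native app: HS256 issue and verify with the standard library only."""
import base64
import hashlib
import hmac
import json
import time

ISSUER = "rp-server"   # assumed name for the RP backend


def _b64url(data):
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(text):
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def issue_session_jwt(key, subject, ttl=900, now=None):
    """Mint a short-lived HS256 JWT after the sgID callback has identified the user."""
    now = int(time.time()) if now is None else now
    header = {"alg": "HS256", "typ": "JWT"}
    claims = {"iss": ISSUER, "sub": subject, "iat": now, "exp": now + ttl}
    signing_input = (_b64url(json.dumps(header, separators=(",", ":")).encode()) + "."
                     + _b64url(json.dumps(claims, separators=(",", ":")).encode()))
    tag = hmac.new(key, signing_input.encode("ascii"), hashlib.sha256).digest()
    return signing_input + "." + _b64url(tag)


def verify_session_jwt(key, token, now=None):
    """Return the claims only if algorithm, signature, issuer and expiry all check out."""
    now = int(time.time()) if now is None else now
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed token")
    header_b64, claims_b64, tag_b64 = parts
    header = json.loads(_b64url_decode(header_b64))
    if header.get("alg") != "HS256":          # allowlist: never honour 'none' or a swapped alg
        raise ValueError("unexpected alg")
    expected = hmac.new(key, (header_b64 + "." + claims_b64).encode("ascii"), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(tag_b64)):   # constant-time compare
        raise ValueError("bad signature")
    claims = json.loads(_b64url_decode(claims_b64))
    if claims.get("iss") != ISSUER:
        raise ValueError("wrong issuer")
    if not isinstance(claims.get("exp"), int) or claims["exp"] <= now:
        raise ValueError("expired")
    return claims


def authenticate_request(key, authorization_header, now=None):
    """What the backend runs on each app request: parse 'Authorization: Bearer <jwt>'."""
    scheme, _, token = authorization_header.partition(" ")
    if scheme != "Bearer" or not token:
        raise ValueError("expected a bearer token")
    return verify_session_jwt(key, token, now)["sub"]


def run_demo():
    """Issue a token, accept it, then reject four malformed or forged variants."""
    key = b"constructed demo key, not for production!"   # use >= 32 random bytes in production
    now = 1_700_000_000                                   # fixed clock so the demo is deterministic
    token = issue_session_jwt(key, "u=12345", ttl=900, now=now)
    results = {"subject": authenticate_request(key, "Bearer " + token, now=now)}
    h, c, t = token.split(".")
    forged_claims = _b64url(json.dumps(
        {"iss": ISSUER, "sub": "u=99999", "iat": now, "exp": now + 900},
        separators=(",", ":")).encode())
    attempts = {
        "tampered": ".".join([h, forged_claims, t]),                 # claims changed, old signature
        "alg_none": ".".join([_b64url(b'{"alg":"none"}'), c, ""]),   # signature stripped
        "wrong_key": issue_session_jwt(b"other key", "u=12345", now=now),
    }
    for name, bad in attempts.items():
        try:
            verify_session_jwt(key, bad, now=now)
            results[name] = "accepted"
        except ValueError as err:
            results[name] = "rejected: " + str(err)
    try:
        verify_session_jwt(key, token, now=now + 901)                # past exp
        results["expired"] = "accepted"
    except ValueError as err:
        results["expired"] = "rejected: " + str(err)
    return results


if __name__ == "__main__":
    print(run_demo())
```

The signing key lives only on the RP server, so the app can neither forge nor inspect tokens beyond their public claims. For a production service consider a maintained JWT library with the same allowlist discipline, and rotate the key through a key identifier (`kid`) rather than a single long-lived secret.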

Best Practices

Secure authentication session through native browser instead of webviews

In traditional mobile app development, developers often use webviews to display web content, including login pages, inside the app. Webviews are a poor fit for authentication: the host app controls the webview, so it can read the page's content, cookies and form fields and inject its own JavaScript. The user therefore has no way to confirm they are really talking to sgID and must trust the app with whatever they enter, and the webview does not share the system browser's session state or security features.

To address these concerns, sgID recommends a secure authentication session through the native browser. This approach opens the authentication URL in a browser-backed session on the device, rather than in a webview within the app. This provides a number of benefits, including:

  1. Stronger security: the system browser validates the TLS certificate, shows the user the address they are on, and isolates the page from the app, so the app never sees the user's credentials or the sgID session. The app only receives the final callback URL carrying the authorization code.

  2. Better user experience: the session can reuse the user's existing browser cookies and settings, and features like autofill and password managers work as they do on the web, so a user already signed in does not have to authenticate again.

  3. Improved compatibility: using the native browser for authentication avoids differences between webview implementations across devices and operating system versions.

To implement this approach, use Custom Tabs on Android and ASWebAuthenticationSession on iOS; both display the sgID pages in a browser-controlled context that the app cannot script and hand the callback URL back to the app. By following this recommendation, you can create a secure and seamless authentication experience for your users.
