Importance of security

Security is important on every platform, and especially so when accessing any form of financial information.

There are many different solutions around identity. In the video below we explore IdentityServer, which is a great option for security on any platform, including mobile.

Working with a solution such as this allows our app not only to be secure, but also gives us an easy way to link the security of our app to the security required to access Moneyhub’s APIs.

Below is a short video that discusses IdentityServer and its use. The video transcript is also available below if you prefer reading to watching.
Introduction to Identity Server Video

The code can be found in the GitHub repo

Video transcript

In this video I’ll demonstrate how we can set up an identity server with user management and show how we can use a mobile app to log into this and call the API.

Apps consume data from APIs, and we need a way to provide security so that only authenticated and authorised users can use an app and the related APIs. We can use OAuth 2.0 to achieve this.

OAuth 2.0 is an authorisation protocol that uses access tokens to secure APIs. I’ll present an open source example implementation of IdentityServer using ASP.NET Core Identity for user management, and then we can look at an example mobile client.

OpenID Connect is built on OAuth 2.0 and is one of the newest authentication protocols. It allows an application to authenticate a user and provide token-based secure access to APIs.

IdentityServer is an open source middleware implementation of OpenID Connect and OAuth 2.0 for ASP.NET Core hosts. IdentityServer is a mature implementation that has transitioned to a commercial product.

IdentityServer is built on .NET technology. It’s open source, and it’s free for development, small companies and charities. It offers single sign-on, API protection, and complete control of workflows with off-the-shelf features built in. It has unlimited hosting options: on-premises, cloud, Windows, Linux, Docker, and Kubernetes. User management via ASP.NET Core Identity is available, and 2FA and MFA support is also available.

Our focus is on creating mobile apps, and these present different challenges from other apps such as browser-based web apps. Mobile apps are considered public clients, so we need to ensure we don’t statically code any IDs or secrets used to access APIs within them. The best practice is to present a login page via a secure browser within the app and use the Proof Key for Code Exchange (PKCE) OAuth flow for mobile apps.

This uses a randomised code challenge rather than a secret. Should you use a third-party API that requires an ID and secret, we recommend wrapping it with your own API that uses PKCE, so the ID and secret stay server side.
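The PKCE mechanics described above, as an added example that is not code from the post or from the Appmilla repo: the app generates a fresh random verifier per login, sends only its SHA-256 challenge in the authorization request, and the token endpoint later recomputes the challenge from the verifier before issuing tokens. The endpoint and redirect URI values are constructed placeholders.

```python
import base64
import hashlib
import hmac
import secrets
from urllib.parse import urlencode

# Constructed values standing in for what the demo's discovery document
# would advertise (assumption, not taken from the post).
AUTHORIZE_ENDPOINT = "https://identityserver.example/connect/authorize"
REDIRECT_URI = "com.example.app:/callback"


def b64url(data: bytes) -> str:
    """Base64url without padding, as RFC 7636 requires."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def make_code_verifier(nbytes: int = 32) -> str:
    """Random verifier (32 bytes -> 43 chars), generated fresh per login."""
    return b64url(secrets.token_bytes(nbytes))


def code_challenge_s256(verifier: str) -> str:
    """S256 transform: BASE64URL(SHA256(ASCII(verifier)))."""
    return b64url(hashlib.sha256(verifier.encode("ascii")).digest())


def build_authorize_url(client_id: str, verifier: str, state: str) -> str:
    """The URL the app's secure browser opens; no client secret is involved."""
    params = {
        "response_type": "code",
        "client_id": client_id,
        "redirect_uri": REDIRECT_URI,
        "scope": "openid profile api",
        "state": state,
        "code_challenge": code_challenge_s256(verifier),
        "code_challenge_method": "S256",
    }
    return f"{AUTHORIZE_ENDPOINT}?{urlencode(params)}"


def server_verifies(stored_challenge: str, presented_verifier: str) -> bool:
    """Token-endpoint check: recompute the challenge from the verifier sent
    with the authorization code and compare in constant time. An intercepted
    code is useless without the verifier, which never left the app."""
    if not 43 <= len(presented_verifier) <= 128:
        return False
    return hmac.compare_digest(code_challenge_s256(presented_verifier), stored_challenge)
```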

The demo I’m going to show you combines IdentityServer version six with a minimal ASP.NET Core Identity setup, providing user registration, login, and lockout functionality.

These pages are Razor Pages, and you can change their content.

There’s a discovery document available that lists all the endpoints, along with information about grant types, scopes, and so on.

We get a login page and also a page to register a new user. Once you’ve logged in, we can see the grants: these are the various grants available for this user, and we can also log out. Having done that on a web page, you can get an example mobile app, and when we log in from the app we’re using a secure browser.

OK we’ve logged in and now I can call the API. This API is just a standard weather forecast API that’s created in Visual Studio by default, but it’s protected with the token.

So that’s a very minimal example, but it shows some of the power of IdentityServer.

I hope you found this demo useful. If you go to Appmilla’s GitHub you can find the repo, which contains the IdentityServer and a number of different clients: the one I showed you, plus some web and console clients, along with some supporting information.

You can read about the next stage of the project where we explain a security architecture allowing a mobile app to access the Moneyhub API here.

If you haven’t already you can read about the background to this project and the initial SDK client library to showcase Moneyhub’s APIs here.

If you are developing a mobile app using Open Banking and would like to discuss how we could support you on the project please get in touch.

Richard Woollcott
