Join Stormpath Developer Evangelist Edward Jiang to learn more about the common ways developers authenticate users in their mobile apps, what to watch out for when building your backend API and mobile apps, and how to integrate a secure user datastore to manage your users and authentication.
3. DEVELOPER TOOLS FOR AUTHENTICATION
• Stormpath — Authentication as a Service
• Web Framework Integrations — Authentication in your web framework of choice
• Apache Shiro — Java security framework
• JWTK — JWT libraries for JavaScript & Java
• Simplicity — Easy social login for iOS
• Turnstile — Authentication framework for server-side Swift
5. AUTHENTICATION
HOW DOES IT WORK?
6. AUTHENTICATION
IT’S ABOUT PROVING THAT YOU ARE WHO YOU SAY YOU ARE
7. BASIC AUTHENTICATION
GET / HTTP/1.1
Authorization: Basic Base64(username:password)
• Easy and convenient, but the weakest option: the header is only Base64-encoded, not encrypted, so anyone who can read the request (no TLS, a logging proxy) has the password
• Username / password need to be stored on the device
• Username / password are sent on every request, so every request is another chance to leak them
8. TOKENIZATION
“myusername” and “mypassword” becomes “rCsspweTxMtz2sypA0PLGns6fkCA”
• The username/password never has to be stored on the device, so it cannot be stolen from it
• Device credentials can be revoked independently of the username/password (lose the phone, revoke its token, keep the password)
9. COOKIE AUTHENTICATION
GET / HTTP/1.1
Cookie: sessionId=rCsspweTxMtz2sypA0PLGns6fkCA
• Convenient: the server sets a cookie, and the HTTP client automatically sends it with every request
• Server-side logic for authentication can be shared between mobile and web
• Downside: session state lives implicitly on the server and is hard to reason about; and because the client sends the cookie automatically, web clients also need CSRF protection
10. BEARER AUTHENTICATION
GET / HTTP/1.1
Authorization: Bearer rCsspweTxMtz2sypA0PLGns6fkCA
• Slightly more complicated: you need to write a login endpoint, and a token format the client understands
• Need to deal with storing the token (use the iOS Keychain; on Android, private-mode SharedPreferences or, better, a key held in the Android Keystore)
• But full control over token lifetime, scope and revocation. Preferred method
11. STATELESS TOKENS
• Used at scale in larger APIs
• Self-contained: the token carries its own claims and signature, unlike “dumb” / opaque tokens that are only a lookup key
• Can be validated easily without a round trip to a central database
• Harder to use properly: signature, algorithm, expiry and issuer must all be checked, and revoking a token before it expires needs extra machinery (short lifetimes, a blocklist)
13. STORMPATH MOBILE SDKS
• Uses the Stormpath API to authenticate users & validate their identity
• Authenticate to your APIs with Bearer Authentication
• Use JWTs for scalability
15. FINISHED RESULT
• GitHub: https://github.com/stormpath/stormpath-ios-example
• Review this tutorial: https://stormpath.com/blog/build-note-taking-app-swift-ios
16. WHAT NEXT?
• Try the Android counterpart: https://stormpath.com/blog/build-user-authentication-for-android-app
• Learn how to build a REST API for mobile: https://stormpath.com/blog/tutorial-build-rest-api-mobile-apps-using-node-js
• Talk to us! Email support@stormpath.com, or edward@stormpath.com
• Follow us @EdwardStarcraft and @goStormpath on Twitter