GDUtility Class
Class containing methods regarding BlackBerry Dynamics Authentication.
Inheritance Hierarchy
System.Object
  GD.GDUtility

Namespace:  GD
Assembly:  GD (in GD.dll) Version: 255.255.255.255
Syntax
public sealed class GDUtility

The GDUtility type exposes the following members.

Constructors
  GDUtility (public method): Initializes a new instance of the GDUtility class
Properties
  AuthTokenResultCallback (public property): Delegate to handle callbacks.
Methods
  Equals (public method): Inherited from Object.
  GetGDAuthToken (public method): Call this method to request a new BlackBerry Dynamics Auth token. Pass the challenge string and server name as parameters.
  GetHashCode (public method): Inherited from Object.
  GetType (public method): Inherited from Object.
  ToString (public method): Inherited from Object.
Remarks

BLACKBERRY DYNAMICS AUTHENTICATION TOKEN MECHANISM

The BlackBerry Dynamics Authentication Token mechanism enables applications to utilize the user identification that takes place during BlackBerry Dynamics authorization processing. This allows the user to be authenticated without the need for entry of any additional credentials at the device. This class includes the specific API for requesting tokens.

The BlackBerry Dynamics platform includes rigorous authentication of the end user. This is used when, for example, identifying whether the user is entitled to run the current application, and when applying security policies.

The BlackBerry Dynamics Authentication Token mechanism enables applications to take advantage of the authentication processes of the BlackBerry Dynamics platform.

BlackBerry Dynamics Auth tokens can be requested by the BlackBerry Dynamics application on the device. A token will only be issued if authorization processing has completed, and the end user's identity has been authenticated.
Once a token has been issued, the application on the device can send the token to the application server at the back end. The BlackBerry Dynamics Auth token can then be checked by the application server, using a verification service provided by the BlackBerry Dynamics infrastructure.

The sequence of APIs used in BlackBerry Dynamics Auth is as follows:
  1. The application calls GetGDAuthToken(String, String) to request a token.
  2. All being well, a token is issued and the OnGDAuthTokenSuccess(String) callback is invoked and passed the new token.
  3. The application sends the token, and the user ID of the end user, to its application server, using an HTTP request, socket, or some other method.
  4. The application server checks that the token is valid by calling the verification service in the BlackBerry Dynamics Authentication Token Server API, hosted by an enterprise BlackBerry Proxy server.
  5. The response from the verification service includes the user ID of the end user, if the token is valid. The application server can check that the value from the verification service is the same as that originally sent by the application.
This sequence validates the end user's identity, and the application server can therefore grant access to resources and other permissions.

The same token could be sent again later, and verified again. Calling the verification service does not cause the token to be consumed.

Note that the application can obtain the user ID of the end user from the GDAppConfigKeyUserId value in the collection returned by the GDWindows::GetApplicationConfig method.

CHALLENGE STRINGS

A challenge string can be passed as a parameter to the BlackBerry Dynamics Auth token request by the application. The same challenge string will then be provided to the application server, in the response from the verification service.

The challenge string could have a number of uses for application developers. A typical usage could be to tie an instance of authentication to a previous access request, as follows:
  1. The application attempts to access a resource on the application server.
  2. The application server generates a random challenge string.
  3. The application server responds to the application with a denial of access message that includes the random challenge string.
  4. The application requests a new BlackBerry Dynamics Auth token, and passes the value from the denial of access message as the challenge string.
  5. The application again attempts to access the resource on the application server, but this time includes the BlackBerry Dynamics Auth token in the request.
  6. The application server sends the token to the verification service, which responds with a challenge string.
  7. The application server checks that the challenge string from the verification service is the same as the random challenge string initially sent to the application in the denial of access message.
In the above, a new random challenge string is generated on every resource access attempt. This has the effect of making the BlackBerry Dynamics Auth tokens one-use. A more advanced algorithm might be to store the token and challenge string in the application server as a session identifier. To end a session, the application server could delete the stored token and challenge string, effectively forcing the application to generate a new token, based on a new challenge string, when it next connects.


The verification service provides the challenge string to the application server in an HTTP header, which limits the character set that can be utilized safely. All letters and numerals that lie in the ASCII range 32 to 126 can be utilized safely. Use of other characters is not supported.
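
An added example, not part of the BlackBerry Dynamics documentation: a Python sketch of the application-server side of the challenge procedure above, combined with the user ID comparison from step 5 of the token sequence. ChallengeStore, is_supported_challenge and the 120-second lifetime are assumptions; verified_user_id and verified_challenge stand for the values returned by the verification service, whose request format this page does not describe.

```python
import hmac
import secrets
import time

CHALLENGE_TTL_SECONDS = 120  # assumed lifetime; the page does not specify one


def is_supported_challenge(value):
    # Conservative reading of the header limit: ASCII letters and numerals only.
    return value.isascii() and value.isalnum()


class ChallengeStore:
    """Challenges this server has issued in denial-of-access responses."""

    def __init__(self, clock=time.monotonic):
        self._pending = {}  # challenge -> expiry time
        self._clock = clock

    def issue(self):
        # token_hex yields only 0-9 and a-f, so the value survives the HTTP
        # header in which the verification service returns it.
        challenge = secrets.token_hex(32)
        self._pending[challenge] = self._clock() + CHALLENGE_TTL_SECONDS
        return challenge

    def check(self, claimed_user_id, verified_user_id, verified_challenge):
        """Decide whether to grant access after the verification call.

        claimed_user_id: user ID the application sent with its token.
        verified_user_id, verified_challenge: values from the verification
        service response (fetching that response is outside this sketch).
        """
        if not is_supported_challenge(verified_challenge):
            return False
        # pop() removes the challenge on first use, making the token one-use.
        expiry = self._pending.pop(verified_challenge, None)
        if expiry is None or self._clock() > expiry:
            return False  # never issued here, already used, or expired
        # Step 5: the ID vouched for by the service must equal the ID claimed.
        return hmac.compare_digest(claimed_user_id.encode(), verified_user_id.encode())
```

Because the verification service does not consume tokens, the one-use property comes entirely from the server discarding each challenge after its first check.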
