Identity Management

The BBM Enterprise SDK does not manage user identities or contact relationships for the application. The user "accounts" within the BBM Enterprise SDK represent users only within the SDK. Applications can re-use their existing user accounts and social network by associating application accounts to BBM Enterprise SDK accounts.

Each SDK application is expected to be already using an identity provider supporting OAuth and OpenID Connect. The BBM Enterprise SDK integrates with the identity provider to authenticate and associate users.

Authentication Flow

The following diagram illustrates the authentication flow.

[Diagram: Authentication Flow]

After a user completes authentication with an application and its identity provider, the application obtains an OAuth access token from the identity provider and passes it to the BBM Enterprise SDK client and server. The BBM Enterprise SDK server first accesses the Token Info service to validate the client_id of the access token, and then accesses the User Info service to retrieve the user ID. Both endpoints are provided by the application's identity provider. The BBM Enterprise SDK client and server then communicate using an internal token. The process repeats when the internal token expires.

User Info Endpoint

The BBM Enterprise SDK requires the application's identity provider to provide the User Info Web service endpoint as described by the OpenID Connect Specification. The user identity claim from the service response is used as the user ID. The JSON field name of the user identity claim can be configured in the BBM Enterprise SDK to extract the claim from the service response.

Token Info Endpoint

The BBM Enterprise SDK validates that the access tokens provided by the application were generated by the application's OAuth provider specifically for the application: it invokes the OAuth provider's Token Info Web service endpoint to retrieve the client_id of each token and matches it against the client_id configured for the application. BlackBerry recommends following RFC 7662 (OAuth 2.0 Token Introspection), but the SDK can also work with token services that accept an HTTP GET with an access token parameter and return the client ID in a JSON response.
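The two server-side checks described above (Token Info first, then User Info) can be modelled in a few lines. The following is an added example written for this page, not code from the BBM Enterprise SDK or from BlackBerry; the configured client_id, the claim field name and the identity-provider responses are constructed values, and the response shapes follow RFC 7662 for the introspection case and a plain JSON object carrying `client_id` for the GET-style case mentioned in the text.

```python
"""Added example (not BBM Enterprise SDK code): a minimal model of the checks
the page describes. Constructed sample responses stand in for the identity
provider; CONFIGURED_CLIENT_ID and USER_ID_CLAIM are assumptions."""
import json
from typing import Optional, Tuple

# Assumed application-side configuration (constructed values, not from the page).
CONFIGURED_CLIENT_ID = "example-app-client-id"
USER_ID_CLAIM = "sub"   # JSON field name of the identity claim; configurable in the SDK


def validate_token_info(body: str, configured_client_id: str, now: int) -> Tuple[bool, str]:
    """Check a Token Info response: the token must have been issued for *this* application.

    Accepts an RFC 7662 introspection response ("active" flag, optional "exp")
    or the simpler GET-style response the page mentions (a JSON object that
    carries the client ID). Returns (ok, reason).
    """
    try:
        info = json.loads(body)
    except ValueError:
        return False, "token info response is not valid JSON"
    if not isinstance(info, dict):
        return False, "token info response is not a JSON object"
    # RFC 7662: an inactive token is reported as {"active": false}; reject before
    # looking at any other field, since none of them are meaningful then.
    if "active" in info and info["active"] is not True:
        return False, "token is not active"
    if "exp" in info and (not isinstance(info["exp"], int) or info["exp"] <= now):
        return False, "token is expired"
    client_id = info.get("client_id")
    if not isinstance(client_id, str) or client_id != configured_client_id:
        return False, "token was not issued for the configured client_id"
    return True, "ok"


def extract_user_id(body: str, claim_name: str) -> Optional[str]:
    """Pull the configured identity claim out of a User Info response.

    Returns None when the claim is missing, empty, or not a string, so the
    caller never proceeds with an ambiguous user ID.
    """
    try:
        claims = json.loads(body)
    except ValueError:
        return None
    if not isinstance(claims, dict):
        return None
    value = claims.get(claim_name)
    if isinstance(value, str) and value.strip():
        return value
    return None


def authenticate(token_info_body: str, user_info_body: str,
                 configured_client_id: str = CONFIGURED_CLIENT_ID,
                 claim_name: str = USER_ID_CLAIM, now: int = 0) -> Tuple[Optional[str], str]:
    """Run the two steps in the order the page describes: Token Info, then User Info."""
    ok, reason = validate_token_info(token_info_body, configured_client_id, now)
    if not ok:
        return None, reason
    user_id = extract_user_id(user_info_body, claim_name)
    if user_id is None:
        return None, f"user info response lacks a usable '{claim_name}' claim"
    return user_id, "ok"


# Constructed sample responses standing in for the identity provider.
NOW = 1_700_000_000
SAMPLE_TOKEN_INFO = json.dumps({"active": True, "client_id": CONFIGURED_CLIENT_ID,
                                "scope": "openid profile", "exp": 1_700_003_600})
SAMPLE_TOKEN_INFO_OTHER_APP = json.dumps({"active": True, "client_id": "some-other-app",
                                          "exp": 1_700_003_600})
SAMPLE_TOKEN_INFO_INACTIVE = json.dumps({"active": False})
SAMPLE_USER_INFO = json.dumps({"sub": "user-12345", "name": "Example User",
                               "email": "user@example.com"})

if __name__ == "__main__":
    print(authenticate(SAMPLE_TOKEN_INFO, SAMPLE_USER_INFO, now=NOW))
    print(authenticate(SAMPLE_TOKEN_INFO_OTHER_APP, SAMPLE_USER_INFO, now=NOW))
    print(authenticate(SAMPLE_TOKEN_INFO_INACTIVE, SAMPLE_USER_INFO, now=NOW))
```

The order matters: a token that belongs to a different application, or one the provider reports as inactive, is rejected before the User Info service is ever consulted, and a User Info response without the configured claim yields no user ID rather than a guessed one.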

In addition to the service URL, the following configuration items on the Token Info service are used by the BBM Enterprise SDK to invoke the service and process the response.

The BBM Enterprise SDK Sample applications demonstrate how to connect to BBM Enterprise Servers using Google Sign-In.