Ionic Framework has become formidable in the realm of mobile computing. Ionic allows an enterpreneur/developer to formulate, develop, test, deploy a product idea quickly and introduce that product into the marketplace faster than the competition.
One of the important features of a mobile application is the capability to share photos, images, and files. The Ionic application must have file transfer capabilities. File transfer involves copying, moving, deleting files from and into the mobile device. Ionic provides this capability by tapping into the Apache Cordova native library.
Cordova is a library that sits between ionic and the mobile platform or device operating system (e.g.: ios, android), and provides access to mobile device specific resources – such as the camera, audio, keyboard, and of course, file access.
Cordova provides these resources as a set of APIs in the form of plugins. Ionic needs to install the native plugins in order to have access to the API provided by the mobile device it runs on.
In the case of file transfer the plugin name Is cordova-plugin-file-transfer. More details are provided in the ionic developer docs site (https://ionicframework.com/docs/native/file-transfer/). Cordova file transfer uses http underneath as the messaging protocol.
So where does oauth2 come into play?
Most mobile applications would have some form of security mechanism provided to ensure the integrity of the communications channel between a mobile application and its backend system, or the providers of the resources to the front-end.
In order for the file transfer service to use this communications channel, it has to conform to the security guidelines provided by the communications channel.
In this case we want file-transfers to occur well within the confines of oauth2 security mechanism, to ensure that files being stored in the servers are not compromised; and there is no security loophole in the way these files are being moved into and out of the system.
So how do we incorporate and make file transfers secure using oauth2?
First we need to understand how oauth2 jwt works:
Oauth2
Oauth2 is version 2 of the oauth protocol, it is an authorization framework whereby two parties are guaranteed a secure channel by the authorization server by providing a secure token that the counter party can use to validate the authenticity of the other’s information.
JWT
JWT (JSON Web Tokens) is the token format used by oauth2. A token is a random string generated by the auth. server and is issued to a pre-registered resource user when it is requested at the start of a session or during authentication.
Client Registration
A resource user, or an application client must be registered and recognized by the auth service. The registration process is outside of the definition of oauth2, it only defines the parameters in the request and those to be returned by the auth. server.
Registration is only done once for every application client. The corresponding clientid and client-secret is then used every time the client authenticates to send requests to the resource servers.
ClientId and Secret
A registered resource user, or client is issued a ‘client id’ and a ‘client-secret’. This is then used to authenticate the client at the start of every session, and prior to the auth. service generating the tokens to be used for that session.
Session-less
By the way, oauth is a session-less protocol, this is to contrast with the traditional method whereby 2 entities maintain state after each request, throughout the life of the session.
In oauth, there is no state being maintained, each single request is atomic and is complete by itself. Thus rendering it less vulnerable to common session based security loopholes.
Oauth and session-less communication is also very suitable for micro services based systems, where a resource user will be talking to one or more resource servers at a time.
Tokens
Oauth2 will issue 2 types of tokens every time a jwt token is generated;
Access token is used and added to the http header in the request to the resource server. It has a limited lifetime. The limited lifetime of the token is actually a security mechanism. By constantly issuing new tokens for the lifetime of the session it prevents malicious users from latching on to a token to hijack the session.
Refresh token is used to send a token renewal request to the auth. server when the access token has expired. Thus the session will go unimpeded as long as we are able to send renewal requests and receive a new access token for subsequent client requests.
Java and Spring Security OAuth2 with JWT
You may be wondering why use Java Spring, and not some other framework. I have one micro services project built using java and spring. Java EE has always been the framework of choice when building large scale applications. I always find it faster to implement enterprise services using Java EE. I found it very convenient not having to look far for a security mechanism to incorporate into my application as it is already built in to the framework. It saved me a lot of time adding API security capabilty into my application. Thanks to Spring and it’s enterprise capabilities, you can build fast and focused on business requirements all throughout the implementation stage because the framework already has all the technical infrastructure required to build the system. The development effort was pleasant, and it was all a breeze actually. There should be no room for compromise or experimentation when It comes to implementing large scale systems.
Spring OAuth 2 is an implementation of OAuth2 on top of Spring Security. The authentication mechanism is provided by Spring Security. Illustration below shows the simplified authentication and authorization flow using Spring Security OAuth2 using JWT.
For this topic, I think it will suffice to be able to explain in simple terms how oauth2 jwt works. To dive into more details, there are tons of materials out there that can show the step by step configuration and programming of Spring Security OAuth2 JWT, here’s one link that I highly recommend – http://www.baeldung.com/spring-security-oauth-jwt.
In the next article, we will go through the example steps to incorporate file transfer into the oauth2 jwt. Until then, ciao.