Friday, December 3, 2021

3rd Party mobile app integrations

In a real-world context there may be a requirement to integrate external (3rd party) mobile apps into a principal app. The principal app contributes its customer base together with its own feature set. See Figure 1.


Figure 1 - 3rd party integrations of mobile apps under one hood.


Identifying the information flow of such an integration is crucial. Token based authentication can be used for it: the auth token is derived from the encrypted mobile number, email account or user account together with the token generation time. See Figure 2.




Figure 2 - Information flow of multiple app integration with a parent mobile app


Each 3rd party app must have its own model of token based authentication. The approach below has been used for high-performance token generation and validation: it avoids session clustering and keeping token status in databases, and it also supports load balancing.


The token is an encrypted string of two parameters (mobile no / email / username, and the token generation time). Every server of the Auth module is deployed with the same encryption key. From these details we can verify that a user's token was generated by the same set of servers, and we can also check the token's expiry time. JWT based authentication is highly suitable for such an implementation, and this model supports Kubernetes / microservice deployments.
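The following is an added example, not code from the original post: a stateless issuer/validator of the kind described in the two paragraphs above, written with the Python standard library only. The token is a JWT in its common signed form (HS256, a shared HMAC key); note that a signed JWT proves origin and integrity but does not hide the identifier, so if the mobile number or email must be confidential the claims would have to be encrypted as well (JWE), which this example does not do. The key, the TTL, the claim names and the sample identifiers are all constructed assumptions.

```python
import base64
import hashlib
import hmac
import json
import time
from typing import Dict, Optional

# Constructed sample key. Assumption: in a real deployment the same key is
# provisioned to every Auth node out of band (e.g. a Kubernetes Secret),
# which is what lets any node validate a token issued by any other node.
SHARED_KEY = b"constructed-example-key-not-for-production"
TOKEN_TTL_SECONDS = 15 * 60  # assumed validity window


def _b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def _sign(signing_input: str, key: bytes) -> bytes:
    return hmac.new(key, signing_input.encode("ascii"), hashlib.sha256).digest()


def issue_token(subject: str, key: bytes, now: Optional[int] = None,
                ttl: int = TOKEN_TTL_SECONDS) -> str:
    """Build an HS256 JWT carrying the user identifier (sub), the generation
    time (iat) and the expiry (exp). Nothing is stored server side."""
    now = int(time.time()) if now is None else now
    header = {"alg": "HS256", "typ": "JWT"}
    payload = {"sub": subject, "iat": now, "exp": now + ttl}
    signing_input = ".".join(
        _b64url_encode(json.dumps(part, separators=(",", ":")).encode("utf-8"))
        for part in (header, payload)
    )
    return signing_input + "." + _b64url_encode(_sign(signing_input, key))


def validate_token(token: str, key: bytes, now: Optional[int] = None) -> Dict[str, object]:
    """Return {"ok", "reason", "claims"}. ok is True only when the signature was
    produced with `key` (so the token came from our Auth cluster) and exp is in
    the future. Every failure path returns a reason instead of raising."""
    now = int(time.time()) if now is None else now
    parts = token.split(".")
    if len(parts) != 3:
        return {"ok": False, "reason": "malformed token", "claims": None}
    header_b64, payload_b64, sig_b64 = parts
    try:
        header = json.loads(_b64url_decode(header_b64))
        signature = _b64url_decode(sig_b64)
    except ValueError:
        return {"ok": False, "reason": "undecodable header or signature", "claims": None}
    # Pin the algorithm: the verifier decides how to verify, never the token.
    if not isinstance(header, dict) or header.get("alg") != "HS256":
        return {"ok": False, "reason": "unexpected alg", "claims": None}
    expected = _sign(header_b64 + "." + payload_b64, key)
    if not hmac.compare_digest(expected, signature):  # constant-time comparison
        return {"ok": False, "reason": "signature mismatch: not issued with our shared key", "claims": None}
    try:
        payload = json.loads(_b64url_decode(payload_b64))
    except ValueError:
        return {"ok": False, "reason": "undecodable payload", "claims": None}
    exp = payload.get("exp") if isinstance(payload, dict) else None
    if not isinstance(exp, int) or now >= exp:
        return {"ok": False, "reason": "expired", "claims": None}
    return {"ok": True, "reason": "ok", "claims": payload}


if __name__ == "__main__":
    # Node A issues, node B (same key, no shared state) validates.
    issued = issue_token("alice@example.com", SHARED_KEY)
    print(validate_token(issued, SHARED_KEY))
    print(validate_token(issued, b"a-key-from-some-other-cluster"))
```

Because validation needs only the shared key and the clock, any number of Auth nodes behind a load balancer can verify each other's tokens without a session store. In practice allow a few seconds of clock leeway between nodes, and rotate the shared key with an overlap window so that tokens issued just before rotation still validate.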


In this approach we basically check whether the token was generated by the same Auth servers. The proposed token based authentication is only for the 3rd party app servers, not for the parent app's customer authentication; customer authentication of the parent app is its own responsibility.


Figure 3 - Deployment of the same encryption key on all nodes


Key considerations during the implementation:

1. The proposed token based authentication is only for the 3rd party app servers, not for the parent app's customer authentication. Customer authentication of the parent app is its own responsibility.

2. Use the parent app's session storage to pass the auth token to the 3rd party Web UI / native UI.

3. Stateless token generation based on the same encryption key deployed across all auth server nodes.

4. API security assessment and vulnerability assessment by internal and external audit teams.

5. Align with government regulations and central bank regulations.

6. Load testing and rate limiters.

7. HTTPS based integrations.

8. IP whitelisting to avoid unauthorized calls.

9. API Gateway based integration among services.

10. The parent app requests the customer's consent to share account details during authentication.
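As an added example (not part of the original post), items 6, 7 and 8 of the list above combined into one gateway-side pre-check that runs before a request from a 3rd party app server reaches the Auth nodes: HTTPS only, an IP allowlist, and a per-source token-bucket rate limiter. The allowlisted ranges, the rate and the burst size are constructed assumptions; real values would come from the partner's onboarding record.

```python
import ipaddress
from typing import Dict, Iterable, Tuple

# Constructed allowlist of 3rd party app server ranges (documentation
# prefixes, not real partner addresses).
ALLOWED_CIDRS = ("203.0.113.0/24", "198.51.100.10/32")


class TokenBucket:
    """Per-client rate limiter: up to `capacity` calls in a burst, then
    refilled continuously at `refill_per_sec`."""

    def __init__(self, capacity: int, refill_per_sec: float, now: float) -> None:
        self.capacity = capacity
        self.refill_per_sec = refill_per_sec
        self.tokens = float(capacity)
        self.last = now

    def allow(self, now: float) -> bool:
        elapsed = max(0.0, now - self.last)
        self.tokens = min(float(self.capacity), self.tokens + elapsed * self.refill_per_sec)
        self.last = now
        if self.tokens >= 1.0:
            self.tokens -= 1.0
            return True
        return False


class GatewayPolicy:
    """Checks applied at the API gateway before a call is forwarded to an Auth node.
    Order matters: cheap rejections (scheme, allowlist) happen before a bucket is
    touched, so unlisted sources cannot consume anyone's rate budget."""

    def __init__(self, allowed_cidrs: Iterable[str], refill_per_sec: float, burst: int) -> None:
        self.allowed = [ipaddress.ip_network(c, strict=True) for c in allowed_cidrs]
        self.refill_per_sec = refill_per_sec
        self.burst = burst
        self.buckets: Dict[str, TokenBucket] = {}

    def check(self, client_ip: str, scheme: str, now: float) -> Tuple[bool, str]:
        # Item 7: HTTPS only. Anything that arrived in plaintext is refused.
        if scheme.lower() != "https":
            return False, "plaintext request rejected"
        # Item 8: IP allowlist. client_ip must be the peer address seen by the
        # TLS-terminating hop, never a client-supplied header like X-Forwarded-For.
        try:
            ip = ipaddress.ip_address(client_ip)
        except ValueError:
            return False, "unparseable client address"
        if not any(ip in net for net in self.allowed):
            return False, "ip not allowlisted"
        # Item 6: rate limit per source address.
        bucket = self.buckets.get(client_ip)
        if bucket is None:
            bucket = self.buckets[client_ip] = TokenBucket(self.burst, self.refill_per_sec, now)
        if not bucket.allow(now):
            return False, "rate limited"
        return True, "ok"


if __name__ == "__main__":
    policy = GatewayPolicy(ALLOWED_CIDRS, refill_per_sec=1.0, burst=3)
    for ip, scheme in (("203.0.113.5", "https"), ("203.0.113.5", "http"), ("192.0.2.1", "https")):
        print(ip, scheme, policy.check(ip, scheme, now=0.0))
```

The token-bucket state is per gateway instance; when several gateway replicas sit behind one load balancer, the effective limit is the per-replica limit multiplied by the replica count unless the counters are shared. Keying the bucket by the authenticated partner rather than by raw IP is the usual next step once partners call from NAT pools.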