Layer7 API Management


OAuth for a mobile app without using MAG SDK

  • 1.  OAuth for a mobile app without using MAG SDK

    Posted 01-29-2018 10:35 AM

    Hi,

    I am looking for information on getting started with one of our requirements, wherein the app team wants to use OAuth for a mobile application but does not want to go with the MAG SDK.

    Is there any documentation indicating for app teams the approach they need to follow for the use case to work?

    All we have after client registration is the .json file with a bunch of endpoints.

    Which endpoint call should be invoked by the app team, and what are the inputs for each?

    Thanks in advance



  • 2.  Re: OAuth for a mobile app without using MAG SDK

    Posted 01-29-2018 03:05 PM

    Hi @STS_MGW

     

    My name is Carina Ramello, and I'm the product owner of Mobile SDKs for MAG. As you may know, the Mobile SDK abstracts the complexity from the endpoints and workflows you mentioned.

    Will you be interested in having a call with us to go through your requirements? We would like to understand the rationale to not use the SDK and help you to navigate the documentation if you need to use the MAG services.

     

    Thanks!

     

    Carina Ramello | Product Owner



  • 3.  Re: OAuth for a mobile app without using MAG SDK

    Posted 01-29-2018 03:36 PM

    Hi Carina,

    This is the ask by the app team: they do not want to redeploy the code with every MAG SDK release as needed.

    In this approach, wherein the web apps and mobile apps want to avail only OAuth features from the gateway without the SDK, what is the approach to follow? Any document supporting the needed actions by the app team?

    Thanks!



  • 4.  Re: OAuth for a mobile app without using MAG SDK
    Best Answer

    Posted 01-29-2018 06:16 PM

    Hi there.

     

    Well, the complete redeploy will totally depend upon how you're actually using the SDK and if a newer version is fixing or adding something you were waiting for, or a big security breach, for instance. The SDK is like any other framework your app team is using. At some point, they get updated, but it doesn't necessarily mean you've got to update it right away and redeploy your apps.

     

    You mentioned only OAuth. Is there any other particular use case you want to use? If you do not have another particular use case, I would strongly recommend using the SDK due to some beneficial abstraction, as Carina mentioned before, that will save you guys tons of development time by providing a single and unique way to call endpoints that the CA Mobile API Gateway is protecting. Besides the plain OAuth, the SDK will give you mutual SSL OOB, which is basically an almost effortless second-factor authentication where the gateway (server) will get to know the mobile device (client) and the client will get to know the server.

     

    To use the SDK or not is a very fair question. I usually answer our customers by saying that the SDK is not doing anything that you could do yourself. Nothing is stopping your app team from building up your own SDK, from scratch, and providing the very same features. The question is, do you really want to invest time and money building and maintaining another SDK when the product itself provides you one, out of the box, with a bunch of features? Maybe you are going to find yourself asking this very same question in the future, when you find out that the framework, SDK or whatever you want to call the custom methods you created to use the CA Mobile API Gateway's API has a bug and needs to be updated and the apps using it rebuilt.

     

    In another analogy, you can build your own car, right? You can buy all the parts, pieces, engine, etc., and build yourself a nice car, right? However, do you really want to invest time and money building something that is already there? It's an operation question more than a technical one. That's my point here.

     

    If you guys really decide not to use the SDK then I would suggest that you write down all the use cases where the CA Mobile API Gateway would be protecting the API calls. It all boils down to what you want to do with those APIs and how.

     

    I hope that helps.

     

    --

    ac